RSA Secure Directory Server Patch

posted on August 21, 2001
by hitbsecnews

RSA Security has recently fixed a security vulnerability in the Secure
Directory Server, a component of the RSA Keon Certificate Authority
(KCA) and RSA Keon Registration Authority (KRA).

The vulnerability makes possible a Denial of Service (DoS) attack
against the Secure Directory Server through the LDAP interface.
Most customers will have KCA/KRA behind a firewall and not allow
external access to the LDAP ports on the KCA/KRA, so will not be
externally vulnerable; however, the fix should still be applied
immediately.

Similar vulnerabilities were present in almost every implementation of
LDAP as publicized in CERT advisory CA-2001-18
(http://www.cert.org/advisories/CA-2001-18.html). RSA is not
mentioned in this advisory, but we took proactive steps based on this
information to ensure that any similar issues in our Secure Directory
Server were addressed.

RSA Security has isolated and corrected the vulnerability and is
releasing a hot fix for the Secure Directory Server on Monday, August
20, 2001.

RSA recommends that customers using any version of the KCA or
KRA install the hot fix immediately.

RSA Security is committed to delivering high quality and secure
products and is confident that we have fixed this vulnerability. The
latest release of the Secure Directory Server (xudad) will be available
for download through SecurCare Online on Monday morning.

RSA Security strongly encourages each of you to proactively share
this information with your customers.

RSA Security is not aware of any security breaches resulting from
this vulnerability.

SNP
