Entrust Authority Security Manager contains a vulnerability that could allow a master user to change the password of another master user. A master user could exploit this vulnerability to perform operations that otherwise require authorization by multiple master users.
Entrust Authority Security Manager (EASM) is a public-key infrastructure (PKI) that includes a certificate authority (CA). EASM defines several privileged master users that have the ability to perform sensitive master user functions on the CA. Sensitive master user functions can be configured to require multiple authorizations by master users.
Changing the password of a master user is considered to be a sensitive operation that requires multiple authorizations. Under certain conditions, possibly involving the command line interface (CLI), the multiple authorization requirement is not enforced, allowing a single master user to change the password of another master user.
A single EASM master user could change the password of another master user, thereby gaining the ability perform sensitive operations that require multiple authorizations. This could allow a master user to stop EASM services, causing a denial of service.
Upgrade or Patch
This issue is resolved with mandatory upgrade 6.0.1 released on July 2, 2002.
This vulnerability was analyzed and reported by Keith Sollers of Ernst and Young.
This document was written by Art Manion.
|Date First Published:||2003-04-04|
|Date Last Updated:||2003-06-27 15:39 UTC|