Notified:  May 06, 2005 Updated: May 11, 2005

Status

Unknown

Vendor Statement

RSA Security has recently discovered and fixed a potential security vulnerability in the following RSA Authentication Agent for Web software: - RSA Authentication Agent 5.3 for Web for IIS This issue has been addressed and thoroughly qualified by RSA Security. RSA Security is not aware of any security breaches resulting from this vulnerability. Description: - The RSA Authentication Agent for Web 5.3 for IIS can be exploited with a heap overflow condition Implication: - A heap overflow condition causes IIS to crash on Windows 2000 Action Taken by RSA Security: RSA has created a security patch to eliminate this vulnerability to be applied to the following: - RSA Authentication Agent 5.3 for Web for IIS Recommendation: RSA Security recommends that all customers currently using RSA Authentication Agents 5.3 for Web software apply the security patches available now on the RSA SecurCare Online site. Doing so eliminates this vulnerability. Getting Security Fixes: To get this new patch and documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click "Downloads" in the left navigation menu. Then, click "Fixes by Product", click "RSA SecurID", and "Authentication Agent 5.x", and select the downloads and documentation that pertain to your environment.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.