FOREGROUND SECURITY, SECURITY ADVISORY 2011-002
– Original release date: September 21, 2011
– Discovered by: Jose Carlos de Arriba – Senior Security Analyst at Foreground Security
– Contact: (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot) com)
– Severity: 9.7/10 (Base CVSS Score)
Authenex A-Key/ASAS Web Management Control 220.127.116.11 (latest) – Time-based SQL Injection.
Authenex provides enterprises and enterprise IT managers and staff with a wide range of products that help
keep both their networks and data secure. Authenex solutions enable users to securely and efficiently
access network assets and personal, sensitive data anytime, anywhere. The Authenex suite of
applications can be leveraged by a variety of USB and non-USB tokens.
The Authenex Web Management Control allows users of Authenex A-Key (OTP Tokens for 2-factor
authentication) and ASAS products to manage their OTP tokens and change user information (credentials,
activate tokens, etc).
The Authenex Strong Authentication System (ASAS®) is a network security application that provides
strong (two-factor) authentication for LAN, remote, VPN and web access. The ASASR System helps keep your
networks secure by requiring your users to use their A-Key™ tokens to authenticate via One-Time
Password (OTP) whenever they want remote or LAN access to networks, web sites, portals, OWA servers, etc.
The ASASR System utilizes an authentication server and database, as well as the A-Key™ token as the
basis for the most secure, easy to use, simple to administer and cost-effective two-factor
authentication solution available today.
The A-Key™ 4800 tokens are USB tokens that enable users to store data in encrypted memory (4 or 8
gigabytes) and safely take that data wherever they go. All data on an A-Key™ token is safe from
unauthorized use and from theft. The A-Key™ token is password-protected and all data is encrypted.
Also, the token has brute force penetration protection: if someone tries to log in to the token and fails a
predefined number of times, the token will self-erase. This feature resides at the hardware level and
cannot be altered.
IV. PROOF OF CONCEPT
POST DATA: rgstcode=1111111111111111&username=a’; WAITFOR DELAY ‘0:0:30’–
V. BUSINESS IMPACT
An attacker would be able access the Authenex database, dump all the OTP tokens, users information
including credentials, etc.
Also, depending upon the database configuration the attacker would be able to access other databases or
get a shell on the system.
VI. SYSTEMS AFFECTED
Authenex Web Management Console 18.104.22.168, (latest version available according to the vendor).
Authenex ASAS 22.214.171.124
Authenex ASAS 126.96.36.199 (latest version available).
Prior versions and other products using the Web Management Console for A-key Tokens may be affected.
– Apply the security patches available at http://support.authenex.com/
Authenex customers can download the Security Bulletins and patches related to this vulnerabilty at http://support.authenex.com/
This vulnerability has been discovered by Jose Carlos de Arriba (jcarriba (at) foregroundsecurity (dot)
com, dade (at) painsec (dot) com).
X. REVISION HISTORY
– September 21, 2011: Initial release.
XI. DISCLOSURE TIMELINE
July 26, 2011: Vulnerability discovered by Jose Carlos de Arriba.
September 7, 2011: Vendor contacted by phone.
September 7, 2011: Security advisory sent to vendor providing the vulnerability details.
September 9, 2011: Vendor contacted us to notify the availability of a patch and to request as to check it.
September 9, 2011: Vulnerability fix checked and fixed.
September 16, 2011: Security Update released by vendor.
September 21, 2011: Security advisory released.
XII. LEGAL NOTICES
The information contained within this advisory is supplied “as-is” with no warranties or guarantees of
fitness of use or otherwise.
Jose Carlos de Arriba, CISSP
Senior Security Analyst
jcarriba (at) foregroundsecurity (dot.) com