Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
|
|
|
Want to learn about SecurityTracker? We've got answers to frequently asked questions right here
|
|
|
|
|
|
|
|
|
|
|
Microsoft Outlook Web Access With SecurID Authentication May Allow Remote Users to Avoid the SecurID Authentication in Certain Cases
|
Date: Mar 29 2002
|
Impact: User access via network
|
Exploit Included: Yes
|
Description: An authentication vulnerability was reported in Microsoft Outlook Web Access (OWA) when used with RSA's SecurID authentication tokens. In certain cases, a remote user with a valid OWA password can avoid using their SecurID password.
It is reported that a remote user that is authenticated using both the SecurID token and the OWA password can disconnect and then
attempt to reconnect using a different OWA account. This will apparently yield an error page that indicates the following:
"Your
NT username (xxxxx) does not match your SecurID username (yyyyy)."
If the user reloads this error page multiple times, the user
will eventually gain access to the mailbox of user 'xxxxx' using the appropriate OWA password but without having to authenticate
with SecurID password for the 'xxxxx' user.
Both Microsoft and RSA have reportedly been notified.
|
Impact: In a certain situation, a valid and authenticated remote user can access another user's OWA account by supplying the other user's OWA password but without having to supply the other user's SecurID password.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.microsoft.com/technet/security/ (Links to External Site)
|
Cause: Authentication error
|
Underlying OS: Windows (NT), Windows (2000), Windows (XP)
|
Reported By: "Scalise, Marzio" <marzioscalise@KPMG.IT>
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 26 Mar 2002 14:47:50 +0100
From: "Scalise, Marzio" <marzioscalise@KPMG.IT>
Subject: Authentication with RSA SecurID and Outlook web access
|
I've found a strange authentication problem using SecurId and Outlook Web
Access (OWA) on windows 2k in a client company.
this is the normal procedure for reading the OWA mailbox:
- SecurId Authentication, RSA token, username, pin
- Logon page for OWA
- OWA Authentication using username/password
- Read mail
This is what i do normally, and it works fine. However when i disconnect and
then reconnect using a different OWA account on the OWA Authentication page
i get the following error :
"Your NT username (xxxxx) does not match your SecurID username (yyyyy)."
When i then reload the error page multiple times i eventually get access to
the mailbox of (xxxxx).
I do not need the SecureId pass of the second NT user to get access, only
the OWA password.
Microsoft and SecurId was informed
Regards
Marzio Scalise
KPMG Information Risk Management - Italy
> __________________________________________________
> Marzio Scalise
> Information Risk Management
> KPMG S.p.A.
> Corso Vittorio Emanuele II 48
> 10123 Torino
> Italy
> e-mail: marzioscalise@kpmg.it
> pgp key is available at:
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x606359A9
> ____________________________________________
**************************************************************************
The information in this email is confidential and may be legally
privileged.
It is intended solely for the addressee. Access to this email by
anyone else is unauthorized.
If you are not the intended recipient, any disclosure, copying,
distribution or any action taken or omitted to be taken in reliance
on it, is prohibited and may be unlawful. When addressed to
our clients any opinions or advice contained in this email are
subject to the terms and conditions expressed in the governing
KPMG client engagement letter.
**************************************************************************
|
|
Go to the Top of This SecurityTracker Archive Page
|
