In RSA Authentication Agent before 7.4.7, service paths and shortcut paths may be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks. An adversary can place an executable in a higher-level directory of the path, and Windows will resolve that executable instead of the intended executable.
When the path to a service executable or shortcut contains spaces and is not enclosed in quotes, Windows attempts to sequentially resolve each segment of the path as a separate executable file. An attacker can place a malicious executable file in a directory higher than the target program, and Windows will execute that file instead of the legitimate one. This technique (unquoted service path) allows for takeover of a process typically executed with system privileges.
An attacker can execute arbitrary code in the context of a privileged process (e.g., SYSTEM), which in practice means complete takeover of the system, including the ability to perform privilege escalation, steal authentication credentials, and install malicious software.
RSA Authentication Agent for Windows should be updated to version 7.4.7 or later. The update package is available in the vendor references (community.rsa.com). Until the patch is deployed, it is recommended to restrict local system access exclusively to authorized users and monitor system directories for unexpected executable files.
RSA Authentication Agent for Windows versions prior to 7.4.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HRsa Authentication Agent For Windows
APPRsa< 7.4.7
Related vulnerabilities
EMC RSA Authentication Agent 7.1.x before 7.1.2 on Windows does not enforce the Quick PIN Unlock timeout featu...
Archer Platform 6.3 before 6.11 (6.11.0.0) contains an Improper Access Control Vulnerability within SSO ADFS f...
RSA Archer, versions prior to 6.6 P2 (6.6.0.2), contain an improper authentication vulnerability. The vulnerab...
RSA Netwitness Platform versions prior to 11.2.1.1 and RSA Security Analytics versions prior to 10.6.6.1 are v...
EMC RSA Authentication Agent for Web: Apache Web Server version 8.0 and RSA Authentication Agent for Web: Apac...