CS Guide: Handling and Escalation Procedures for Security Vulnerabilities in RSA Products
Issue
- An RSA product reportedly contains one or more security vulnerabilities.
- An RSA product embeds a third-party component that has a security vulnerability.
Keywords that identify a security vulnerability case:
- Arbitrary Code Execution
- Authentication Bypass
- Authentication Spoofing
- Buffer Overflow
- Brute Force Attacks
- Cross-Site Scripting (XSS)
- Code Injection
- CVE ID
- Compliance Audit
- Directory Traversal
- Denial of Service (DoS)
- Exploitation
- Information Disclosure
- Login Bypass
- Network Scanners, e.g. Nessus, QualysGuard, Retina, Foundstone
- Plaintext Password
- Privilege Escalation
- Port Scanners, e.g. Nmap
- Pentesting
- Remote Code Execution
- Security Audit
- Security Bypass
- Security Patch
- Security Risk
- Session Hijacking
- SQL Injection
- Vulnerability
- Weak Ciphers
- Weak Encryption
Resolution
- Determine whether the customer issue is a security vulnerability condition using the keywords listed above.
- For a security vulnerability, the Case priority must be set to HIGH. Severity of the Case should be set according to the published definition of severity levels (refer to Defining Case Severity Levels on RSA Link).
- Search for an existing resolution:
- Review the list of Product and Security Advisories, or search for the CVE number on RSA Link (https://community.rsa.com).
- Check Release Documentation to see whether the issue has been resolved.
- Check knowledgebase for resolution.
- Search the knowledge base by CVE # (Example of a CVE Identifier: CVE-1999-0517).
- Check the Engineering defect tracking system for a resolution, if one cannot be found in the knowledge base.
- Provide the response to customer IF a solution was previously made available externally in any of the following ways:
- Solution found on RSA Link in a Product or Security Advisory.
- Solution found in Release Documentation.
- Solution found in an external facing knowledgebase.
- Solution found in the knowledgebase marked as internal-only but includes statement(s) for communicating to customers.
- Report the issue to Engineering and PSIRT IF no customer facing response is available; for example, in the following scenarios:
- No reference found on RSA Link, Product or Security Advisories, Release Documentation
- No reference found in the knowledgebase.
- Reference is found in the knowledgebase but the article is marked as internal only AND there is no statement available for customer communication.
- No reference found in Engineering bug tracking system.
- Reference is found in Engineering bug tracking system but the issue is either unresolved or no customer facing response is available. Any response back to the customer must be vetted by PSIRT/Engineering (Product Vulnerability Response Champion).
- How to report the issue to Engineering and PSIRT:
- Create a new Engineering ticket in the bug tracking system (such as JIRA). For some product support teams (e.g., SecurID), the Support Case may need to be escalated to Tier 2 for reporting to Engineering. Follow the Case handling process for your team. Make sure all information provided to PSIRT (Step 6b) is also saved in the Engineering ticket.
- Report the issue to PSIRT by submitting the following required information via email to responsibledisclosure@rsa.com. A PSIRT Ticket (in RSA JIRA) will be created by a member of the team and provided for your tracking purposes.
- Product Name.
- Product Type: Software or Appliance/Virtual Appliance.
- Product Versions.
- Summary.
- RSA Salesforce Case Number.
- Customer Name.
- Engineering Defect/Bug Number.
- Source of Detection: Vulnerability Scanner, Penetration Test/Security Audit, Other.
- Description of the Vulnerability.
- Steps to Reproduce the Vulnerability.
- Name of Third-Party Component.
- Operating System Impacted.
- CVE Identifiers.
- How is the Component used? Shipped with or Installed by RSA Product or Customer Installed/Managed Component.
- When an official response vetted by PSIRT/Engineering is available in the PSRC ticket, create/update a new internal-only knowledgebase article using the Security KB template as directed by the PSRC. Information on creating a Security KB article can be found on RSA Link at https://community.rsa.com/docs/DOC-41361. For false positives, follow the guidelines available on RSA Link at https://community.rsa.com/docs/DOC-75294.
- Once an official response has been approved by PSIRT/Engineering (Product Vulnerability Response Champion), communicate the response back to the customer.
- Close the case and set the resolution code using the following guidelines (refer to the Salesforce Playbook on RSA Link and Resolution Codes on Inside Dell). Each response lists whether it applies to the RSA product itself, to an embedded component, or both:
  - Not Applicable (RSA Product, Embedded Component)
    - Response Details: False positive. Provide explanation.
    - Resolution Code: Vulnerability - Not Applicable
  - Not Exploitable (RSA Product, Embedded Component)
    - Response Details: The flaw exists but it is not exploitable. Provide explanation.
    - Resolution Code: Vulnerability - Not Exploitable
  - Remedy in Progress (RSA Product, Embedded Component)
    - Response Details: The RSA product embeds the vulnerable code/component. RSA is working on a solution to address the issue and will provide regular status updates.
    - Resolution Code: Vulnerability - Remedy in Progress
  - Impacted - Apply RSA Remedy (RSA Product only)
    - Response Details: Provide details on patch, upgrade, downgrade, workaround, hot fix.
    - Resolution Code: Vulnerability - RSA Remedy
  - Impacted - Apply Vendor Remedy (Embedded Component only)
    - Response Details: The component is a prerequisite to run the RSA product, but there is no known or expected effect on the RSA product when applying the vendor-supplied security patch.
    - Resolution Code: Vulnerability - Vendor Remedy
Notes
Training available on Dell EMC Education and Development site:
- RSA CS Security Vulnerability Response Process Training: https://education.emc.com/index_login.htm?id=914342921 (use Internet Explorer)
- Introduction to Vulnerability Response: https://dell.sabacloud.com/Saba/Web_spf/PRODTNT091/common/ledetail/cours000000000376831 (use Internet Explorer)
References:
- Product Vulnerability Response Standard: https://inside.dell.com/community/active/rsa/security-and-risk-office/overview
- RSA Vulnerability Response Policy: https://www.rsa.com/en-us/company/vulnerability-response-policy
Product Details
THIS SOLUTION IS FOR INTERNAL USE ONLY - DO NOT DISTRIBUTE
Applies to: All RSA Products (Security Vulnerability)