Bypassing RSA Securid publishing in ISA 2004 for OWA 2003 after lo
- From: LAN Hotfixer <LANHotfixer@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 17 Feb 2006 12:04:15 -0800
When publishing MS Exchange 2003 OWA (with or without FBA activated on the
Exchange server) through ISA 2004 SP1 or SP2, I have noticed the following
issues when using the built-in RSA agent that comes with ISA by default to make
RSA SecurID authentication instead of FBA through the ISA.
The issues have also been seen without FBA activated on Exchange and are
suspected to be RSA related - but they refuse to handle the issue and direct
me to Microsoft, who bought the software from RSA to build into ISA 2004.
(SSO is not used - a pure RSA SecurID login is first made through the ISA
2004, before the OWA FBA login using Windows domain credentials is presented
for a second login into OWA):
1) Bypass of the RSA login page after cookie timeout and regaining access to
OWA without a new RSA login!
This procedure consequently gives access to the OWA login page without any
SecurID re-authentication.
In some rare situations direct access without any MS authentication to the
last opened mailbox has been seen!!!
The RSA cookie just doesn't seem to expire - even after several days.
The only way to ensure a new RSA auth. is to close the browser and start
fresh.
However, closing the browser is often not possible on public kiosk
terminals - so there is a potential risk of someone gaining access to the
mailbox using the "static" MS password, which might have been captured by a
nasty keylogger or just brute-forced.
SSL is of course being used, but there are also tools that can create a
man-in-the-middle attack on the SSL session and easily get the password.
That's why I do not rely on the MS password only.
The issue:
When manually logging off or when the expiration timeout triggers logoff:
- In the browser that has OWA open, click "Refresh" or the "Back" button and
the RSA login page is shown.
- Click "Back" once or twice again - and a web page with a URL like:
https://owa.domainname.net/WebId.dll{56DBC6B7-99FB-4AC5-B69F-6B45E874F8B3}
is shown:
"Warning: Page has Expired"
"The page you requested was created using information you submitted in a
form. This page is no longer available. As a security precaution, Internet
Explorer does not automatically resubmit your information for you.
To resubmit your information and view this Web page, click the Refresh
button. "
- Click the "Refresh" button as instructed on the web page
- Click "Retry" on the pop-up
- The RSA redirect page is briefly shown - and then OWA FBA is presented!
Note:
In some cases direct access into the mailbox has been gained WITHOUT even
logging in via FBA or by standard login.
2) Username automatically shown on the RSA login page
The RSA SecurID username that was entered on the RSA web page at the initial
connection and login is sometimes automatically shown/typed into the
username field of the RSA login page when the RSA timeout has expired and a
new RSA login is presented as required.
The user doesn't have to enter the username - only the passcode.
On new, fresh connections the username is not shown.
The automatically shown username is a serious security issue when accessing
OWA from public terminals - and also makes the user account vulnerable to DoS
attacks, because RSA accounts will be disabled after several failed
login attempts.
RSA Authentication Manager (ACE/Server) doesn't provide an auto-reset
function for the locked account as in Windows.
An RSA admin has to manually re-enable the user account!
3) Comments and questions:
The RSA cookie/protection is not stable/secure - or is it a wrong setup!?
Any fixes available?
Maybe these issues are specific to my "by-the-book" implementation - or
maybe I have overlooked some important setup/configurations?
Maybe the issues are only related to some browser versions and
configurations...??
Has anyone else noticed these issues, and are there any fixes available?
Some extra info:
I have found this old thing - that somehow addresses the same problem:
http://www.securityfocus.com/bid/4390
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0507
But not found any fixes - I think!
Will Microsoft take care of these issues?
--
LAN Hotfixer
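The first issue in the post is, at bottom, a session cookie that the gateway keeps honouring after logoff and long after any timeout should have ended the session. The following is an added example, not code from the post, from ISA Server or from RSA, and it does not reproduce how the ISA/RSA agent actually stores or checks its cookie. It models two assumed gateway designs side by side: a weak one that trusts any validly signed cookie and whose logoff only asks the browser to discard it, and a hardened one that keeps a server-side session record with idle and absolute timeouts and revokes it on logoff. The key, user names, session ids, timeouts and clock values are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real gateway would use a per-server secret.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def sign(payload: str) -> str:
    """HMAC-SHA256 over the cookie payload (assumed cookie format)."""
    return hmac.new(DEMO_KEY, payload.encode(), hashlib.sha256).hexdigest()


def mint_cookie(session_id: str, username: str, issued_at: float) -> str:
    """Authentication cookie: session id, user and issue time, signed."""
    payload = f"{session_id}|{username}|{int(issued_at)}"
    return f"{payload}|{sign(payload)}"


def parse_cookie(cookie: str):
    """Return (session_id, username, issued_at) if the signature is valid, else None."""
    try:
        session_id, username, issued, sig = cookie.split("|")
    except ValueError:
        return None
    payload = f"{session_id}|{username}|{issued}"
    if not hmac.compare_digest(sign(payload), sig):
        return None
    return session_id, username, int(issued)


class WeakGateway:
    """Models the behaviour the post reports: the cookie is accepted as long as
    its signature checks out. Logoff records nothing server-side, so a copy the
    browser still holds (replayed via Back/Refresh) keeps working, and nothing
    ever makes it expire."""

    def login(self, username: str, now: float) -> str:
        return mint_cookie(secrets.token_hex(8), username, now)

    def logoff(self, cookie: str) -> None:
        pass  # only the browser is told to drop the cookie; the server forgets nothing

    def is_authenticated(self, cookie: str, now: float) -> bool:
        return parse_cookie(cookie) is not None


class HardenedGateway:
    """Server-side session record with idle and absolute timeouts and explicit
    revocation on logoff; the cookie is only a handle to that record."""

    def __init__(self, idle_timeout: int = 15 * 60, absolute_timeout: int = 8 * 3600):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.sessions = {}  # session_id -> {"user", "issued", "last_seen"}

    def login(self, username: str, now: float) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": username, "issued": now, "last_seen": now}
        return mint_cookie(sid, username, now)

    def logoff(self, cookie: str) -> None:
        parsed = parse_cookie(cookie)
        if parsed:
            self.sessions.pop(parsed[0], None)  # revoke: replaying the cookie now fails

    def is_authenticated(self, cookie: str, now: float) -> bool:
        parsed = parse_cookie(cookie)
        if parsed is None:
            return False
        sid, username, _issued = parsed
        rec = self.sessions.get(sid)
        if rec is None or rec["user"] != username:
            return False
        if now - rec["issued"] > self.absolute_timeout:
            self.sessions.pop(sid, None)  # hard cap on session lifetime
            return False
        if now - rec["last_seen"] > self.idle_timeout:
            self.sessions.pop(sid, None)  # idle too long
            return False
        rec["last_seen"] = now
        return True


def run_scenarios(gateway_cls):
    """Replay the two situations from the post against one gateway class:
    the cookie reused after logoff, and reused after the session should have
    timed out. Returns a dict of acceptance results."""
    t0 = 1_000_000.0  # constructed clock value
    gw = gateway_cls()
    cookie = gw.login("alice", t0)
    results = {"fresh": gw.is_authenticated(cookie, t0 + 1)}
    gw.logoff(cookie)
    results["after_logoff"] = gw.is_authenticated(cookie, t0 + 2)
    cookie2 = gw.login("alice", t0)
    results["after_two_days"] = gw.is_authenticated(cookie2, t0 + 2 * 86400)
    return results


if __name__ == "__main__":
    for cls in (WeakGateway, HardenedGateway):
        print(cls.__name__, run_scenarios(cls))
```

Running the script shows the weak gateway accepting the cookie in all three cases and the hardened one accepting only the fresh request, which is the check a deployment should pass: a cookie presented after logoff, or after the configured timeout, must be refused by the server regardless of what the browser still holds.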