This week RISE welcomed Harrison Neal (PatchAdvisor) via video conference to talk about two vulnerabilities he discovered in the RSA authentication agent for IIS. Thanks to R&K Solutions for hosting the event!

Harrison’s was a tale of accidental findings, curiosity, and persistence. Some odd language he found while working on an unrelated task provided a tantalizing thread to pull. Over the next few months, he spent his spare time fuzzing, analyzing encryption schemes, and reading up on named pipes to convert that accidental finding into two CVEs: CVE-2018-1232 and CVE-2018-1234.

The brief exemplified many qualities of successful vulnerability analysis. A curious eye caught an oddly-worded statement. Data gathering ensued using a methodical approach and a common tool set to look for known vulnerabilities, patterns, or unusual signatures as starting points for research. Researching vendor documentation to understand the systems and look for additional attack vectors. Perhaps most importantly – persistence in spending many hours of personal time in trial-and-error working towards a solution. Even if his work hadn’t resulted in two findings, Harrison likely picked up additional knowledge and techniques in the journey for future application.

RISE thanks Harrison for sharing his story with our members. Do you have an idea for an upcoming meeting? Share your stories or expertise! Reach out to us at roanokeinfosec@gmail.com.