RSA considers the scenario presented by the report to be against recommended deployment practices rather than a security vulnerability within the product. From the scenario in the report, RSA believes the software token compromise described has two key requirements:
- The adversary must have access to a software token XML file.
- The file must have been created without a password.
The distribution of unprotected software token XML files (i.e. files created without a password) is the root cause of the issue reported by Fox-IT. RSA recommends that customers follow the RSA SecurID® Software Token Security Best Practices to minimize risk during token provisioning. For more details, refer to the following advisory:
Important Statement from RSA Regarding RSA SecurID Software Token Provisioning Best Practices