|
|
|
Security Updates and Reflection
Technical Note 1708
Last Reviewed 11-Jan-2008
Applies To
Reflection for HP version 11.0 or higher
Reflection for UNIX and OpenVMS version 11.0 or higher
Reflection for ReGIS Graphics version 11.0 or higher
Reflection for IBM version 11.0 or higher
Reflection X version 11.0 or higher
Reflection for Secure IT Windows Client version 6.x
Summary
Technical Note 1708
Last Reviewed 11-Jan-2008
Applies To
Reflection for HP version 11.0 or higher
Reflection for UNIX and OpenVMS version 11.0 or higher
Reflection for ReGIS Graphics version 11.0 or higher
Reflection for IBM version 11.0 or higher
Reflection X version 11.0 or higher
Reflection for Secure IT Windows Client version 6.x
Summary
This technical note discusses security issues related to Reflection security features. If you use these features, you should consult this technical note on a regular basis for any updated information regarding these features.
IMPORTANT: The security for all of the Reflection products using the Reflection security features depends upon the security of the operating system, host, and network environment. Attachmate strongly recommends that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers.
Reflection and Security
This section provides information about Reflection products and security.
The following table lists security information regarding other Reflection products.
| Product Name |
Security Technical Note |
| All Reflection Products |
1700 |
| Reflection for the Web |
1704 |
| Reflection for Secure IT 7.0 or Higher |
2288 |
| Reflection for Secure IT Windows Server 6.x Reflection for Secure IT UNIX Server 6.x Reflection for Secure IT UNIX Client 6.x F-Secure SSH |
1910 |
Reporting a Potential Security Vulnerability to Attachmate
If you are aware of a potential security vulnerability in Attachmate's Reflection products that is not listed on this document, see Technical Note 1890 for details about reporting the issue to the Attachmate Computer Emergency Response Team (CERT).
Current Version
For information about the current version of Attachmate products, see the Product Support Lifecycle at http://support.attachmate.com/programs/lifecycle/.
Product Updates
To determine if any updates are available for the current version of your Reflection product, see Technical Note 1619, Reflection Patch Topics.
FIPS (Federal Information Processing Standards ) Validation and Reflection
Reflection products version 13.0.4–14.x use the Attachmate Crypto Module, which has received FIPS 140-2 validation from the National Institute of Standards and Technology (NIST). To view the certificate and security policy, see the NIST website at: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2007.htm#766.
The SSL/TLS, SSH, and Kerberos Client security features of Reflection version 12.0.3 have received FIPS 140-2 validation from the National Institute of Standards and Technology (NIST). To view the certificate and security policy, see the Computer Security Division: Computer Security Resource Center on the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2005.htm.
For information about receiving the FIPS-validated product or update, contact Attachmate Technical Support. For contact information, see http://support.attachmate.com/contact/.
Department of Defense (DoD) Public Key Enabled (PKE) Certification
The following Reflection applications are certified as DOD PKI Interoperable:
Reflection for Secure IT Windows Client version 6.1 SP2, SP3, and SP4
Reflection for HP version 14.0 SP2, SP3, and SP4
Reflection for UNIX and OpenVMS version 14.0 SP2, SP3, and SP4
Reflection for ReGIS Graphics version 14.0 SP2, SP3, and SP4
Reflection for IBM version 14.0 SP4
Reflection X version 14.0 SP3 and SP4
Reflection FTP Client version 14.0 SP3 and SP4
Reflection for HP version 14.0 SP2, SP3, and SP4
Reflection for UNIX and OpenVMS version 14.0 SP2, SP3, and SP4
Reflection for ReGIS Graphics version 14.0 SP2, SP3, and SP4
Reflection for IBM version 14.0 SP4
Reflection X version 14.0 SP3 and SP4
Reflection FTP Client version 14.0 SP3 and SP4
To view the certificates, see the Joint Interoperability Test Command's (JITC) Department of Defense (DoD) Public Key Enabled (PKE) Application Status Web page at http://jitc.fhu.disa.mil/pki/appstatus.html.
Security Alerts and Advisories
The following security alerts and advisories may affect your Reflection installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.
Note: This information is non-inclusive—it does not attempt to address all security issues that may affect your system.
| Alert |
Vulnerability Summary CVE-2007-4752 |
| Date Posted |
September 2007 |
| Summary |
SSH in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted. |
| Product Status |
Attachmate SSH clients (including Reflection for Secure IT and Reflection X) do not have this OpenSSH vulnerability. Note: Reflection for Secure IT UNIX Clients versions 6.x and 7.0 support trusted X11 forwarding, but do not have the vulnerability. |
| Additional Information |
For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4752. |
| Alert |
US-CERT Vulnerability Note VU #419344 |
| Date Posted |
April 2007 |
| Summary |
An authenticated user may be able to execute arbitrary code on a host running kadmind. Successful exploitation can compromise the Kerberos key database and host security on the host running these programs. (kadmind and the KDC typically run as root.) Unsuccessful exploitation attempts will likely result in the affected program crashing. Third-party applications calling either the RPC library or the GSS-API library provided with MIT krb5 may be vulnerable. |
| Product Status |
Attachmate products (including NetIQ products) are not vulnerable. |
| Additional Information |
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/419344. |
| Alert |
US-CERT Vulnerability Note VU #704024 |
| Date Posted |
April 2007 |
| Summary |
A buffer overflow exists in the krb5_klog_syslog() function used by kadmind and the KDC. An authenticated user may be able to execute arbitrary code on a host running kadmind. An authenticated user may be able to execute arbitrary code on KDC host. Also, a user controlling a Kerberos realm sharing a key with the target realm may be able to execute arbitrary code on a KDC host. Successful exploitation can compromise the Kerberos key database and host security on the host running these programs. (kadmind and the KDC typically run as root.) Unsuccessful exploitation attempts will likely result in the affected program crashing. Third-party applications calling krb5_klog_syslog() may also be vulnerable. |
| Product Status |
Attachmate products (including NetIQ products) are not vulnerable. |
| Additional Information |
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/704024. |
| Alert |
US-CERT Vulnerability Note VU #220816 |
| Date Posted |
April 2007 |
| Summary |
A remotely-exploitable root vulnerability is present in an application which ships in the krb5 sources. |
| Product Status |
Attachmate products (including NetIQ products) are not vulnerable. |
| Additional Information |
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/220816. |
| Alert |
US-CERT Vulnerability Note VU #831452: Kerberos administration daemon may free uninitialized pointers |
| Date Posted |
April 2007 |
| Summary |
An unauthenticated user may cause execution of arbitrary code in the Kerberos administration daemon, "kadmind", by causing it to free uninitialized pointers which should have been initialized by the GSS-API library. Compromise of the Kerberos key database may result. Third-party server applications written using the GSS-API library provided with MIT krb5 may also be vulnerable. Affected releases are krb5-1.5 through krb5-1.5.1. |
| Product Status |
Attachmate products (including NetIQ products) are not vulnerable. |
| Additional Information |
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/831452. |
| Alert |
US-CERT Vulnerability Note VU #845620: RSA Public Exponent 3 |
| Date Posted |
September 2006 |
| Summary |
Multiple RSA implementations fail to properly handle signatures. This applies to Secure Shell and SSL/TLS encrypted connections. |
| Product Status |
For more information about how this vulnerability affects Reflection products, see Technical Note 2137. |
| Additional |
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/845620. |
| Alert |
US-CERT Vulnerability Notes VU#401660 and VU#580124 |
| Date Posted |
August 2006 |
| Summary |
MIT Kerberos 5 contains local privilege escalation vulnerabilities on Linux systems and in the ftpd and ksu application. |
| Product Status |
No versions of the Reflection Kerberos Client are subject to these privilege escalation vulnerabilities. The Reflection Kerberos Client is not based on the MIT code base and runs only on Microsoft Windows operating systems. |
| Additional |
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/401660 and http://www.kb.cert.org/vuls/id/580124. |
| Alert |
US-CERT Vulnerability Note VU#623332 |
| Date Posted |
July 21, 2005 |
| Summary |
MIT Kerberos 5 contains double free vulnerability in "krb5_recvauth()" function. |
| Product Status |
The Reflection Kerberos Client, included in Reflection for Secure IT Windows Client version 6.0, is not subject to the krb5_recvauth() vulnerability (VU#623332). The Kerberos Client is not based on the MIT code base and uses Microsoft Windows memory management routines. |
| Additional |
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/623332. |
| Alert |
US-CERT Vulnerability Note VU#680620 |
| Date Posted |
July 14, 2005 |
| Summary |
Buffer overflow vulnerability in versions 1.2.1 and 1.2.2 of the zlib data compression library inflate() routine. |
| Product Status |
The Reflection Secure Shell client and Reflection X product use zlib version 1.1.4, which is not subject to this vulnerability. |
| Additional |
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/680620. |
| Alert |
Multiple iDEFENSE Security Advisories/US-CERT Vulnerability Note VU#800829 |
| Date Posted |
July 07, 2005 |
| Summary |
Multiple vendor telnet client information disclosure vulnerablies. |
| Product Status |
Reflection Telnet, TN3270, TN3270E, TN5250, and Kerberized Telnet clients are not vulnerable to this issue. All of the above mentioned Reflection Telnet products use Microsoft Windows memory management routines, along with compile-time buffer overflow protection, and are not based on the affected BSD or MIT Telnet clients. |
| Additional |
For details about these vulnerabilities, see the iDefense or US-Cert articles listed below. iDefense: http://www.idefense.com/application/poi/display?id=260&type=vulnerabilities http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities US-CERT: http://www.kb.cert.org/vuls/id/800829 |
| Alert |
SSH and Address-harvesting Worms: Analysis of Potential for Damage |
| Summary |
In a recent paper (“Inoculating SSH Against Address-Harvesting Worms,” (http://nms.csail.mit.edu/projects/ssh/sshworm.pdf), MIT researchers have raised the possibility that a worm might make its way onto a system running SSH and spread swiftly by mining the contents of the known_hosts file, which is part of many SSH implementations. While this research presents some interesting findings, it does not point out any new vulnerabilities in SSH or any new methods of attack. Nevertheless, Attachmate thinks it’s important that our SSH customers understand the implications of this research and the ways in which they can protect their systems. Attachmate SSH products currently support mechanisms that can thwart the kind of automated attack hypothesized by MIT. These mechanisms include certificate authentication support, which obviates the need to store information on SSH hosts locally. The products also support strong, two-factor user authentication to protect against damage caused by password or user key theft. |
| Product Status |
We are committed to continuing to add protections to SSH in order to provide reasonable defenses against attackers. We will introduce more features to the products that offer customers the option of tightening down their SSH implementations so that an address-harvesting worm would be slowed or even discouraged. |
| Additional |
|
| Alert |
Announcement of Successful Cryptanalytic Attack on SHA-1 |
| Summary |
Three Chinese cryptanalysts from Shandong University have recently documented a successful cryptanalytic attack on the SHA-1 algorithm. |
| Product Status |
Reflection products primarily use SHA-1 to create HMACs (Keyed Hashing for Message Authentication), for verification of message integrity. According to Schneier, because hash collisions are not a prominent concern, this use of SHA-1 is not affected by the cryptanalytic attack. (For further details, read the blog posting at http://www.schneier.com/blog/archives/2005/02/sha1_broken.html.) In next several versions of products that use the SHA-1 algorithm, all vendors—including Attachmate, will likely move to phase out the use of SHA-1 hashes for use in digital signatures and add support for SHA-256 and other stronger hashing algorithms. |
| Additional |
Bruce Schneier, the author of "Applied Cryptography," discusses this announcement on his blog, Schneier on Security. For commentary on this topic, see Mr. Schneier's blog at http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html. |
| Alert |
US-CERT Technical Cyber Security Alert TA04-247A |
| Summary |
Vulnerabilities in MIT Kerberos 5. |
| Product Status |
The vulnerabilities described in Security Alert TA04-247A (VU#866472, VU#795632, VU#550464, and VU#350792) are not applicable to the Reflection Kerberos Client. Attachmate's Kerberos implementation uses Windows-based memory management routines and has been inspected to verify that this type of vulnerability is not present. |
| Additional |
For details see http://www.us-cert.gov/cas/techalerts/TA04-247A.html. |
| Alert |
US-CERT Vulnerability Note VU#686862 |
| Summary |
MIT Kerberos 5 krb5_aname_to_localname() contains several heap overflows. |
| Product Status |
The Reflection Kerberos Client is not subject to the krb5_aname_to_localname() vulnerabilities (VU#686862) because it contains client functionality only and does no mapping of principal name to username. |
| Additional |
For details, see http://www.kb.cert.org/vuls/id/686862. |
| Alert |
US-CERT Technical Cyber Security Alert TA04-104A |
| Summary |
Microsoft has released four security bulletins listing vulnerabilities that affect Microsoft Windows and its components. |
| Product Status |
Attachmate's SSH, Kerberos, and SSL/TLS encryption implementations may use one or more of the vulnerable components identified in Microsoft's Security Bulletins MS04-011 and MS04-012. Attachmate recommends that users download and apply the critical update patches available from Microsoft. For details, see http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx and http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx. Note: Patch MS04-011 replaces Microsoft patch MS04-007 described in US-CERT Advisory TA04-041A (see below). |
| Additional |
For details, see http://www.us-cert.gov/cas/techalerts/TA04-104A.html. |
| Alert |
US-CERT Technical Cyber Security Alert TA04-078A |
| Summary |
Multiple Vulnerabilities in OpenSSL. |
| Product Status |
Attachmate's SSH, Kerberos, and SSL/TLS encryption implementations use only the OpenSSL crypto library or the Microsoft CryptoAPI, which are not affected by the vulnerabilities above. The Attachmate implementations do not use the OpenSSL client, which is subject to the vulnerabilities. |
| Additional |
For details, see http://www.us-cert.gov/cas/techalerts/TA04-078A.html. |
| Alert |
US-CERT Technical Cyber Security Alert TA04-041A |
| Summary |
Multiple Vulnerabilities in Microsoft ASN.1 Library. |
| Product Status |
Attachmate's SSH, Kerberos, and SSL/TLS encryption implementations use the library identified by Microsoft as containing the ASN.1 vulnerabilities. Attachmate recommends that users download and apply the critical update patch available from Microsoft at: http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx |
| Additional |
For details, see http://www.us-cert.gov/cas/techalerts/TA04-041A.html. |
| Alert |
CERT Advisory CA-2003-26 |
| Summary |
Multiple Vulnerabilities in SSL/TLS Implementations. |
| Product Status |
Attachmate has inspected our Reflection Secure Shell Client (called OpenSSH Client in versions earlier than Reflection 13.0) and determined that it is not vulnerable to the issues addressed in this alert. The Reflection Secure Shell Client does not read untrusted ASN.1 data, use the OpenSSL ASN.1 code for signature verification, use or generate certificates, or use SSL. Reflection products that provide SSL/TLS encrypted connections use the Microsoft CryptoAPI provided SSL/TLS Client; therefore, Reflection is not subject to the SSL/TLS implementation vulnerabilities noted in this advisory. The following products provide SSL/TLS encrypted connections: Reflection for HP with NS/VT 8.0.6 or higher Reflection for UNIX and OpenVMS 8.0.6 or higher Reflection for IBM 8.0.6 or higher Reflection Suite for X 8.0.6 or higher * Reflection X 8.0.6 or higher * Reflection for the Multi-Host Enterprise versions 8.0.6 or higher (product components are listed above) * The Reflection NFS Client and Reflection X do not use SSL/TLS encrypted connections; however, Reflection X and Reflection Suite for X include Reflection for UNIX and OpenVMS. |
| Additional |
For details, see http://www.cert.org/advisories/CA-2003-26.html. |
| Alert |
CERT Advisory CA-2002-36 |
| Summary |
Vulnerabilities in SSH2 Implementations from Multiple Vendors. |
| Product Status |
Attachmate has tested our Reflection Secure Shell Client (called OpenSSH client in versions earlier than Reflection 13.0) with the provided test suite and found that it is not vulnerable to the SSH2 connection initialization, key exchange, and negotiation phase attacks. |
| Additional |
For details, see http://www.cert.org/advisories/CA-2002-36.html. |
| Alert |
CERT Advisory CA-2003-24 |
| Summary |
Buffer Management Vulnerability in OpenSSH. |
| Product Status |
Attachmate Reflection Secure Shell Client (called OpenSSH Client in versions earlier than Reflection 13.0) uses the buffers noted in this advisory. This vulnerability cannot easily be exploited in the client software, except to deny service; however, Attachmate released a patched version of the client beginning in Reflection 11.0.4. If you have questions about this issue, please contact Attachmate Technical Support. For contact information about requesting support, see http://support.attachmate.com/contact/. |
| Additional |
For details, see http://www.cert.org/advisories/CA-2003-24.html. |
| Alert |
Microsoft VBA Security Update |
| Summary |
Microsoft has identified a critical security issue with Visual Basic for Applications (VBA). |
| Product Status |
For information about this issue, see Technical Note 1385. |
| Alert |
Microsoft Security Bulletin MS02-050 |
| Summary |
The Reflection SSL/TLS Telnet encryption module uses the Microsoft CryptoAPI library for certificate validation and encryption. Microsoft Security Bulletin MS02-050 references this library, (see the Technical Details section of the Microsoft Security Bulletin). For details, see Microsoft Security Bulletin MS02-050 at: http://www.microsoft.com/technet/security/bulletin/MS02-050.mspx |
| Product Status |
This issue applies when using the SSL/TLS Telnet encryption in the following Reflection products. Note: With Reflection versions 8.0-10.x, the same version of Reflection Security Components must also be installed for SSL/TLS Telnet encryption support. Reflection for HP with NS/VT 8.0.6 or higher Reflection for UNIX and OpenVMS 8.0.6 or higher Reflection for IBM 8.0.6 or higher Reflection X versions 8.0.6 or higher Reflection Suite for X versions 8.0.6 or higher Reflection for the Multi-Host Enterprise 8.0.6 or higher (product components are listed above) |
Security and Your Operating System
Security is dependent on a number of factors, one of which is the security of the operating system. This section provides links to security information found on the web sites of common operating systems. This information is non-inclusive—it does not include all operating systems, nor does it include all links to information that may impact the security of your operating system.
Microsoft: http://www.microsoft.com/technet/security/current.asp
Debian Linux: http://www.debian.org/security/
HP (Compaq): http://www1.itrc.hp.com/service/home/home.do (Note: This site requires registration.)
Red Hat Linux: http://www.redhat.com/support/alerts/
Sun Microsystems: http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec
IBM: http://www-1.ibm.com/servers/eserver/support/zseries/
Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
