Security Updates and Reflection
Technical Note 1708
Last Reviewed 25-Jun-2010
Applies To
Reflection for HP version 13.0 or higher
Reflection for UNIX and OpenVMS version 13.0 or higher
Reflection for ReGIS Graphics version 13.0 or higher
Reflection for IBM version 13.0 or higher
Reflection X version 13.0 or higher
Summary

This technical note discusses security issues related to Reflection security features. If you use these features, you should consult this technical note on a regular basis for any updated information regarding these features.

IMPORTANT: The security for all of the Reflection products using the Reflection security features depends upon the security of the operating system, host, and network environment. Attachmate strongly recommends that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers.

Reflection and Security

This section provides information about Reflection products and security.

The following table lists security information regarding other Reflection products.

Product Name                               Security Technical Note
All Reflection Products                    1700
Reflection 2008                            2502
Reflection for the Web                     1704
Reflection for Secure IT 7.0 or Higher     2288

Reporting a Potential Security Vulnerability to Attachmate

If you are aware of a potential security vulnerability in Attachmate's Reflection products that is not listed on this document, see Technical Note 1890 for details about reporting the issue to the Attachmate Computer Emergency Response Team (CERT).

Current Version

For information about the current version of Attachmate products, see the Product Support Lifecycle at http://support.attachmate.com/programs/lifecycle/.

Product Updates

To determine if any updates are available for the current version of your Reflection product, see Technical Note 1619, Reflection Service Pack Topics.

FIPS (Federal Information Processing Standards) Validation and Reflection

Reflection products version 13.0.4–14.x use the Attachmate Crypto Module, which has received FIPS 140-2 validation from the National Institute of Standards and Technology (NIST). To view the certificate and security policy, see the NIST website at: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2007.htm#766.

The SSL/TLS, SSH, and Kerberos Client security features of Reflection version 12.0.3 have received FIPS 140-2 validation from the National Institute of Standards and Technology (NIST). To view the certificate and security policy, see the Computer Security Division: Computer Security Resource Center on the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2005.htm.

For information about receiving the FIPS-validated product or update, contact Attachmate Technical Support. For contact information, see http://support.attachmate.com/contact/.

Department of Defense (DoD) Public Key Enabled (PKE) Certification

The following Reflection applications are certified as DOD PKI Interoperable:

Reflection for Secure IT Windows Client version 6.1 SP2, SP3, and SP4
Reflection for HP version 14.0 SP2, SP3, and SP4
Reflection for UNIX and OpenVMS version 14.0 SP2, SP3, and SP4
Reflection for ReGIS Graphics version 14.0 SP2, SP3, and SP4
Reflection for IBM version 14.0 SP4
Reflection X version 14.0 SP3 and SP4
Reflection FTP Client version 14.0 SP3 and SP4

To view the certificates, see the Joint Interoperability Test Command's (JITC) Department of Defense (DoD) Public Key Enabled (PKE) Application Status Web page at http://jitc.fhu.disa.mil/pki/pke_lab/app_testing/application_status.html.

Security Alerts and Advisories

The following security alerts and advisories may affect your Reflection installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.

Note: This information is non-inclusive—it does not attempt to address all security issues that may affect your system.

Alert
OpenSSL cryptographic message syntax vulnerability CVE-2010-0742
Date Posted
June 2010
Summary
The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.
Product Status
Attachmate Reflection products are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0742.

Alert
OpenSSL RSA verification recovery vulnerability CVE-2010-1633
Date Posted
June 2010
Summary
RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors.
Product Status
Attachmate Reflection products are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1633.

Alert
MD2 signed certificate hash collision vulnerability CVE-2009-2409
Date Posted
June 2010
Summary
Hash collisions in MD2 and MD5 signed certificate signatures have been publicly demonstrated in controlled research laboratories, leading to potential user or server certificate spoofing attacks.
Product Status
Reflection products listed in the Applies To section of this technical note are subject to this vulnerability, although the computation time needed to generate such certificates is still considered infeasibly large. Beginning in version 14.1, MD2 or MD5 signed intermediate Certification Authority certificates are no longer accepted by default; acceptance can be configured if needed for legacy certificate chain validation.
Additional Information
This issue is similar to the vulnerability described in CVE-2009-2409, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2409.

Alert
Null Truncation in X.509 Common Name Vulnerability CVE-2009-2408
Date Posted
June 2010
Summary
An attacker could obtain, from a legitimate Certificate Authority, an X.509 server certificate whose Subject Common Name field contains NULL (\0) characters. Such a certificate could enable man-in-the-middle attacks that spoof legitimate servers.
Product Status
Reflection products listed in the Applies To section of this technical note are subject to this vulnerability. Beginning in version 14.1, all attribute fields used to authenticate the host (namely, the Subject Common Name and SubjectAlternativeName fields) are checked for illegal (non-printable) characters, and the certificate is rejected if any are found.
Additional Information
This issue is similar to the vulnerability described in CVE-2009-2408, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2408.
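The two version 14.1 certificate-validation behaviours described in the MD2/MD5 and NULL-truncation alerts above, as an added example that is not Attachmate's or Reflection's code: certificates are plain Python dicts holding constructed sample values, and the field names and signature-algorithm names are assumptions made for the illustration.

```python
"""Certificate acceptance checks modelled on the Reflection 14.1 behaviour
described above: MD2/MD5 signatures on intermediate CA certificates are refused
unless a legacy override is set, and host-naming fields containing NUL or other
non-printable characters cause the certificate to be rejected.

Added example, not Attachmate code. Certificates are plain dicts holding
constructed sample data; DER parsing and signature verification are out of scope.
"""

# Signature algorithm names as they would be decoded from a certificate.
WEAK_SIGNATURE_ALGORITHMS = frozenset({"md2WithRSAEncryption", "md5WithRSAEncryption"})

def is_printable_name(value):
    """True only if every character is printable ASCII (0x20..0x7E); a NUL byte
    or any other control character makes the field illegal."""
    return all(0x20 <= ord(ch) <= 0x7E for ch in value)

def check_intermediate_signatures(chain, allow_legacy_md=False):
    """chain = [end-entity cert, intermediate CA certs...]; the trust anchor is
    not included. Returns (accepted, reason)."""
    for cert in chain[1:]:
        alg = cert["signature_algorithm"]
        if alg in WEAK_SIGNATURE_ALGORITHMS and not allow_legacy_md:
            return False, "intermediate %r signed with %s" % (cert["subject_cn"], alg)
    return True, "ok"

def naive_cn_matches(cert, expected_host):
    """How a C-string comparison behaves: the CN is cut at the first NUL, so
    'www.example.test\\0.attacker.test' compares equal to 'www.example.test'.
    Shown only to make the defect concrete."""
    cn = cert["subject_cn"].split("\x00", 1)[0]
    return cn.lower() == expected_host.lower()

def name_matches(pattern, host):
    """Exact match, or a single leading wildcard label (*.example.test)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_host_name(cert, expected_host):
    """Reject any host-authentication field with illegal characters first, then
    match expected_host against the SAN dNSNames, or the CN when there are none."""
    cn = cert["subject_cn"]
    san = list(cert.get("san_dns_names", []))
    fields = [("Subject CN", cn)] + [("SAN dNSName", n) for n in san]
    for field, value in fields:
        if not is_printable_name(value):
            return False, "illegal characters in %s %r" % (field, value)
    if any(name_matches(n, expected_host) for n in (san or [cn])):
        return True, "ok"
    return False, "no name matches %r" % expected_host

def accept_certificate(chain, expected_host, allow_legacy_md=False):
    """Combined policy decision for chain[0] as presented by expected_host."""
    ok, reason = check_intermediate_signatures(chain, allow_legacy_md)
    if not ok:
        return False, reason
    return check_host_name(chain[0], expected_host)

# Constructed sample data, not real certificates.
LEGIT_SERVER = {"subject_cn": "www.example.test",
                "san_dns_names": ["www.example.test", "example.test"],
                "signature_algorithm": "sha1WithRSAEncryption"}
NUL_SERVER = {"subject_cn": "www.example.test\x00.attacker.test",
              "san_dns_names": [], "signature_algorithm": "sha1WithRSAEncryption"}
SHA1_CA = {"subject_cn": "Example Intermediate CA", "signature_algorithm": "sha1WithRSAEncryption"}
MD5_CA = {"subject_cn": "Legacy Intermediate CA", "signature_algorithm": "md5WithRSAEncryption"}

if __name__ == "__main__":
    print("legit chain:", accept_certificate([LEGIT_SERVER, SHA1_CA], "www.example.test"))
    print("naive CN match on NUL cert:", naive_cn_matches(NUL_SERVER, "www.example.test"))
    print("policy on NUL cert:", accept_certificate([NUL_SERVER, SHA1_CA], "www.example.test"))
    print("MD5 intermediate:", accept_certificate([LEGIT_SERVER, MD5_CA], "www.example.test"))
```

The naive comparison accepts the NUL-bearing certificate for www.example.test, while the policy check rejects it before any name matching takes place.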

Alert
Vulnerability Advisory CPNI-957037
Date Posted
October 2008 (modified June 2010)
Summary
A design flaw in the SSH protocol's use of block ciphers in cipher block chaining (CBC) mode could allow an attacker to recover up to four bytes of plaintext. Although the severity of the attack is considered high, the likelihood of a successful attack is considered low, and an attempt results in termination of the user's SSH connection.
Product Status
Reflection 14.1 products continue to offer AES counter-mode ciphers, and now also prevent premature disconnection during password or keyboard-interactive authentication. For more information about how this vulnerability affects Attachmate products, see Technical Note 2398.
Additional Information
For details, see the Combined Security Incident Response Team - United Kingdom web site at http://www.cpni.gov.uk/Products/3716.aspx or the US-CERT web site at http://www.kb.cert.org/vuls/id/958563.

Alert
Reflection ActiveX Control 'ControlID' Buffer Overflow Vulnerability
Date Posted
June 2010
Summary
The ActiveX controls in Reflection for UNIX and OpenVMS, Reflection ReGIS Graphics, and Reflection for HP are subject to a buffer-overflow vulnerability. Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts may result in denial-of-service conditions.
Product Status
Reflection products listed in the Applies To section of this technical note are subject to this vulnerability. This issue has been fixed in version 14.1. Customers under maintenance who cannot upgrade to 14.1 can contact Attachmate Technical Support for hotfix information for Reflection 14.0 SP7 products.
Additional Information
Attachmate is aware of exploit scripts posted to known hacker web sites, but a US-CERT vulnerability notice is not yet available.

Alert
Vulnerability Summary for CVE-2007-6428
Date Posted
June 2010
Summary
The ProcGetReservedColormapEntries function in the TOG-CUP extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to read the contents of arbitrary memory locations using a request containing a 32-bit value that is improperly used as an array index.
Product Status
Issue has been fixed in Reflection X 14.1.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6428.

Alert
Vulnerability Summary for CVE-2007-6429
Date Posted
June 2010
Summary
Multiple integer overflows in X.Org Xserver before 1.4.1 allow context-dependent attackers to execute arbitrary code using (1) a GetVisualInfo request containing a 32-bit value that is improperly used to calculate an amount of memory for allocation by the EVI extension, or (2) a request containing values related to pixmap size that are improperly used in management of shared memory by the MIT-SHM extension.
Product Status
Issue has been fixed in Reflection X 14.1.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6429.

Alert
Vulnerability Summary for CVE-2008-0006
Date Posted
June 2010
Summary
Buffer overflow in (1) X.Org Xserver before 1.4.1, and (2) the libfont and libXfont libraries on some platforms including Sun Solaris, allows context-dependent attackers to execute arbitrary code using a PCF font with a large difference between the last col and first col values in the PCF_BDF_ENCODINGS table.
Product Status
Issue has been fixed in Reflection X 14.1.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0006.

Alert
Vulnerability Summary for CVE-2008-1377
Date Posted
June 2010
Summary
The (1) SProcRecordCreateContext and (2) SProcRecordRegisterClients functions in the Record extension and the (3) SProcSecurityGenerateAuthorization function in the Security extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code through requests with crafted length values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption.
Product Status
Issue has been fixed in Reflection X 14.1.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1377.

Alert
Vulnerability Summary for CVE-2008-2360
Date Posted
June 2010
Summary
Integer overflow in the AllocateGlyph function in the Render extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to execute arbitrary code via unspecified request fields that are used to calculate a heap buffer size, which triggers a heap-based buffer overflow.
Product Status
Issue has been fixed in Reflection X 14.1.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2360.

Alert
Vulnerability Summary for CVE-2008-2361
Date Posted
June 2010
Summary
Integer overflow in the ProcRenderCreateCursor function in the Render extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to cause a denial of service (daemon crash) via unspecified request fields that are used to calculate a glyph buffer size, which triggers a dereference of unmapped memory.
Product Status
Issue has been fixed in Reflection X 14.1.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2361.

Alert
Vulnerability Summary for CVE-2008-2362
Date Posted
June 2010
Summary
Multiple integer overflows in the Render extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code using a (1) SProcRenderCreateLinearGradient, (2) SProcRenderCreateRadialGradient, or (3) SProcRenderCreateConicalGradient request with an invalid field specifying the number of bytes to swap in the request data, which triggers heap memory corruption.
Product Status
Issue has been fixed in Reflection X 14.1.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2362.

Alert
US-CERT Technical Cyber Security Alert TA10-131A
Date Posted
May 2010
Summary
A remote code execution vulnerability exists in the way that Microsoft Visual Basic for Applications searches for ActiveX controls, as described in Microsoft Security Bulletin MS10-031 and Microsoft Security Advisory KB974945.
Product Status
Reflection products listed in the Applies To section of this technical note contain ActiveX controls that are subject to this vulnerability.

If you have any Microsoft Office products installed and use Microsoft Update to keep your systems secure, the Microsoft patches described in Microsoft Security Bulletin MS10-031 (http://www.microsoft.com/technet/security/bulletin/ms10-031.mspx) will automatically update the vulnerable VBE6.DLL file used by Reflection applications.

For systems that are not updated automatically using Microsoft Update, the patch can be downloaded from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=436a8a66-352e-44d1-a610-c825083ad24a.

Reflection version 14.1 installs the non-vulnerable VBE6.DLL, version 6.5.10.52.
Additional Information
For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA10-131A.html.

Alert
Drawing Object Vulnerability CVE-2007-1747
Date Posted
October 2009
Summary
Reflection products with VBA features (Reflection 2008, Reflection 2007, and Reflection 14.x and earlier) include redistributable Microsoft VBA 6.4 files. There are reported vulnerabilities specific to how Microsoft Office uses these files. To resolve these vulnerabilities, Microsoft recommends applying an update to Microsoft Office.
Product Status
Attachmate Reflection products do not have this vulnerability.
Additional Information
For details, see Microsoft Security Bulletin MS07-025 at http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx.

Alert
US-CERT Technical Cyber Security Alert TA09-209A
Date Posted
28-July-2009
Summary
Vulnerabilities present in the Microsoft Active Template Library (ATL) can cause vulnerabilities in the resulting ActiveX controls and COM components, as described in Microsoft Security Bulletin MS09-035 and Microsoft Security Advisory 973882. Any ActiveX control or COM component that was created with a vulnerable version of the ATL may be vulnerable.
Product Status
Reflection products listed in the Applies To section of this technical note contain ActiveX controls that are subject to this vulnerability. Beginning in version 14.0 Service Pack 7, the Reflection products now contain the non-vulnerable ATL.

Be sure to apply all Microsoft ATL critical patches to your systems as described in Microsoft Security Bulletin MS09-035, http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx.
Additional Information
For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA09-209A.html.

Alert
Vulnerability Summary CVE-2007-4752
Date Posted
September 2007
Summary
SSH in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.
Product Status
Attachmate SSH clients (including Reflection for Secure IT and Reflection X) do not have this OpenSSH vulnerability. Note: Reflection for Secure IT UNIX Clients versions 6.x and 7.0 support trusted X11 forwarding, but do not have the vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4752.

Alert
US-CERT Vulnerability Note VU #419344
Date Posted
April 2007
Summary
An authenticated user may be able to execute arbitrary code on a host running kadmind. Successful exploitation can compromise the Kerberos key database and host security on the host running these programs. (kadmind and the KDC typically run as root.) Unsuccessful exploitation attempts will likely result in the affected program crashing. Third-party applications calling either the RPC library or the GSS-API library provided with MIT krb5 may be vulnerable.
Product Status
Attachmate products (including NetIQ products) are not vulnerable.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/419344.

Alert
US-CERT Vulnerability Note VU #704024
Date Posted
April 2007
Summary
A buffer overflow exists in the krb5_klog_syslog() function used by kadmind and the KDC. An authenticated user may be able to execute arbitrary code on a host running kadmind. An authenticated user may be able to execute arbitrary code on KDC host. Also, a user controlling a Kerberos realm sharing a key with the target realm may be able to execute arbitrary code on a KDC host. Successful exploitation can compromise the Kerberos key database and host security on the host running these programs. (kadmind and the KDC typically run as root.) Unsuccessful exploitation attempts will likely result in the affected program crashing. Third-party applications calling krb5_klog_syslog() may also be vulnerable.
Product Status
Attachmate products (including NetIQ products) are not vulnerable.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/704024.

Alert
US-CERT Vulnerability Note VU #220816
Date Posted
April 2007
Summary
A remotely-exploitable root vulnerability is present in an application which ships in the krb5 sources.
Product Status
Attachmate products (including NetIQ products) are not vulnerable.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/220816.

Alert
US-CERT Vulnerability Note VU #831452: Kerberos administration daemon may free uninitialized pointers
Date Posted
April 2007
Summary
An unauthenticated user may cause execution of arbitrary code in the Kerberos administration daemon, "kadmind", by causing it to free uninitialized pointers which should have been initialized by the GSS-API library. Compromise of the Kerberos key database may result. Third-party server applications written using the GSS-API library provided with MIT krb5 may also be vulnerable. Affected releases are krb5-1.5 through krb5-1.5.1.
Product Status
Attachmate products (including NetIQ products) are not vulnerable.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/831452.

Alert
US-CERT Vulnerability Note VU #845620: RSA Public Exponent 3
Date Posted
September 2006
Summary
Multiple RSA implementations fail to properly handle signatures. This applies to Secure Shell and SSL/TLS encrypted connections.
Product Status
For more information about how this vulnerability affects Reflection products, see Technical Note 2137.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/845620.

Alert
US-CERT Vulnerability Note VU#680620
Date Posted
July 14, 2005
Summary
A buffer overflow vulnerability exists in the inflate() routine of versions 1.2.1 and 1.2.2 of the zlib data compression library.
Product Status
The Reflection Secure Shell client and Reflection X product use zlib version 1.1.4, which is not subject to this vulnerability.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/680620.

Alert
Announcement of Successful Cryptanalytic Attack on SHA-1
Summary
Three Chinese cryptanalysts from Shandong University have recently documented a successful cryptanalytic attack on the SHA-1 algorithm.
Product Status
Reflection products primarily use SHA-1 to create HMACs (Keyed Hashing for Message Authentication), for verification of message integrity. According to Schneier, because hash collisions are not a prominent concern, this use of SHA-1 is not affected by the cryptanalytic attack. (For further details, read the blog posting at http://www.schneier.com/blog/archives/2005/02/sha1_broken.html.)

In the next several versions of products that use the SHA-1 algorithm, all vendors, including Attachmate, will likely phase out the use of SHA-1 hashes in digital signatures and add support for SHA-256 and other stronger hashing algorithms.

Additional Information
Bruce Schneier, the author of "Applied Cryptography," discusses this announcement on his blog, Schneier on Security. For commentary on this topic, see Mr. Schneier's blog at http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html.

Alert
Microsoft VBA Security Update
Summary
Microsoft has identified a critical security issue with Visual Basic for Applications (VBA).
Product Status
For information about this issue, see Technical Note 1385.

Security and Your Operating System

Security is dependent on a number of factors, one of which is the security of the operating system. This section provides links to security information found on the web sites of common operating systems. This information is non-inclusive—it does not include all operating systems, nor does it include all links to information that may impact the security of your operating system.

Microsoft: http://www.microsoft.com/technet/security/current.asp

Debian Linux: http://www.debian.org/security/

HP (Compaq): http://www1.itrc.hp.com/service/home/home.do (Note: This site requires registration.)

Red Hat Linux: http://www.redhat.com/support/alerts/

Sun Microsystems: http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec

IBM: http://www-1.ibm.com/servers/eserver/support/zseries/

Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Related Technical Notes
1385 Microsoft VBA Security Update and Reflection Products
1619 Reflection Service Pack Topics
1700 Reflection Security Topics
1704 Security Updates and Reflection for the Web
1890 Reporting a Potential Security Vulnerability to Attachmate
2127 Reflection 14.0 Service Pack 7 (SP7): Fixes, Features, and File Download
2137 Attachmate Security Updates for US-CERT Vulnerability #845620: RSA Public Exponent 3
2288 Security Updates and Reflection for Secure IT 7.x
2398 Attachmate Security Update for CSIRTUK Vulnerability #CPNI-957: Plaintext Recovery Attack Against SSH
2502 Security Updates and Reflection 2008
9990 Technical Notes for Reflection for HP, UNIX and OpenVMS
9991 Reflection for IBM Technical Notes
9992 Reflection X Technical Notes
