Technical Notes
This technical note describes security issues related to security features (including FIPS validation) in Reflection for Secure IT 7.0 or higher. If you use these features, you should consult this technical note on a regular basis for any updated information regarding these features.
IMPORTANT: The security for all of the Reflection products using the Reflection security features depends upon the security of the operating system, host, and network environment. Attachmate strongly recommends that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers.
This note is organized into the following topics:
This section provides information about Reflection for Secure IT and security.
If you are aware of a potential security vulnerability in Attachmate's Reflection products that is not listed on this document, see Technical Note 1890 for details about reporting the issue to the Attachmate Computer Emergency Response Team (CERT).
For information about the current version of Attachmate products, see the Product Support Lifecycle at http://support.attachmate.com/programs/lifecycle/.
Maintained customers are eligible to download the latest product releases from the Attachmate Download Library web site: https://download.attachmate.com/Upgrades/. For more information about logging into and using the Download Library, see Technical Note 0200.
The following version of the Attachmate Reflection cryptographic library, used in Reflection for Secure IT version 7.0, has received FIPS 140-2 validation from the National Institute of Standards and Technology (NIST), certificate #766 (when operated in FIPS mode).
| Cryptographic Library: rssccm.dll (version) | Software Version | Operating System* |
| 1.0.170 | 6.1 SP2 or higher | Windows (Client) |
| 1.0.170 | 7.0 | Windows (Server and Client) |
* The FIPS 140-2 validation level varies depending on many factors, including the operating system (not all operating systems are currently eligible for Level 2). For validation level details, and to view the certificate and security policy, see the Computer Security Division: Computer Security Resource Center on the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2007.htm/#766 (Cert# 766).
The following security alerts and advisories may affect your Reflection installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.
Note: This information is non-inclusive; it does not attempt to address all security issues that may affect your system.
Alert: Vulnerability Summary CVE-2008-1657
Date Posted: July 2008
Summary: OpenSSH 4.4 and other versions before 4.9 allow remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file.
Product Status: The "ForceCommand" keyword is no longer supported as of Reflection for Secure IT UNIX Server version 7.0 SP1.
Additional Information: For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1657.

Alert: Vulnerability Summary CVE-2008-1483
Date Posted: July 2008
Summary: OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
Product Status: This issue is resolved in Reflection for Secure IT UNIX Client version 7.0 SP1.
Additional Information: For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1483.

Alert: Vulnerability Summary CVE-2007-3108
Date Posted: July 2008
Summary: OpenSSL cryptography vulnerability (a side-channel flaw in the RSA Montgomery multiplication code) that could allow a local attacker to recover an RSA private key.
Product Status: This issue is resolved in Reflection for Secure IT UNIX Client and Server version 7.0 SP1.
Additional Information: For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3108.

Alert: Vulnerability Summary CVE-2006-2937
Date Posted: July 2008
Summary: OpenSSL denial of service via malformed ASN.1 structures.
Product Status: This issue is resolved in Reflection for Secure IT UNIX Client and Server version 7.0 SP1.
Additional Information: For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2937.

Alert: Vulnerability Summary CVE-2006-2940
Date Posted: July 2008
Summary: OpenSSL denial of service (CPU consumption) via parasitic public keys with very large exponents or moduli.
Product Status: This issue is resolved in Reflection for Secure IT UNIX Client and Server version 7.0 SP1.
Additional Information: For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2940.

Alert: Vulnerability Summary CVE-2007-4752
Date Posted: September 2007
Summary: ssh in OpenSSH before 4.7 does not properly handle the case where an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.
Product Status: Attachmate SSH clients (including Reflection for Secure IT and Reflection X) do not have this OpenSSH vulnerability. Note: Reflection for Secure IT UNIX Client versions 6.x and 7.0 support trusted X11 forwarding, but do not have the vulnerability.
Additional Information: For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4752.
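The ForceCommand bypass in the CVE-2008-1657 alert above only matters on a server that still honours ForceCommand and runs ~/.ssh/rc ahead of it (OpenSSH before 4.9, and Reflection for Secure IT UNIX Server before 7.0 SP1, where the keyword was removed). The script below is an added audit example, not Attachmate's or OpenSSH's code: it parses a constructed sshd_config fragment for ForceCommand directives (global section and Match User blocks) and reports every restricted account that also owns a .ssh/rc file under a home-directory root. The configuration text, user names and home-directory tree are constructed for the example. Real sshd_config parsing is more involved (Match Group/Address criteria, first-value-wins semantics), so Match blocks keyed on anything other than User are returned for manual review rather than resolved.

```python
"""Audit for the CVE-2008-1657 pattern: accounts restricted by ForceCommand
that also own a ~/.ssh/rc file, which an unpatched sshd executes before the
forced command.  Constructed example, not vendor code."""
import os
import tempfile
from typing import Dict, List, Optional, Tuple


def parse_force_commands(config_text: str) -> Dict[Optional[str], str]:
    """Map scope -> ForceCommand value.

    Scope None is the global section; a 'Match User alice,bob' block yields
    one entry per listed user.  Match blocks keyed on anything else (Group,
    Address, combined criteria) are recorded under the literal Match line so
    the caller can flag them for manual review.
    """
    forced: Dict[Optional[str], str] = {}
    scopes: List[Optional[str]] = [None]
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit = value.split()
            if len(crit) == 2 and crit[0].lower() == "user":
                scopes = crit[1].split(",")
            else:
                scopes = ["Match " + value]
            continue
        if key == "forcecommand":
            for scope in scopes:
                forced[scope] = value
    return forced


def find_user_rc(home_root: str) -> Dict[str, str]:
    """Return {user: path} for every <home_root>/<user>/.ssh/rc that exists."""
    found: Dict[str, str] = {}
    for user in sorted(os.listdir(home_root)):
        rc = os.path.join(home_root, user, ".ssh", "rc")
        if os.path.isfile(rc):
            found[user] = rc
    return found


def audit(config_text: str, home_root: str) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (exposed, unresolved).

    exposed: (user, forced_command, rc_path) for users who are restricted by a
    global or Match User ForceCommand and also have an rc file.
    unresolved: Match scopes this parser cannot map to users; check by hand.
    """
    forced = parse_force_commands(config_text)
    exposed: List[Tuple[str, str, str]] = []
    for user, rc in find_user_rc(home_root).items():
        cmd = forced.get(user, forced.get(None))  # per-user block, else global
        if cmd:
            exposed.append((user, cmd, rc))
    unresolved = [s for s in forced if s is not None and s.startswith("Match ")]
    return exposed, unresolved


# Constructed sshd_config fragment (assumption: not from any real host).
DEMO_CONFIG = """\
Port 22
Match User alice
    ForceCommand internal-sftp
Match Group sftponly
    ForceCommand internal-sftp
"""


def make_demo_homes() -> str:
    """Build a constructed home tree: alice and carol own .ssh/rc, bob does not."""
    root = tempfile.mkdtemp()
    for user, with_rc in (("alice", True), ("bob", False), ("carol", True)):
        ssh_dir = os.path.join(root, user, ".ssh")
        os.makedirs(ssh_dir)
        if with_rc:
            with open(os.path.join(ssh_dir, "rc"), "w") as fh:
                fh.write("# constructed rc file for the example\n")
    return root


if __name__ == "__main__":
    exposed, unresolved = audit(DEMO_CONFIG, make_demo_homes())
    for user, cmd, rc in exposed:
        print(f"{user}: ForceCommand '{cmd}' but {rc} exists")
    for scope in unresolved:
        print(f"manual review: '{scope}' sets ForceCommand; map its members to home directories")
```

On a real host, call audit() with the contents of the server's own configuration file and the home-directory root (for example /home); a hit means the account's forced command can be pre-empted on an unpatched server, and the fix is to upgrade (or, on an unpatched OpenSSH, remove or lock down the rc file and its .ssh directory).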
Security is dependent on a number of factors, one of which is the security of the operating system. This section provides links to security information found on the web sites of common operating systems. This information is non-inclusive; it does not include all operating systems, nor does it include all links to information that may impact the security of your operating system.
Microsoft: http://www.microsoft.com/technet/security/current.asp
Debian Linux: http://www.debian.org/security/
HP (Compaq): http://www1.itrc.hp.com/service/home/home.do (Note: This site requires registration.)
Red Hat Linux: http://www.redhat.com/support/alerts/
Sun Microsystems: http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec
IBM: http://www-1.ibm.com/servers/eserver/support/zseries/
The following table lists security information regarding other Reflection products.
| Product Name | Security Technical Note |
| All Reflection Products | 1700 |
| Reflection for the Web | 1704 |
| Reflection for HP; Reflection for UNIX and OpenVMS; Reflection for ReGIS Graphics; Reflection for IBM; Reflection X | 1708 |
| Reflection for Secure IT Windows Server 6.x or earlier; Reflection for Secure IT UNIX Server 6.x or earlier; Reflection for Secure IT UNIX Client 6.x or earlier; F-Secure SSH | 1910 |
Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.