
This technical note describes security issues related to security features (including FIPS validation) in Reflection for Secure IT 7.x. If you use these features, you should consult this technical note on a regular basis for any updated information regarding these features.
IMPORTANT: The security for all of the Reflection products using the Reflection security features depends upon the security of the operating system, host, and network environment. Attachmate strongly recommends that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers.
If you are aware of a potential security vulnerability in Attachmate's Reflection products that is not listed in this document, see Technical Note 1890 for details about reporting the issue to the Attachmate Computer Emergency Response Team (CERT).
The following table lists security information regarding other Reflection products.
| Product Name | Security Technical Note |
|---|---|
| All Reflection Products | 1700 |
| Reflection 2011 or 2008 | 2502 |
| Reflection for the Web | 1704 |
| Reflection X | 1708 |
For information about the current version of Attachmate products, see the Product Support Lifecycle at http://support.attachmate.com/programs/lifecycle/.
For information about available product updates, see the release notes for your product.
Maintained customers are eligible to download the latest product releases, service packs, and updates from the Attachmate Download Library web site: https://download.attachmate.com/Upgrades/. For more information about logging into and using the Download Library, see Technical Note 0200.
The following versions of the Attachmate Reflection cryptographic library, as used in Reflection for Secure IT, have received FIPS 140-2 validation from the National Institute of Standards and Technology (NIST), certificates #766 and #1027, when operated in FIPS mode.
| Reflection for Secure IT | Reflection Software Version | Operating System * | Cryptographic Library | Cryptographic Library Version |
|---|---|---|---|---|
| Server and Client | 7.1 ** | Windows | rssccm.dll | 2.0.40 |
| Server and Client | 7.1 ** | Solaris, AIX, HP-UX, SuSE and Red Hat Enterprise Linux | libssccm.so.2.0.40, libssccm.sl.2.0.40 | 2.0.40 |
| Server and Client | 7.0 *** | Solaris, AIX, HP-UX, SuSE and Red Hat Enterprise Linux | libssccm.so.2.0.40, libssccm.sl.2.0.40 | 2.0.40 |
| Server | 7.0 *** | Windows | rssccm.dll | 1.0.170 |
| Client | 6.1 SP2 through 7.0 | Windows | rssccm.dll | 1.0.170 |
* To view operating system details, as well as certificates and security policies, see the Computer Security Division: Computer Security Resource Center on the NIST website:
** Version 7.1 adds support for the following algorithms: AES 128-, 192- and 256-bit in counter mode (CTR), Arcfour 128- and 256-bit, SHA-256 and SHA-512. Arcfour (RC4) is not a FIPS-approved algorithm and is therefore only available outside FIPS mode. Reflection for Secure IT UNIX Client and Server (version 7.1.0.248 or higher) and Windows Server (version 7.1.211 or higher), available since 01-May-2009, more strictly enforce FIPS 140-2 requirements. For more information, contact Attachmate Technical Support, http://support.attachmate.com/contact/.
*** For information on ensuring FIPS mode operation in Reflection version 7.0, see
The following security alerts and advisories may affect your Reflection installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.
Note: This information is non-inclusive; it does not attempt to address all security issues that may affect your system.
| Alert | Vulnerability CVE-2008-0172 |
| Date Posted | September 2010 |
| Summary | The get_repeat_type function in basic_regex_creator.hpp in the Boost regex library (Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (NULL dereference and crash) via an invalid regular expression. |
| Product Status | Beginning in version 7.2, this issue is resolved in Reflection for Secure IT UNIX Server and Client. Note: This issue does not affect Reflection for Secure IT Windows Server or Client. |
| Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0172. |
| Alert | Vulnerability CVE-2010-1321 |
| Date Posted | May 2010 |
| Summary | Certain invalid GSS-API tokens can cause the MIT Kerberos 5 GSS-API acceptor (server) to crash due to a null pointer dereference in the GSS-API library. An authenticated remote attacker can cause a GSS-API application server using the MIT GSS-API library (including the Reflection for Secure IT UNIX Server) to crash by sending a malformed GSS-API token that induces a null pointer dereference. |
| Product Status | Reflection for Secure IT UNIX Server and Client versions 7.1 or higher can dynamically link with the vulnerable library if GSSAPI authentication is enabled. If you use GSSAPI authentication, you need to download (from MIT) and install a non-vulnerable version of the library, or apply the source code patch provided by MIT at http://web.mit.edu/kerberos/advisories/2010-005-patch.txt. |
| Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1321. |
| Alert | Vulnerability CVE-2009-2408 |
| Date Posted | March 2010 |
| Summary | An attacker could get a legitimate Certification Authority to issue a valid certificate containing a '\0' (NULL) character in the Common Name (CN) or SubjectAlternativeName field. A client that treats the name as a NUL-terminated C string compares only the portion before the NULL character, and can therefore accept a server certificate that appears to be legitimate but is not. |
| Product Status | All versions of the PKI Services Manager properly handle a NULL character in a domain name in the CN field identifying the Subject of an X.509 certificate. The service is therefore not vulnerable to man-in-the-middle attackers spoofing arbitrary SSL or SSH servers with a crafted certificate issued by a legitimate Certification Authority (also known as the "Null Truncation in X.509 Common Name Vulnerability"). |
| Additional Information | For details of a similar issue, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2408. |
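To make the NULL-truncation mechanism concrete, the following is an added example written for this note; it is not Attachmate code and does not describe how PKI Services Manager implements its check. It contrasts a host name matcher that models the C-string truncation (everything after the first NUL byte is dropped before comparison) with a length-aware matcher that rejects embedded NUL bytes and compares the whole value. The two certificate names are constructed test data; the host name `secureit.example.net` and the `*.attacker.example` domain are assumptions for the example.

```python
"""Host name matching against an X.509 CN or dNSName value, with and
without the NUL-truncation flaw described for CVE-2009-2408.

Added example for this technical note (not Attachmate code). The two
certificate names below are constructed test data.
"""

# X.509 name components are length-prefixed ASN.1 strings, so a NUL byte
# inside them is legal at the encoding layer. The spoofed name models what
# an attacker asks a CA to sign: the victim's host name, a NUL, then a
# domain the attacker really controls (so the CA's ownership check passes).
HONEST_CN = b"secureit.example.net"                      # constructed
SPOOFED_CN = b"secureit.example.net\x00.attacker.example"  # constructed


def vulnerable_match(cert_name: bytes, expected_host: str) -> bool:
    """Models a checker that copies the CN into a C char buffer and
    compares it with strcmp(): bytes after the first NUL are ignored."""
    c_string_view = cert_name.split(b"\x00", 1)[0]
    return c_string_view.decode("ascii", "replace").lower() == expected_host.lower()


def hardened_match(cert_name: bytes, expected_host: str) -> bool:
    """Length-aware comparison: reject NUL and non-printable bytes, then
    compare every label (ASCII case-insensitive); a wildcard is accepted
    only as the entire leftmost label and only with at least two more labels.
    The same rule applies to SubjectAlternativeName dNSName values."""
    if not cert_name or b"\x00" in cert_name:
        return False
    try:
        name = cert_name.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not all(0x21 <= ord(ch) <= 0x7E for ch in name):
        return False
    name_labels = name.lower().split(".")
    host_labels = expected_host.lower().split(".")
    if "" in name_labels or "" in host_labels:
        return False
    if len(name_labels) != len(host_labels) or len(name_labels) < 2:
        return False
    if name_labels[0] == "*":
        # Refuse wildcards that would cover a whole top-level domain (*.net)
        if len(name_labels) < 3:
            return False
        return name_labels[1:] == host_labels[1:]
    return name_labels == host_labels


def compare_checks(expected_host: str = "secureit.example.net") -> dict:
    """Return each matcher's verdict as (honest_accepted, spoofed_accepted)."""
    return {
        "vulnerable": (vulnerable_match(HONEST_CN, expected_host),
                       vulnerable_match(SPOOFED_CN, expected_host)),
        "hardened": (hardened_match(HONEST_CN, expected_host),
                     hardened_match(SPOOFED_CN, expected_host)),
    }


if __name__ == "__main__":
    for checker, (honest, spoofed) in compare_checks().items():
        print(f"{checker:10s} honest={honest} spoofed={spoofed}")
```

The vulnerable matcher accepts both names, because the NUL hides the attacker's suffix from a C-string comparison; the hardened matcher accepts only the honest name. The point for a deployment is that a correct check must operate on the full ASN.1 length of the name, never on a NUL-terminated copy of it.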
| Alert | Vulnerability Summary CVE-2009-2409 |
| Date Posted | March 2010 |
| Summary | Use of MD2 hashes in X.509 certificates might allow remote attackers to spoof intermediate CA certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. Note: The scope of this issue is currently limited because the amount of computation required is large. |
| Product Status | This issue is resolved in Reflection PKI Services Manager version 1.1 by not accepting MD2-signed intermediate CA certificates by default. A new setting is available if you need to enable use of intermediate certificates signed using this deprecated hash algorithm. From the console, enable "Allow MD2 signed certificates". Or, in the configuration file, set AllowMD2Certificates = yes. |
| Additional Information | For details of a similar issue, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2409. |
| Alert | US-CERT Technical Cyber Security Alert TA09-209A |
| Date Posted | 28-July-2009 |
| Summary | Vulnerabilities present in the Microsoft Active Template Library (ATL) can cause vulnerabilities in the resulting ActiveX controls and COM components, as described in Microsoft Security Bulletin MS09-035 and Microsoft Security Advisory 973882. Any ActiveX control or COM component that was built with a vulnerable version of the ATL may be vulnerable. |
| Product Status | Reflection for Secure IT Windows Server and Reflection for Secure IT Windows Client do not contain ActiveX controls or COM components, but earlier builds of these products do contain the vulnerable ATL. Beginning in version 7.1 Service Pack 2, these products are built with the non-vulnerable ATL. |
| Additional Information | For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA09-209A.html. |
| Alert | Vulnerability Advisory CPNI-957037 |
| Date Posted | October 2008 |
| Summary | A design flaw in the SSH protocol's use of block ciphers in cipher block chaining (CBC) mode could allow an attacker to recover up to four bytes of plaintext from an encrypted connection. Although the severity of the attack is considered high, the likelihood of a successful attack is considered low, and a failed attempt terminates the user's SSH connection. The flaw is specific to CBC mode; counter-mode (CTR) ciphers are not affected. |
| Product Status | For more information about how this vulnerability affects Attachmate products, see Technical Note 2398. |
| Additional Information | For details, see the Combined Security Incident Response Team - United Kingdom web site at http://www.cpni.gov.uk/Products/3716.aspx. |
| Alert | Vulnerability Summary CVE-2008-1657 |
| Date Posted | July 2008 |
| Summary | OpenSSH 4.4 and other versions before 4.9 allow remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file. |
| Product Status | The "ForceCommand" keyword is no longer supported as of Reflection for Secure IT UNIX Server version 7.0 SP1. |
| Additional Information | For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1657. |
| Alert | Vulnerability Summary CVE-2008-1483 |
| Date Posted | July 2008 |
| Summary | OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs. |
| Product Status | This issue is resolved in Reflection for Secure IT UNIX Client version 7.0 SP1. |
| Additional Information | For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1483. |
| Alert | Vulnerability Summary CVE-2007-3108 |
| Date Posted | July 2008 |
| Summary | A side-channel weakness in OpenSSL's Montgomery multiplication (BN_from_montgomery) could allow a local attacker to recover an RSA private key. |
| Product Status | This issue is resolved in Reflection for Secure IT UNIX Client and Server version 7.0 SP1. |
| Additional Information | For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3108. |
| Alert | Vulnerability Summary CVE-2006-2937 |
| Date Posted | July 2008 |
| Summary | Denial of service in OpenSSL: malformed ASN.1 structures can trigger an infinite loop and memory consumption while an improperly handled error condition is processed. |
| Product Status | This issue is resolved in Reflection for Secure IT UNIX Client and Server version 7.0 SP1. |
| Additional Information | For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2937. |
| Alert | Vulnerability Summary CVE-2006-2940 |
| Date Posted | July 2008 |
| Summary | Denial of service in OpenSSL: "parasitic" public keys with very large public exponent or modulus values in X.509 certificates consume excessive CPU time during RSA signature verification. |
| Product Status | This issue is resolved in Reflection for Secure IT UNIX Client and Server version 7.0 SP1. |
| Additional Information | For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2940. |
| Alert | Vulnerability Summary CVE-2007-4752 |
| Date Posted | September 2007 |
| Summary | ssh in OpenSSH before 4.7 does not properly handle the case in which an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted. |
| Product Status | Attachmate SSH clients (including Reflection for Secure IT and Reflection X) do not have this OpenSSH vulnerability. Note: Reflection for Secure IT UNIX Clients versions 6.x and 7.0 support trusted X11 forwarding, but do not have the vulnerability. |
| Additional Information | For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4752. |
Security is dependent on a number of factors, one of which is the security of the operating system. This section provides links to security information found on the web sites of common operating systems. This information is non-inclusive; it does not include all operating systems, nor does it include all links to information that may impact the security of your operating system.
Microsoft: http://www.microsoft.com/technet/security/current.asp
Debian Linux: http://www.debian.org/security/
HP (Compaq): http://www1.itrc.hp.com/service/home/home.do (Note: This site requires registration.)
Red Hat Linux: http://www.redhat.com/support/alerts/
Sun Microsystems: http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec
IBM: http://www-1.ibm.com/servers/eserver/support/zseries/
Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.