Security Updates and Reflection 2014 or Reflection 2011
Technical Note 2502
Last Reviewed 20-May-2014
Applies To
Reflection 2014
Reflection for IBM 2014
Reflection for UNIX and OpenVMS 2014
Reflection for IBM 2011
Reflection for UNIX and OpenVMS 2011
Summary

This technical note describes security issues related to the Reflection 2014 or 2011 products listed in the Applies To section. If you rely on the security features of these products, you should consult this technical note on a regular basis for any updated information regarding these features.

Other Useful Resources

Java and Reflection 2014 or 2011

The Reflection Workspace and Reflection FTP Client do not use Java.

If you have also purchased Reflection Security Gateway or Reflection for the Web and use the Administrative WebStation to deploy Reflection sessions, a browser with a Java plug-in is required to launch those sessions.

Some Reflection 2014 and 2011 products include the Reflection X Advantage component described separately in Technical Note 2600.

Security Alerts and Advisories

The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.

Note: This information is non-inclusive—it does not attempt to address all security issues that may affect your system.

IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see Technical Note 2200.

Alert
OpenSSL "Heartbleed" Vulnerability CVE-2014-0160
Date Posted
April 2014
Summary
A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
Product Status
This issue affects Reflection 2014 R1 TLS 1.2 connections for 3270/5250/VT and FTP. The default Reflection 2014 R1 TLS 1.0 connections and Reflection 2011 products are not subject to this vulnerability.

This issue has been resolved beginning in Reflection 2014 R1 Hotfix 4 (15.6.0.660). Upgrade to Reflection 2014 R1 Update 1 or higher, available from Attachmate Downloads.

Additional Information
For details and the latest information on mitigations, see the following:
US-CERT Technical Alert:
https://www.us-cert.gov/ncas/alerts/TA14-098A
CERT-CC Vulnerability Note VU#720951:
http://www.kb.cert.org/vuls/id/720951
National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Alert
Vulnerability Summary for CVE-2013-0422
Date Posted
January 2013
Summary
Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code, as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected.

According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications.

Product Status
Reflection 2011 or higher products are not subject to this vulnerability. However, Reflection sessions configured using the Administrative WebStation (included in Reflection Administrator, Reflection Security Gateway, and Reflection for the Web, sold separately from Reflection) require that Reflection be launched from a browser with a Java plug-in enabled. It is this JRE plug-in and Java Web Start that can be exploited, not Reflection. To launch sessions using the login/links page and minimize the risk described in this vulnerability, refer to the latest information provided by Oracle and install a version of Java that addresses this vulnerability.
Additional Information
For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html.

Alert
Vulnerability in Visual Basic for Applications Could Allow Remote Code Execution (MS12-046)
Date Posted
October 2012
Summary
The vulnerability could allow remote code execution if a user opens a legitimate Microsoft Office file (such as a .docx file) that is located in the same directory as a specially crafted dynamic link library (DLL) file. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Product Status
The issue is resolved beginning in Reflection 2011 R3. The VBA version (6.5.10.54) included in Reflection 2011 R3 addresses the VBA vulnerability.
Additional Information
For details, see Microsoft Security Bulletin MS12-046 at http://www.microsoft.com/technet/security/bulletin/ms12-046.mspx.

Alert
OpenSSL ASN1 BIO Denial of Service Vulnerability CVE-2012-2110
Date Posted
June 2012 (modified October 2012)
Summary
An ASN.1 input function does not properly interpret integer data, which allows local attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption), via crafted DER data, as demonstrated by an X.509 certificate.
Product Status
The issue is resolved beginning in version 15.4.1.397. Upgrade to Reflection 2011 R3 (15.5.0.28) or higher.
Additional Information
For details, see the National Vulnerability Database site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2110.

Alert
OpenSSL Block Cipher Padding Vulnerability CVE-2011-4576
Date Posted
February 2012 (modified May 2012)
Summary
The SSL 3.0 implementation in the Reflection SSL client does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
Product Status
The issue is resolved beginning in version 15.4.1.356. Upgrade to Reflection 2011 R2 SP1 or higher.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4576.

Alert
Heap Overflow in Reflection FTP Client
Date Posted
November 2011 (modified May 2012)
Summary
The Reflection FTP Client is subject to a heap overflow that could result in remote code execution at the authenticated user's privilege level. The vulnerability requires a user to connect to a malicious FTP server and interact with a specially crafted file.
Product Status
The Reflection FTP Client included with Reflection 2008; Reflection 2011 R1 (15.3.436.0) and R1 Service Pack 1 (SP1) (15.3.569.0); and Reflection 2011 R2 (15.4.327.0) is subject to this vulnerability.

The issue is resolved beginning in version 15.3.2.569 for Reflection 2011 R1 SP1, and in version 15.4.1.327 for Reflection 2011 R2. Upgrade to Reflection 2011 R2 SP1.
Additional Information
Attachmate would like to thank Francis Provencher of Protek Research Labs for discovering and reporting the vulnerability.

Alert
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution CVE-2011-0977
Date Posted
November 2011
Summary
Reflection products with VBA features (Reflection 2011 R1 and Reflection 2008) include redistributable Microsoft VBA 6.4 files. There are reported vulnerabilities specific to how Microsoft Office uses these files. To resolve these vulnerabilities, Microsoft recommends applying an update to Microsoft Office.
Product Status
Reflection products do not have this vulnerability.
Additional Information
For details, see Microsoft Security Bulletin MS11-023 at http://www.microsoft.com/technet/security/bulletin/ms11-023.mspx.

Alert
Untrusted Search Path Vulnerability CVE-2011-0107
Date Posted
November 2011
Summary
Untrusted search path vulnerability in Reflection for UNIX and OpenVMS 2011 allows local users to gain privileges via a Trojan horse .DLL in the current working directory with several registered file types. This is similar to the untrusted search path vulnerability described in CVE-2011-0107 in Microsoft Office XP SP3, Office 2003 SP3, and Office 2007 SP2 that allows local users to gain privileges via a Trojan horse .DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Office Component Insecure Library Loading Vulnerability."
Product Status
This issue has been fixed starting in Reflection 2011 R1 SP1. Reflection for IBM 2011 is not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0107.

Alert
Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution CVE-2010-3190
Date Posted
November 2011
Summary
Untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1, and 2010; and Visual C++ 2005 SP1, 2008 SP1, and 2010 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application such as AtlTraceTool8.exe (aka ATL MFC Trace Tool), as demonstrated by a directory that contains a TRC, cur, rs, rct, or res file, aka "MFC Insecure Library Loading Vulnerability."
Product Status
Reflection 2011 R1 and Reflection 2008 products ship with these MFC redistributables. Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service.

Reflection 2011 R2 is not affected because it ships with updated MFC redistributables.
Additional Information
For details, see Microsoft Security Bulletin MS11-025 at http://www.microsoft.com/technet/security/bulletin/ms11-025.mspx.

Alert
Vulnerability Advisory CPNI-957037
Date Posted
October 2008 (modified July 2010)
Summary
A design flaw in the SSH protocol use of block ciphers in cipher block chaining mode could allow an attacker to recover up to four bytes of plaintext. Although the severity of the attack is considered high, the likelihood of a successful attack is considered low and results in terminating the user's SSH connection.
Product Status
Reflection 2011 products continue to offer AES counter-mode ciphers available in Reflection 2008, and now also prevent premature disconnection during password or keyboard-interactive authentication. For more information about how this vulnerability affects Attachmate products, see Technical Note 2398.
Additional Information
For details, see the US-CERT web site at http://www.kb.cert.org/vuls/id/958563.

Alert
MD2 signed certificate hash collision vulnerability CVE-2009-2409
Date Posted
July 2010
Summary
Hash collisions in MD2 and MD5 signed certificate signatures have been publicly demonstrated in controlled research laboratories, leading to potential user or server certificate spoofing attacks.
Product Status
Reflection products listed in the Applies To section of this technical note are subject to this vulnerability, although the computation time required to generate such certificates is still considered infeasibly large. Beginning in Reflection 2011, the use of MD2- or MD5-signed intermediate Certification Authority certificates is no longer allowed by default, but it can be configured if needed for legacy certificate chain validation.
Additional Information
This issue is similar to the vulnerability described in CVE-2009-2409, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2409.
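The policy described above (MD2- or MD5-signed intermediate CA certificates rejected by default, with an opt-in for legacy chains) can be stated precisely as a walk over the certificate chain. The following is an added illustration written for this note, not Attachmate's code: certificates are modelled as plain records carrying their signatureAlgorithm OID, the chain is constructed inline, and the `allow_legacy_md_signatures` parameter is a hypothetical name standing in for whatever configuration switch a product exposes.

```python
"""Added example (not Attachmate's code): chain policy that rejects MD2/MD5
signed intermediate CA certificates by default, configurable for legacy chains.
Certificate records and the sample chain below are constructed for this example."""

from dataclasses import dataclass

# signatureAlgorithm OIDs from PKCS #1 (RFC 3279 / RFC 4055).
OID_MD2_RSA = "1.2.840.113549.1.1.2"
OID_MD5_RSA = "1.2.840.113549.1.1.4"
OID_SHA1_RSA = "1.2.840.113549.1.1.5"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"

WEAK_SIGNATURE_OIDS = {OID_MD2_RSA: "MD2", OID_MD5_RSA: "MD5"}


@dataclass(frozen=True)
class CertRecord:
    """Minimal stand-in for a parsed certificate (toy model, not a real parser)."""
    subject: str
    issuer: str
    signature_oid: str   # OID of the algorithm the *issuer* used to sign this cert
    is_ca: bool


def check_chain(chain, allow_legacy_md_signatures=False):
    """Return (accepted, reason) for a chain ordered leaf -> intermediates -> root.

    Only intermediate CA certificates are subject to the MD2/MD5 rule, matching
    the policy described in the note.  The root's self-signature is never
    examined: trust in a root comes from the trust store, not from verifying its
    signature, so an old MD5 self-signed root is harmless, whereas an MD5-signed
    intermediate is a place where a forged CA certificate could be spliced in.
    """
    if not chain:
        return False, "empty chain"
    # Toy model: the last record must be self-signed, standing in for a trust-store lookup.
    if chain[-1].subject != chain[-1].issuer:
        return False, f"chain does not end at a trust anchor ({chain[-1].subject!r})"
    for prev, cert in zip(chain, chain[1:]):
        if prev.issuer != cert.subject:
            return False, f"broken chain: {prev.subject!r} not issued by {cert.subject!r}"
        if not cert.is_ca:
            return False, f"{cert.subject!r} is not a CA certificate"
    for cert in chain[1:-1]:   # intermediates only (not the leaf, not the anchor)
        weak = WEAK_SIGNATURE_OIDS.get(cert.signature_oid)
        if weak and not allow_legacy_md_signatures:
            return False, f"intermediate {cert.subject!r} is signed with {weak}"
    return True, "ok"


# Constructed sample chains (placeholder names, no real CA is referenced).
ROOT = CertRecord("Example Root CA", "Example Root CA", OID_MD5_RSA, True)  # legacy self-signed root
LEGACY_INTERMEDIATE = CertRecord("Example Legacy Issuing CA", "Example Root CA", OID_MD5_RSA, True)
MODERN_INTERMEDIATE = CertRecord("Example Issuing CA", "Example Root CA", OID_SHA256_RSA, True)
LEAF_LEGACY = CertRecord("host.example", "Example Legacy Issuing CA", OID_SHA1_RSA, False)
LEAF_MODERN = CertRecord("host.example", "Example Issuing CA", OID_SHA256_RSA, False)

LEGACY_CHAIN = [LEAF_LEGACY, LEGACY_INTERMEDIATE, ROOT]
MODERN_CHAIN = [LEAF_MODERN, MODERN_INTERMEDIATE, ROOT]

if __name__ == "__main__":
    for label, chain in (("modern", MODERN_CHAIN), ("legacy", LEGACY_CHAIN)):
        print(label, "default policy:", check_chain(chain))
        print(label, "legacy allowed:", check_chain(chain, allow_legacy_md_signatures=True))
```

The modern chain passes under the default policy even though the root is MD5 self-signed; the legacy chain is refused because of its intermediate, and is accepted only when the legacy switch is turned on.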

Alert
Null Truncation in X.509 Common Name Vulnerability CVE-2009-2408
Date Posted
July 2010
Summary
An attacker could acquire, from a legitimate Certificate Authority, a server certificate containing NULL (\0) characters in the Subject Common Name field of an X.509 certificate, which could allow man-in-the-middle attacks that spoof legitimate servers.
Product Status
Reflection products listed in the Applies To section of this technical note are subject to this vulnerability. Beginning in Reflection 2011, all attribute fields used to authenticate the host (namely, the Subject Common Name and SubjectAlternativeName fields) are checked for illegal (non-printable) characters, and the certificate is rejected if any are found.
Additional Information
This issue is similar to the vulnerability described in CVE-2009-2408, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2408.
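The failure mode here is that DER strings are length-delimited while C-style string handling stops at the first NUL, so two different readings of the same Common Name exist. The check described above closes the gap by refusing any host-authentication attribute containing a non-printable character before any name comparison happens. The following is an added example written for this note, not Attachmate's code: it encodes a subject Name with a tiny inline DER encoder, reads the CN back length-delimited, and applies the non-printable check; the domain names are placeholders and the function names are this example's own.

```python
"""Added example (not Attachmate's code): a NUL inside an X.509 Common Name,
read two ways, and the check that rejects such attributes before hostname
matching.  The DER encoder/decoder here is deliberately minimal (single CN
attribute, lengths under 65536); all data is constructed inline."""

OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3


def der_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one DER tag-length-value triple."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def build_subject_name(common_name: bytes) -> bytes:
    """Build a DER X.501 Name holding one CN attribute as a UTF8String."""
    attr = der_tlv(0x30, der_tlv(0x06, OID_COMMON_NAME) + der_tlv(0x0C, common_name))
    rdn = der_tlv(0x31, attr)      # SET OF AttributeTypeAndValue
    return der_tlv(0x30, rdn)      # SEQUENCE OF RelativeDistinguishedName


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        count = first & 0x7F
        n = int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
        pos += 2 + count
    return tag, buf[pos:pos + n], pos + n


def extract_common_names(name_der: bytes) -> list:
    """Walk a DER Name and return every CN value as raw bytes.  Because DER is
    length-delimited, an embedded NUL is preserved rather than ending the string."""
    found = []
    _, rdns, _ = read_tlv(name_der, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn_set, pos = read_tlv(rdns, pos)
        inner = 0
        while inner < len(rdn_set):
            _, attr, inner = read_tlv(rdn_set, inner)
            _, oid, after_oid = read_tlv(attr, 0)
            _, value, _ = read_tlv(attr, after_oid)
            if oid == OID_COMMON_NAME:
                found.append(value)
    return found


def c_string_view(value: bytes) -> str:
    """What strlen()-style code sees: everything before the first NUL byte."""
    return value.split(b"\x00", 1)[0].decode("utf-8", "replace")


def is_printable_host_attribute(value: bytes) -> bool:
    """The mitigation described in the note: a host-authentication attribute
    (CN or SAN dNSName) is acceptable only if every character is printable."""
    try:
        text = value.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() for ch in text)


def host_matches(name_der: bytes, expected_host: str) -> bool:
    """Validate every CN first (rejecting the whole certificate on any bad one),
    then compare the complete length-delimited value, case-insensitively."""
    cns = extract_common_names(name_der)
    if not cns or not all(is_printable_host_attribute(cn) for cn in cns):
        return False
    return any(cn.decode("utf-8").lower() == expected_host.lower() for cn in cns)


# Constructed samples: an honest CN and one with an embedded NUL (placeholder names).
HONEST_CN = b"login.good.example"
SPLICED_CN = b"login.good.example\x00.evil.example"
honest_name = build_subject_name(HONEST_CN)
spliced_name = build_subject_name(SPLICED_CN)

if __name__ == "__main__":
    print("C view of spliced CN :", c_string_view(SPLICED_CN))
    print("DER view of spliced CN:", extract_common_names(spliced_name))
    print("honest accepted       :", host_matches(honest_name, "login.good.example"))
    print("spliced accepted      :", host_matches(spliced_name, "login.good.example"))
```

The same `is_printable_host_attribute` check should be applied to every SubjectAlternativeName dNSName entry as well, since the note lists both fields as inputs to host authentication.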

Alert
OpenSSL cryptographic message syntax vulnerability CVE-2010-0742
Date Posted
June 2010
Summary
The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.
Product Status
Attachmate Reflection products are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0742.

Alert
OpenSSL RSA verification recovery vulnerability CVE-2010-1633
Date Posted
June 2010
Summary
RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors.
Product Status
Attachmate Reflection products are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1633.

Alert
US-CERT Technical Cyber Security Alert TA10-131A
Date Posted
May 2010
Summary
A remote code execution vulnerability exists in the way that Microsoft Visual Basic for Applications searches for ActiveX controls, as described in Microsoft Security Bulletin MS10-031 and Microsoft Security Advisory KB974945.
Product Status
Reflection products listed in the Applies To section of this technical note contain ActiveX controls that are subject to this vulnerability.

If you have any Microsoft Office products installed and use Microsoft Update to keep your systems secure, the Microsoft patches as described in Microsoft Security Bulletin MS10-031 (http://www.microsoft.com/technet/security/bulletin/ms10-031.mspx) will automatically update the vulnerable VBE6.DLL file used by Reflection applications.

The patch for systems that are not updated automatically using Microsoft Update can be downloaded from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=436a8a66-352e-44d1-a610-c825083ad24a.
Additional Information
For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA10-131A.html.

Alert
Drawing Object Vulnerability CVE-2007-1747
Date Posted
October 2009
Summary
Reflection products with VBA features (Reflection 2008, Reflection 2007, and Reflection 14.x and earlier) include redistributable Microsoft VBA 6.4 files. There are reported vulnerabilities specific to how Microsoft Office uses these files. To resolve these vulnerabilities, Microsoft recommends applying an update to Microsoft Office.
Product Status
Attachmate Reflection products do not have this vulnerability.
Additional Information
For details, see Microsoft Security Bulletin MS07-025 at http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx.

Alert
US-CERT Technical Cyber Security Alert TA09-209A
Date Posted
28-July-2009
Summary
Vulnerabilities present in the Microsoft Active Template Library (ATL) can cause vulnerabilities in the resulting ActiveX controls and COM components, as described in Microsoft Security Bulletin MS09-035 and Microsoft Security Advisory 973882. Any ActiveX control or COM component that was created with a vulnerable version of the ATL may be vulnerable.
Product Status
Attachmate products listed in the Applies To section of this technical note contain the non-vulnerable ATL.
Be sure to apply all Microsoft ATL critical patches to your systems as described in Microsoft Security Bulletin MS09-035, http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx.
Additional Information
For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA09-209A.html.

Alert
US-CERT Vulnerability Note VU #419344
Date Posted
April 2007
Summary
An authenticated user may be able to execute arbitrary code on a host running kadmind. Successful exploitation can compromise the Kerberos key database and host security on the host running these programs. (kadmind and the KDC typically run as root.) Unsuccessful exploitation attempts will likely result in the affected program crashing. Third-party applications calling either the RPC library or the GSS-API library provided with MIT krb5 may be vulnerable.
Product Status
Attachmate products (including NetIQ products) are not vulnerable.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/419344.

Alert
US-CERT Vulnerability Note VU #704024
Date Posted
April 2007
Summary
A buffer overflow exists in the krb5_klog_syslog() function used by kadmind and the KDC. An authenticated user may be able to execute arbitrary code on a host running kadmind. An authenticated user may be able to execute arbitrary code on KDC host. Also, a user controlling a Kerberos realm sharing a key with the target realm may be able to execute arbitrary code on a KDC host. Successful exploitation can compromise the Kerberos key database and host security on the host running these programs. (kadmind and the KDC typically run as root.) Unsuccessful exploitation attempts will likely result in the affected program crashing. Third-party applications calling krb5_klog_syslog() may also be vulnerable.
Product Status
Attachmate products (including NetIQ products) are not vulnerable.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/704024.

Alert
US-CERT Vulnerability Note VU #220816
Date Posted
April 2007
Summary
A remotely-exploitable root vulnerability is present in an application which ships in the krb5 sources.
Product Status
Attachmate products (including NetIQ products) are not vulnerable.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/220816.

Alert
US-CERT Vulnerability Note VU #831452: Kerberos administration daemon may free uninitialized pointers
Date Posted
April 2007
Summary
An unauthenticated user may cause execution of arbitrary code in the Kerberos administration daemon, "kadmind", by causing it to free uninitialized pointers which should have been initialized by the GSS-API library. Compromise of the Kerberos key database may result. Third-party server applications written using the GSS-API library provided with MIT krb5 may also be vulnerable. Affected releases are krb5-1.5 through krb5-1.5.1.
Product Status
Attachmate products (including NetIQ products) are not vulnerable.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/831452.

Alert
US-CERT Vulnerability Note VU #845620: RSA Public Exponent 3
Date Posted
September 2006
Summary
Multiple RSA implementations fail to properly handle signatures. This applies to Secure Shell and SSL/TLS encrypted connections.
Product Status
For more information about how this vulnerability affects Reflection products, see Technical Note 2137.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/845620.

Alert
US-CERT Vulnerability Note VU#680620
Date Posted
July 14, 2005
Summary
Buffer overflow vulnerability in versions 1.2.1 and 1.2.2 of the zlib data compression library inflate() routine.
Product Status
The Reflection Secure Shell client uses zlib version 1.1.4, which is not subject to this vulnerability.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/680620.

Alert
Announcement of Successful Cryptanalytic Attack on SHA-1
Summary
Three Chinese cryptanalysts from Shandong University have recently documented a successful cryptanalytic attack on the SHA-1 algorithm.
Product Status
Reflection products primarily use SHA-1 to create HMACs (Keyed Hashing for Message Authentication), for verification of message integrity. According to Schneier, because hash collisions are not a prominent concern, this use of SHA-1 is not affected by the cryptanalytic attack.

In the next several versions of products that use the SHA-1 algorithm, all vendors, including Attachmate, will likely move to phase out the use of SHA-1 hashes in digital signatures and add support for SHA-256 and other stronger hashing algorithms.

Additional Information
Bruce Schneier, the author of "Applied Cryptography," discusses this announcement on his blog, Schneier on Security. For commentary on this topic, see Mr. Schneier's blog at http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html.

Alert
US-CERT Vulnerability Note VU#686862
Summary
MIT Kerberos 5 krb5_aname_to_localname() contains several heap overflows.
Product Status
The Reflection Kerberos Client is not subject to the krb5_aname_to_localname() vulnerabilities (VU#686862) because it contains client functionality only and does no mapping of principal name to username.
Additional Information
For details, see http://www.kb.cert.org/vuls/id/686862.

Alert
Microsoft VBA Security Update
Summary
Microsoft has identified a critical security issue with Visual Basic for Applications (VBA).
Product Status
For information about this issue, see Technical Note 1385.

Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Related Technical Notes
1385 Microsoft VBA Security Update and Reflection Products
1890 Reporting a Potential Security Vulnerability to Attachmate
2137 Attachmate Security Updates for US-CERT Vulnerability #845620: RSA Public Exponent 3
2200 Security and Your Operating Environment
2398 Attachmate Security Update for CSIRTUK Vulnerability #CPNI-957: Plaintext Recovery Attack Against SSH
2400 Attachmate Products with FIPS 140-2 Validated Crypto Modules
2505 Security Updates and Reflection X Advantage
2600 Java and Attachmate Products
