Security Updates 2016 and earlier - Extra!

  • 7021279
  • 25-Jun-2010
  • 02-Mar-2018

Environment

Extra! X-treme version 9.1 or higher

Situation

This technical note describes security issues related to Extra! X-treme. If you rely on the security features of this product, you should consult this technical note on a regular basis for any updated information regarding these features.

Resolution

This technical note applies to the following Extra! connections:

  • 9.3 SP1 or higher – Connections configured to use Security Type "TLS v1.2," "SSL v3.0," "TLS v1.0," or "FIPS 140-2."
  • 9.2 through 9.3 – Connections configured to use Security Type "Attachmate SSL v3.0," "Attachmate TLS v1.0," or "Attachmate FIPS 140-2."
  • 9.1 – Connections configured to "Use Attachmate Security" with "SSL/TLS" or "FIPS 140-2" selected as the Level of Encryption.

For information about FIPS 140-2, see KB 7021285.

Note: Extra! may have other security vulnerabilities not addressed in this note. For maximum protection against threats, we recommend that you upgrade Extra! to the most recent version, which has the latest security updates.

The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.

Note: This information is non-inclusive—it does not attempt to address all security issues that may affect your system.

IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see KB 7021969.

Alert
OpenSSL ASN.1 Implementation Security Vulnerability (CVE-2016-2108)
Date Posted
May 2016
Summary
Certain OpenSSL versions allow remote attackers to cause a denial of service (crash) by providing manipulated serialized data.
Product Status
This issue affects products using OpenSSL versions 1.0.1 through 1.0.2c and affects Extra! products using atmcypto.dll version 3.2.73.0.

This issue is addressed in version 9.3 and higher. Maintained customers can obtain the latest update on the Downloads website.
Additional Information
For vulnerability details, see the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2108
Alert
OpenSSL Null Pointer Dereference Vulnerability (CVE-2015-0289)
Date Posted
August 2015
Summary
Certain OpenSSL versions allow attackers to cause a denial of service (crash) by providing malformed PKCS#7 data.
Product Status
This issue affects Extra! versions 9.3.2636 (9.3.1.2636) and earlier.

This issue is resolved in version 9.3.2643 (9.3.1.2643) and higher. Update to Extra! Service Pack 3 Update 1 (9.3.2650 or 9.3.1.2650) or higher. Maintained customers can obtain the latest update on the Downloads website.
Additional Information
For vulnerability details, see the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0289
Alert
OpenSSL Buffer Overflow Vulnerability (CVE-2015-0292)
Date Posted
August 2015
Summary
Certain OpenSSL versions allow remote attackers to cause a denial of service (memory corruption) or possibly other impact by using crafted base64 data that triggers a buffer overflow.
Product Status
This issue affects Extra! versions 9.3.2636 (9.3.1.2636) and earlier.

This issue is resolved in version 9.3.2643 (9.3.1.2643) and higher. Update to Extra! Service Pack 3 Update 1 (9.3.2650 or 9.3.1.2650) or higher. Maintained customers can obtain the latest update on the Downloads website.
Additional Information
For vulnerability details, see the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0292
Alert
Diffie-Hellman Logjam Vulnerabilities (CVE-2015-4000)
Date Posted
August 2015
Summary
With TLS protocol 1.2, if the DHE_EXPORT ciphersuite is supported by the server, man-in-the-middle attackers can conduct cipher-downgrade attacks. Additionally, with any TLS or SSH connection that uses weaker DH groups (1024 bits or less) for key exchange, an attacker can passively eavesdrop and decrypt sessions.
Product Status
This issue affects Extra! versions 9.3.2636 (9.3.1.2636) and earlier.

This issue is addressed in version 9.3.2643 (9.3.1.2643) and higher. Update to Extra! Service Pack 3 Update 1 (9.3.2650 or 9.3.1.2650) or higher. Maintained customers can obtain the latest update on the Downloads website.

Export-grade ciphers are not supported at the default encryption strength, and DH Group Exchange is requested with the highest preference. However, to avoid this vulnerability:
  • Disable diffie-hellman-group1-sha1 in Key Exchange Algorithms.
  • Verify that your SSH server does not return a weak DH group when Group Exchange is requested.

Additional Information
For vulnerability details, see
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000
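The two mitigation steps above, as an added illustration that is not Attachmate's code: dropping diffie-hellman-group1-sha1 from a key-exchange preference list, and checking the modulus size of the group an SSH server returns to a group-exchange request (SSH_MSG_KEX_DH_GEX_GROUP, RFC 4419). The packet layout follows RFC 4251/4419; the sample moduli are constructed to have realistic bit lengths and are not real groups.

```python
"""Client-side checks for the Logjam (CVE-2015-4000) mitigations: remove the
fixed 1024-bit group1 method and refuse any server-chosen DH group of 1024 bits
or less. Added example; packet parsing per RFC 4251 (mpint) and RFC 4419."""
import struct

WEAK_KEX = {"diffie-hellman-group1-sha1"}   # fixed 1024-bit Oakley group 2
MIN_DH_BITS = 1025                          # the note: 1024 bits or less is weak


def harden_kex_list(algorithms):
    """Return the preference list without the weak fixed-group method, order kept."""
    return [a for a in algorithms if a not in WEAK_KEX]


def read_mpint(buf, offset):
    """Decode one SSH mpint (uint32 length, then big-endian two's-complement bytes)
    starting at offset; returns (value, offset after the mpint)."""
    (n,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    raw = buf[offset:offset + n]
    if len(raw) != n:
        raise ValueError("truncated mpint")
    return int.from_bytes(raw, "big", signed=True), offset + n


def parse_gex_group(payload):
    """Parse an SSH_MSG_KEX_DH_GEX_GROUP payload: byte 31, mpint p, mpint g."""
    if not payload or payload[0] != 31:
        raise ValueError("not SSH_MSG_KEX_DH_GEX_GROUP")
    p, off = read_mpint(payload, 1)
    g, off = read_mpint(payload, off)
    if off != len(payload):
        raise ValueError("trailing bytes in packet")
    return p, g


def encode_mpint(value):
    """Encode a non-negative integer as an SSH mpint (RFC 4251 requires a leading
    0x00 byte when the top bit of the first byte is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def group_is_acceptable(payload, min_bits=MIN_DH_BITS):
    """True only if the server-chosen modulus is strictly larger than 1024 bits."""
    p, _g = parse_gex_group(payload)
    return p.bit_length() >= min_bits


# Constructed sample moduli: sized like real groups, but NOT actual safe primes.
WEAK_P = (1 << 1023) | 1      # 1024-bit modulus, must be rejected
STRONG_P = (1 << 2047) | 1    # 2048-bit modulus, acceptable
weak_packet = b"\x1f" + encode_mpint(WEAK_P) + encode_mpint(2)
strong_packet = b"\x1f" + encode_mpint(STRONG_P) + encode_mpint(2)

if __name__ == "__main__":
    print(harden_kex_list(["diffie-hellman-group-exchange-sha256",
                           "diffie-hellman-group1-sha1",
                           "diffie-hellman-group14-sha1"]))
    print("weak group accepted:", group_is_acceptable(weak_packet))      # False
    print("strong group accepted:", group_is_acceptable(strong_packet))  # True
```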
Alert
OpenSSL Client RSA Silent Downgrade Vulnerability (CVE-2015-0204)
Date Posted
June 2015, Updated August 2015
Summary
Certain OpenSSL client versions accept the use of a weak temporary export-grade key in a non-export RSA ciphersuite key exchange, thus enabling RSA-to-EXPORT_RSA downgrade attacks. The weakened encryption facilitates brute-force decryption ("FREAK" attack).
Product Status
This issue affects Extra! versions 9.3.2629 (9.3.1.2629) and earlier.

This issue is resolved beginning in version 9.3.2636 (9.3.1.2636). Update to Extra! Service Pack 3 Update 1 (9.3.2650 or 9.3.1.2650) or higher. Maintained customers can obtain the latest update from the Downloads website.
Additional Information
For vulnerability details, see the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204
Alert
Stack Buffer Overflow Remote Code Execution Vulnerability in Reflection FTP Client (CVE-2014-5211, ZDI-CAN-2475)
Date Posted
January 2015, Updated August 2015
Summary
By sending a carefully crafted response, a malicious FTP server can cause a stack buffer overflow in the Reflection FTP Client.
Product Status
This issue affects Reflection FTP Client 14.1.429 or earlier (as identified in the FTP Client application Help > About dialog), provided to Extra! customers in Reflection FTP Client installer version 14.1.3.259 or earlier.

This issue is resolved beginning in Reflection FTP Client 14.1.433 (14.1.3.266) or higher. Reflection FTP Client 14.1 SP4 Update 1 (installer version 14.1.4.489; version 14.1.558 in Help > About after installation) is a separate download and installation released with Extra! 9.3 Service Pack 1 Update 1. Maintained customers can obtain the latest update from the Downloads website.
Additional Information
Attachmate would like to thank an anonymous researcher, working with HP's Zero Day Initiative, for the discovery and responsible reporting of this vulnerability.
For vulnerability details, see the National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5211
http://www.zerodayinitiative.com/advisories/ZDI-15-008
Alert
Multiple Remote Code Execution Vulnerabilities in Reflection FTP Client Through ActiveX Interface (CVE-2014-0603, CVE-2014-0604, CVE-2014-0605)
Date Posted
August 2014
Summary
By sending specially crafted requests to the Reflection FTP Client OLE Automation (COM/ActiveX) API to upload a file to a system-specific folder, an attacker could execute arbitrary code on the system.
Product Status
This issue affects Reflection FTP Client 14.1.420 or earlier (as identified in the FTP Client application Help > About dialog), provided to Extra! customers in Reflection FTP Client installer version 14.1.3.247 or earlier.

This issue is resolved beginning in Reflection FTP Client 14.1.429 (14.1.3.429) or higher. Upgrade to Extra! 9.3 SP1 (9.3.1.2612) or higher, which includes the updated Reflection FTP Client.
Additional Information
Attachmate would like to thank Andrea Micalizzi (rgod), working with HP's Zero Day Initiative, for the discovery and responsible reporting of these vulnerabilities.
For vulnerability details, see the National Vulnerability Database or Zero Day Initiative:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0603
http://www.zerodayinitiative.com/advisories/ZDI-14-288
http://www.zerodayinitiative.com/advisories/ZDI-14-291
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0604
http://www.zerodayinitiative.com/advisories/ZDI-14-289
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0605
http://www.zerodayinitiative.com/advisories/ZDI-14-290
Alert
OpenSSL "CCS Injection" Vulnerability CVE-2014-0224
Date Posted
August 2014
Summary
A vulnerability in OpenSSL could allow an attacker with a man-in-the-middle vantage point on the network to decrypt or modify traffic.
Product Status
This issue affects all versions of Extra! 9.3.1135 (9.3.0.1135) or earlier, including the Reflection FTP Client (14.1.3.254 or earlier) that is provided with Extra!.

This issue is resolved beginning in Extra! version 9.3.1140 (9.3.0.1140) and Reflection FTP Client version 14.1.3.259 or higher. Upgrade to Extra! 9.3 SP1 (9.3.1.2612) or higher, which also includes the updated Reflection FTP Client.
Additional Information
For details and the latest information on mitigations, see the following:
CERT-CC Vulnerability Note VU#978508:
http://www.kb.cert.org/vuls/id/978508
National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224
Alert
OpenSSL "Heartbleed" Vulnerability CVE-2014-0160
Date Posted
April 2014, Modified September 2014
Summary
A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
Product Status
This issue does not affect Extra! X-treme; however:

The Reflection FTP Client included with Extra! 9.3 is affected, but only when making TLS 1.2 connections to a malicious server. This issue has been resolved beginning in Reflection FTP Client 14.1 SP3 Update 1 (version 14.1.3.247). Upgrade to Extra! 9.3 SP1 (9.3.1.2612) or higher, which includes the updated Reflection FTP Client.

Extra! 6530 Client Option version 9.3 or earlier may be vulnerable (connecting to Tandem/HP NonStop hosts). This issue is resolved beginning in Extra! 6530 Client Option 9.3 SP1 (9.3.1.2612).

Additional Information
For details and the latest information on mitigations, see the following:
US-CERT Technical Alert:
https://www.us-cert.gov/ncas/alerts/TA14-098A
CERT-CC Vulnerability Note VU#720951:
http://www.kb.cert.org/vuls/id/720951
National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
Alert
OpenSSL ASN1 BIO Denial of Service Vulnerability CVE-2012-2110
Date Posted
June 2012, Modified June 2013
Summary
An ASN.1 input function does not properly interpret integer data, which allows local attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption), via crafted DER data, as demonstrated by an X.509 certificate.
Product Status
This issue is resolved in Extra! 9.2.2110 or higher. Upgrade to Extra! X-treme 9.3 or higher, available from the Download Library.
Additional Information
For details, see the National Vulnerability Database site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2110.
Alert
Vulnerability Summary for CVE-2013-0422
Date Posted
January 2013
Summary
Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected.

According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications.

Product Status
Extra! is not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html.
Alert
OpenSSL Block Cipher Padding Vulnerability CVE-2011-4576
Date Posted
March 2012
Summary
The SSL 3.0 implementation in the Attachmate SSL 3.0 client does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
Product Status
The issue is resolved beginning with Extra! 9.2 SP1.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4576.
Alert
Heap Overflow in Reflection FTP Client
Date Posted
March 2012
Summary
Reflection FTP Client is subject to a heap overflow that could result in remote code execution at the authenticated user's privilege level. The vulnerability requires a user to connect to a malicious FTP server and interact with a specially crafted file.
Product Status
This issue is resolved beginning with the Reflection FTP Client (14.1.183.0) included with Extra! 9.2 SP1.
Additional Information
Attachmate would like to thank Francis Provencher of Protek Research Labs for discovering and reporting the vulnerability.
Alert
FTP Client Directory Traversal Vulnerability CVE-2010-3096
Date Posted
February 2011
Summary
Numerous FTP clients have reported a directory traversal vulnerability that allows remote FTP servers to write arbitrary files via "..\" (dot dot backslash) sequences in a filename.
Product Status
Attachmate Extra! products are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3096.
Alert
MD2 signed certificate hash collision vulnerability CVE-2009-2409
Date Posted
February 2011
Summary
Hash collisions in MD2 and MD5 signed certificate signatures have been publicly demonstrated in controlled research laboratories, leading to potential user or server certificate spoofing attacks.
Product Status
Extra! products listed in the Applies To section of this technical note are subject to this vulnerability, although the computation time needed to generate such colliding certificates is still considered infeasibly large. Beginning in version 9.2, the use of MD2- or MD5-signed intermediate Certification Authority certificates is no longer allowed by default, but it can be enabled if needed for legacy certificate chain validation.
Additional Information
This issue is similar to the vulnerability described in CVE-2009-2409, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2409.
Alert
Null Truncation in X.509 Common Name Vulnerability CVE-2009-2408
Date Posted
February 2011
Summary
An attacker could obtain, from a legitimate Certificate Authority, an X.509 server certificate whose Subject Common Name field contains NULL (\0) characters; a client that truncates the name at the NULL could be led to accept it, allowing man-in-the-middle attacks that spoof legitimate servers.
Product Status
Extra! products listed in the Applies To section of this technical note are subject to this vulnerability. This issue is resolved in version 9.2 or higher: all attribute fields used to authenticate the host (namely, the Subject Common Name and SubjectAlternativeName fields) are checked for illegal (non-printable) characters, and the certificate is rejected if any are found.
Additional Information
This issue is similar to the vulnerability described in CVE-2009-2408, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2408.
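The two certificate checks described above for version 9.2 (rejecting MD2/MD5-signed intermediate CA certificates by default, and rejecting a Subject Common Name or SubjectAltName that contains NULL or other non-printable characters), as an added illustration that is not Extra!'s code. Certificates are modelled as plain dictionaries, the chain is assumed to be leaf-first without the trust anchor, and the sample names are constructed.

```python
"""Host-name and signature-hash policy checks of the kind the note describes for
Extra! 9.2. Hypothetical helper functions, not the product's implementation."""
import string

WEAK_SIG_HASHES = {"md2", "md5"}                       # disallowed by default from 9.2
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")  # visible ASCII plus space


def name_is_clean(name):
    """True only if every character is printable ASCII; rejects '\\0' and controls."""
    return all(ch in PRINTABLE for ch in name)


def truncating_hostname_match(cert_name, expected):
    """Models a C-string comparison that stops at the first NUL byte: the failure
    mode behind the CVE-2009-2408 class of bugs, shown only for contrast."""
    return cert_name.split("\0", 1)[0].lower() == expected.lower()


def hardened_hostname_match(cert_name, expected):
    """Reject names with illegal characters before comparing, so an embedded NUL
    can never shorten the comparison."""
    if not name_is_clean(cert_name):
        return False
    return cert_name.lower() == expected.lower()


def validate_chain(chain, expected_host, allow_weak_hashes=False):
    """Return the list of policy violations for a leaf-first chain (empty list =
    accepted). Each cert: {'subject_cn', 'sans', 'sig_hash', 'is_ca'}."""
    problems = []
    leaf = chain[0]
    names = [leaf["subject_cn"]] + list(leaf.get("sans", []))
    for n in names:
        if not name_is_clean(n):
            problems.append(f"illegal character in host name field: {n!r}")
    if not problems and not any(hardened_hostname_match(n, expected_host) for n in names):
        problems.append(f"no name matches expected host {expected_host!r}")
    for cert in chain[1:]:  # intermediates; the trust anchor is not in the chain
        if cert.get("is_ca") and cert["sig_hash"].lower() in WEAK_SIG_HASHES \
                and not allow_weak_hashes:
            problems.append(f"intermediate CA {cert['subject_cn']!r} signed with {cert['sig_hash']}")
    return problems


# Constructed sample certificates (fields only; no real certificates involved).
SPOOF_LEAF = {"subject_cn": "mainframe.example.com\x00.attacker.example", "sans": [],
              "sig_hash": "sha256", "is_ca": False}
GOOD_LEAF = {"subject_cn": "mainframe.example.com", "sans": ["tn3270.example.com"],
             "sig_hash": "sha256", "is_ca": False}
OLD_INTERMEDIATE = {"subject_cn": "Legacy Issuing CA", "sans": [], "sig_hash": "md5", "is_ca": True}
MODERN_INTERMEDIATE = {"subject_cn": "Issuing CA", "sans": [], "sig_hash": "sha256", "is_ca": True}

if __name__ == "__main__":
    host = "mainframe.example.com"
    print(truncating_hostname_match(SPOOF_LEAF["subject_cn"], host))   # True: truncation accepts it
    print(validate_chain([SPOOF_LEAF, MODERN_INTERMEDIATE], host))      # illegal character
    print(validate_chain([GOOD_LEAF, OLD_INTERMEDIATE], host))          # weak intermediate hash
    print(validate_chain([GOOD_LEAF, OLD_INTERMEDIATE], host, allow_weak_hashes=True))  # []
```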
Alert
OpenSSL cryptographic message syntax vulnerability CVE-2010-0742
Date Posted
June 2010
Summary
The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.
Product Status
Attachmate Extra! products are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0742.
Alert
OpenSSL RSA verification recovery vulnerability CVE-2010-1633
Date Posted
June 2010
Summary
RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors.
Product Status
Attachmate Extra! products are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1633.
Alert
US-CERT Technical Cyber Security Alert TA09-209A
Date Posted
28-July-2009
Summary
Vulnerabilities present in the Microsoft Active Template Library (ATL) can cause vulnerabilities in the resulting ActiveX controls and COM components, as described in Microsoft Security Bulletin MS09-035 and Microsoft Security Advisory 973882. Any ActiveX control or COM component that was created with a vulnerable version of the ATL may be vulnerable.
Product Status
After a review of the ActiveX controls in Extra!, we have determined that Extra! is not affected by these ATL vulnerabilities.

Be sure to apply all Microsoft ATL critical patches to your systems as described in Microsoft Security Bulletin MS09-035,
http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx.
Additional Information
For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA09-209A.html.
Alert
US-CERT Vulnerability Note VU #845620: RSA Public Exponent 3
Date Posted
September 2006
Summary
Multiple RSA implementations fail to properly handle signatures. This applies to Secure Shell and SSL/TLS encrypted connections.
Product Status
For more information about how this vulnerability affects Attachmate products, see KB 7021933.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/845620.
Alert
Announcement of Successful Cryptanalytic Attack on SHA-1
Summary
Three Chinese cryptanalysts from Shandong University have recently documented a successful cryptanalytic attack on the SHA-1 algorithm.
Product Status
Extra! products primarily use SHA-1 to create HMACs (Keyed Hashing for Message Authentication), for verification of message integrity. According to Schneier, because hash collisions are not a prominent concern, this use of SHA-1 is not affected by the cryptanalytic attack. (For further details, read the blog posting at http://www.schneier.com/blog/archives/2005/02/sha1_broken.html.)

In the next several versions of products that use the SHA-1 algorithm, all vendors, including Attachmate, will likely phase out the use of SHA-1 hashes in digital signatures and add support for SHA-256 and other stronger hashing algorithms.

Additional Information
Bruce Schneier, the author of "Applied Cryptography," discusses this announcement on his blog, Schneier on Security. For commentary on this topic, see Mr. Schneier's blog at http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html.

Alert
Security Alert
Additional Information
Effective January 2018, see Security Alerts - Extra! for updated alerts and advisories.

Other Useful Resources

Java and Extra! X-treme

Extra! X-treme does not use Java except in the following instance: if you have also purchased Reflection Security Gateway and use the Administrative WebStation to deploy Extra! 9.3 or higher sessions, a browser with a Java plug-in is required to launch those sessions. It is therefore important for you to stay current with Java as Oracle releases updates that may affect your environment.

For more information about Java and Extra!, see KB 7021973.

Legal Notice

This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Legacy KB ID

This document was originally published as Attachmate Technical Note 2501.