Environment
Reflection for UNIX and OpenVMS version 14.x
Reflection for ReGIS Graphics version 14.x
Reflection for IBM version 14.x
Reflection X version 14.x
Situation
This technical note describes security issues related to the Reflection products listed in the Applies To section. If you rely on the security features of these products, you should consult this technical note on a regular basis for any updated information regarding these features.
Resolution
Other Useful Resources
- Operating system, host, and network effects on overall security: KB 7021969.
- Report a potential security vulnerability in an Attachmate product to Attachmate: https://www.microfocus.com/security.
- Check on the product support lifecycle status of your Attachmate software: https://support.microfocus.com/programs/lifecycle/.
- Review security updates for other Attachmate products: https://support.microfocus.com/security/.
- Information about Attachmate products and FIPS 140-2: KB 7021285.
Java and Reflection
Reflection 14.x products do not use Java except in the following instance: if you have also purchased Reflection Administrator, Reflection Security Gateway, or Reflection for the Web in addition to Reflection 14.x, and use the Administrative WebStation to deploy sessions, a browser with a Java plug-in is required to launch those sessions. It is therefore important for you to stay current with Java as Oracle releases updates that may affect your environment.
For more information about Java and Reflection, see KB 7021973.
Security Alerts and Advisories
The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.
Note: This information is non-inclusive—it does not attempt to address all security issues that may affect your system.
IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see KB 7021969.
Alert | Multiple X.Org BDF Font Parser Vulnerabilities (CVE-2015-1802, CVE-2015-1803, CVE-2015-1804) |
Date Posted | August 2015 |
Summary | The bdfReadProperties and bdfReadCharacters functions in bitmap/bdfread.c in X.Org libXfont allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a crafted BDF font file or font properties. |
Product Status | These issues are addressed in Reflection X in version 14.1.4.457 (14.1.4457) or higher. Maintained customers can obtain the latest update on the Downloads website. |
Additional Information | For details, see the National Vulnerability Database site: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1802 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1803 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1804 |
Alert | X.Org XkbSetGeometry Information Leak (CVE-2015-0255) |
Date Posted | February 2015, Updated August 2015 |
Summary | The X server allows remote attackers to obtain sensitive information from process memory or cause a denial of service (crash) via a crafted string length value in a XkbSetGeometry request. |
Product Status | This is addressed in Reflection X in version 14.1.4.443 (14.1.4443) or higher. Maintained customers can obtain the latest update on the Downloads website. |
Additional Information | For vulnerability details, see the X.Org Foundation or the National Vulnerability Database: http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0255. |
Alert | Diffie-Hellman Logjam Vulnerabilities (CVE-2015-4000) |
Date Posted | August 2015 |
Summary | With TLS 1.2, if the server supports a DHE_EXPORT ciphersuite, man-in-the-middle attackers can conduct cipher-downgrade attacks. Additionally, with any TLS or SSH connection that uses weaker DH groups (1024 bits or less) for key exchange, an attacker can passively eavesdrop and decrypt sessions. |
Product Status | This issue is addressed in version 14.1.4.476 (14.1.4476) or higher. Maintained customers can obtain the latest update from the Downloads website. Export-grade ciphers are not supported with default encryption strength, and DH Group Exchange is requested with the highest preference. However, to avoid this vulnerability: * Disable diffie-hellman-group1-sha1 in Key Exchange Algorithms. * Verify your SSH server does not return a weak DH Group when Group Exchange is requested. |
Additional Information | For vulnerability details, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000 |
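The second mitigation above ("verify your SSH server does not return a weak DH group when Group Exchange is requested") can be checked directly from the server's reply. The following is an added example, not Reflection's own code: it decodes the payload of an SSH_MSG_KEX_DH_GEX_GROUP message (RFC 4419: message byte, mpint p, mpint g) and reports the modulus size, flagging groups of 1024 bits or less. The sample messages are constructed in the script (their moduli are not real safe primes; they only exercise the size check), and the 2048-bit policy threshold is an assumption of the example.

```python
"""Check the Diffie-Hellman group an SSH server returns for group exchange.

Added example, not Reflection's own code. It decodes the payload of an
SSH_MSG_KEX_DH_GEX_GROUP message (RFC 4419: byte type, mpint p, mpint g)
and flags moduli of 1024 bits or less, the weak groups the Logjam advisory
warns about. The sample messages below are constructed, not captured.
"""
import struct

SSH_MSG_KEX_DH_GEX_GROUP = 31          # message number from RFC 4419
MIN_SAFE_MODULUS_BITS = 2048           # assumption: policy threshold for this check


def encode_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5)."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                  # keep the number positive in two's complement
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def decode_mpint(buf: bytes, offset: int) -> tuple[int, int]:
    """Decode one mpint at offset; return (value, offset after the field)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated mpint length")
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if offset + length > len(buf):
        raise ValueError("truncated mpint body")
    body = buf[offset:offset + length]
    if body and body[0] & 0x80:
        raise ValueError("negative mpint where a DH parameter was expected")
    return int.from_bytes(body, "big"), offset + length


def parse_gex_group(payload: bytes) -> tuple[int, int]:
    """Return (p, g) from an SSH_MSG_KEX_DH_GEX_GROUP payload."""
    if not payload or payload[0] != SSH_MSG_KEX_DH_GEX_GROUP:
        raise ValueError("not an SSH_MSG_KEX_DH_GEX_GROUP payload")
    p, off = decode_mpint(payload, 1)
    g, off = decode_mpint(payload, off)
    if off != len(payload):
        raise ValueError("trailing bytes after g")
    return p, g


def assess_group(payload: bytes) -> dict:
    """Decode the server's group and report whether its modulus meets policy."""
    p, g = parse_gex_group(payload)
    bits = p.bit_length()
    return {
        "modulus_bits": bits,
        "generator": g,
        "weak": bits <= 1024,                       # the Logjam threshold
        "meets_policy": bits >= MIN_SAFE_MODULUS_BITS,
    }


def build_sample_group(modulus_bits: int) -> bytes:
    """Construct a sample message with an odd modulus of exactly modulus_bits bits.

    The modulus is NOT a real safe prime; it only exercises the size check.
    """
    p = (1 << (modulus_bits - 1)) | 1
    return bytes([SSH_MSG_KEX_DH_GEX_GROUP]) + encode_mpint(p) + encode_mpint(2)


if __name__ == "__main__":
    for bits in (1024, 2048):
        report = assess_group(build_sample_group(bits))
        print(f"{bits}-bit group: {report}")
```

In practice the payload would come from a packet capture or a debug trace of the key exchange; the size check is the same either way, and a server that answers a group-exchange request with a 1024-bit modulus should be reconfigured before the client-side hardening above is relied on.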
Alert | OpenSSL Null Pointer Dereference Vulnerability (CVE-2015-0289) |
Date Posted | June 2015 |
Summary | Certain OpenSSL versions allow attackers to cause a denial of service (crash) by providing malformed PKCS#7 data. |
Product Status | This issue affects Reflection versions 14.1.4.459 and earlier (identified as version 14.1.4459 and earlier in Control Panel > Programs). This issue is resolved in versions 14.1.4.476 (14.1.4476) and higher. Maintained customers can obtain the latest update on the Downloads website. |
Additional Information | For vulnerability details, see the National Vulnerability Database: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0289 |
Alert | OpenSSL Buffer Overflow Vulnerability (CVE-2015-0292) |
Date Posted | June 2015 |
Summary | Certain OpenSSL versions allow remote attackers to cause a denial of service (memory corruption) or possibly other impact by using crafted base64 data that triggers a buffer overflow. |
Product Status | This issue affects Reflection versions 14.1.4.459 and earlier (identified as version 14.1.4459 and earlier in Control Panel > Programs). This issue is resolved in versions 14.1.4.476 (14.1.4476) and higher. Maintained customers can obtain the latest update on the Downloads website. |
Additional Information | For vulnerability details, see the National Vulnerability Database: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0292 |
Alert | OpenSSL Client RSA Silent Downgrade Vulnerability (CVE-2015-0204) |
Date Posted | June 2015 |
Summary | Certain OpenSSL client versions accept the use of a weak temporary export-grade key in a non-export RSA ciphersuite key exchange, thus enabling RSA-to-EXPORT_RSA downgrade attacks. The weakened encryption facilitates brute-force decryption ("FREAK" attack). |
Product Status | This issue affects Reflection versions 14.1.4.443 and earlier (identified as version 14.1.4443 and earlier in Control Panel > Programs). This issue is resolved in versions 14.1.4.457 (14.1.4457) and higher. Maintained customers can obtain the latest update on the Downloads website. |
Additional Information | For vulnerability details, see the National Vulnerability Database: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 |
Alert | Stack Buffer Overflow Remote Code Execution Vulnerability in Reflection FTP Client (CVE-2014-5211, ZDI-CAN-2475) |
Date Posted | January 2015 |
Summary | By sending a carefully crafted response, a malicious FTP server can cause a stack buffer overflow in the Reflection FTP Client. |
Product Status | This issue affects all versions of Reflection FTP Client 14.1.429 or earlier (identified as "14.1.429 SP3" or earlier in the FTP Client application Help > About dialog), provided in product versions 14.1.3.259 or earlier (identified as version 14.1.3259 or earlier in Control Panel > Programs). This issue is resolved beginning in Reflection FTP Client 14.1.433 provided in hotfix version 14.1.3.266 or higher (identified as version 14.1.3266 or higher in Control Panel after installation). Upgrade to Reflection 14.1 SP4 or higher, available from Attachmate Downloads. |
Additional Information | Attachmate would like to thank an anonymous researcher, working with HP's Zero Day Initiative, for the discovery and responsible reporting of this vulnerability. For vulnerability details, see the National Vulnerability Database or Zero Day Initiative: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5211 http://www.zerodayinitiative.com/advisories/ZDI-15-008. |
Alert | Multiple Remote Code Execution Vulnerabilities in Reflection FTP Client Through ActiveX Interface (CVE-2014-0603, CVE-2014-0604, CVE-2014-0605) |
Date Posted | August 2014 |
Summary | By sending specially crafted requests to the Reflection FTP Client OLE Automation (COM/ActiveX) API to upload a file to a system specific folder, it is possible for an attacker to execute arbitrary code on the system. |
Product Status | This issue affects all versions of Reflection FTP Client 14.1.420.0 or earlier (identified as "14.1.420 SP3" or earlier in the FTP Client application Help > About dialog), provided in product versions 14.1.3.247 or earlier (identified as version 14.1.3247 or earlier in Control Panel > Programs). This issue is resolved beginning in Reflection FTP Client 14.1.429.0 provided in hotfix version 14.1.3.259 or higher (identified as version 14.1.3259 or higher in Control Panel after installation). Upgrade to Reflection 14.1 SP4 or higher, available from Attachmate Downloads. |
Additional Information | Attachmate would like to thank Andrea Micalizzi (rgod), working with HP's Zero Day Initiative, for the discovery and responsible reporting of these vulnerabilities. For vulnerability details, see the National Vulnerability Database or Zero Day Initiative: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0603 http://www.zerodayinitiative.com/advisories/ZDI-14-288 http://www.zerodayinitiative.com/advisories/ZDI-14-291 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0604 http://www.zerodayinitiative.com/advisories/ZDI-14-289 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0605 http://www.zerodayinitiative.com/advisories/ZDI-14-290 |
Alert | OpenSSL "CCS Injection" Vulnerability CVE-2014-0224 |
Date Posted | August 2014 |
Summary | A vulnerability in OpenSSL could allow an attacker with a man-in-the-middle vantage point on the network to decrypt or modify traffic. |
Product Status | This issue affects all versions 14.1.3.254 or earlier (identified as version 14.1.3254 or earlier in Control Panel). This issue is resolved beginning in version 14.1.3.259 (identified as version 14.1.3259 or higher in Control Panel). Upgrade to Reflection 14.1 SP4 or higher, available from Attachmate Downloads. |
Additional Information | For details and the latest information on mitigations, see the following: CERT-CC Vulnerability Note VU#978508: http://www.kb.cert.org/vuls/id/978508 National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 |
Alert | Stack buffer overflow in parsing of BDF font files in libXfont CVE-2013-6462 |
Date Posted | May 2014 |
Summary | Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont 1.1 through 1.4.6 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string in a character name in a BDF font file. |
Product Status | For Reflection X included in Reflection X 2011 R3 and Reflection Suite for X 2011: This issue is resolved beginning in version 15.5.220 (Reflection X Help > About: 14.1.3 build 680). To obtain the hotfix, contact Attachmate Technical Support. For Reflection X included with Reflection X 2014 and Reflection Pro 2014: This issue is resolved beginning in version 15.6.660 (Reflection X Help > About: 14.1.3 build 680). Upgrade to R1 Update 1 or higher, available from Attachmate Downloads. For Reflection X version 14.1 SP3 and earlier: This issue is resolved beginning in version 14.1.236 (Reflection X Help > About: 14.1.3 build 680). Upgrade to Reflection 14.1 SP3 Update 1 or higher, available from Attachmate Downloads. This issue does not affect other Reflection 14.x products. |
Additional Information | For details, see the National Vulnerability Database site at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6462. |
Alert | Integer underflow in the xTrapezoidValid macro CVE-2013-6424 |
Date Posted | May 2014 |
Summary | Integer underflow in the xTrapezoidValid macro in render/picture.h in X.Org allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value. |
Product Status | For Reflection X included in Reflection X 2011 R3 and Reflection Suite for X 2011: This issue is resolved beginning in version 15.5.220 (Reflection X Help > About: 14.1.3 build 680). To obtain the hotfix, contact Attachmate Technical Support. For Reflection X included with Reflection X 2014 and Reflection Pro 2014: This issue is resolved beginning in version 15.6.660 (Reflection X Help > About: 14.1.3 build 680). Upgrade to R1 Update 1 or higher, available from Attachmate Downloads. For Reflection X version 14.1 SP3 and earlier: This issue is resolved beginning in version 14.1.3.236 (Reflection X Help > About: 14.1.3 build 680). Upgrade to Reflection 14.1 SP3 Update 1 or higher, available from Attachmate Downloads. This issue does not affect other Reflection 14.x products. |
Additional Information | For details, see the National Vulnerability Database site at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6424. |
Alert | Use-after-free flaw when handling ImageText requests CVE-2013-4396 |
Date Posted | May 2014 |
Summary | A flaw in handling ImageText requests allows remote authorized clients to cause a denial of service (crash the X server) or possibly execute arbitrary code with root privileges via a crafted ImageText request that triggers memory-allocation failure. |
Product Status | For Reflection X included in Reflection X 2011 R3 and Reflection Suite for X 2011: This issue is resolved beginning in version 15.5.220 (Reflection X Help > About: 14.1.3 build 680). To obtain the hotfix, contact Attachmate Technical Support. For Reflection X included with Reflection X 2014 and Reflection Pro 2014: This issue is resolved beginning in version 15.6.660 (Reflection X Help > About: 14.1.3 build 680). Upgrade to R1 Update 1 or higher, available from Attachmate Downloads. For Reflection X version 14.1 SP3 and earlier: This issue is resolved beginning in version 14.1.236 (Reflection X Help > About: 14.1.3 build 680). Upgrade to Reflection 14.1 SP3 Update 1 or higher, available from Attachmate Downloads. This issue does not affect other Reflection 14.x products. |
Additional Information | For details, see the National Vulnerability Database site at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4396. |
Alert | OpenSSL "Heartbleed" Vulnerability CVE-2014-0160 |
Date Posted | April 2014 |
Summary | A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension. |
Product Status | This issue affects Reflection 14.1 SP3 TLS 1.2 connections for 3270/5250/VT and FTP. The default Reflection 14.1 SP3 TLS 1.0 connections are not subject to this vulnerability because Attachmate TLS 1.0 connections use a non-vulnerable OpenSSL version. Earlier versions of Reflection 14.x products are not subject to this vulnerability. This issue is resolved beginning in Reflection 14.1 SP3 Update 1 (version 14.1.3.247), available from Attachmate Downloads. |
Additional Information | For details and the latest information on mitigations, see the following: US-CERT Technical Alert: https://www.us-cert.gov/ncas/alerts/TA14-098A CERT-CC Vulnerability Note VU#720951: http://www.kb.cert.org/vuls/id/720951 National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 |
Alert | OpenSSL MAC Denial of Service CVE-2013-4353 |
Date Posted | April 2014 |
Summary | The ssl3_take_mac function allows remote TLS servers to cause a denial of service via a crafted TLS handshake. This update includes updated OpenSSL libraries that resolve this issue. |
Product Status | This issue affects Reflection 14.1 SP3 TLS 1.2 connections for 3270/5250/VT and FTP. The default Reflection 14.1 SP3 TLS 1.0 connections are not subject to this vulnerability because Attachmate TLS 1.0 connections use a non-vulnerable OpenSSL version. Earlier versions of Reflection 14.x products are not subject to this vulnerability. This issue is resolved beginning in Reflection 14.1 SP3 Update 1, available from Attachmate Downloads. |
Additional Information | For details, see the National Vulnerability Database site at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 |
Alert | OpenSSL ASN1 BIO Denial of Service Vulnerability CVE-2012-2110 |
Date Posted | May 2013 - Modified October 2012 - Modified June 2012 |
Summary | An ASN.1 input function does not properly interpret integer data, which allows local attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption), via crafted DER data, as demonstrated by an X.509 certificate. |
Product Status | For Reflection X included in Reflection X 2011 R3 and Reflection Suite for X 2011 R3: This issue is resolved beginning in version 14.1.470. For other Reflection X and Reflection products, version 14.1 SP2: This issue is resolved in version 14.1.2208 or higher. Upgrade to Reflection 14.1 SP3 or higher, available from Attachmate Downloads. |
Additional Information | For details, see the National Vulnerability Database site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2110. |
Alert | Vulnerability Summary for CVE-2013-0422 |
Date Posted | January 2013 |
Summary | Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected. According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications. |
Product Status | Reflection 14.x products are not subject to this vulnerability; however, Reflection sessions configured using the Administrative WebStation (included in Reflection Administrator, Reflection Security Gateway, and Reflection for the Web, sold separately from Reflection) require that Reflection be launched from a browser with a Java plug-in enabled. It is this JRE plug-in and Java Web Start that can be exploited, not Reflection. To launch sessions using the login/links page and minimize the risk described in this vulnerability, refer to the latest information provided by Oracle and install a version of Java that addresses this vulnerability. |
Additional Information | For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html. |
Alert | Vulnerability Summary for CVE-2012-2118 |
Date Posted | June 2012 |
Summary | Format string vulnerability in the LogVHdrMessageVerb function in os/log.c in X.Org X11 1.11 allows attackers to cause a denial of service or possibly execute arbitrary code via format string specifiers in an input device name. |
Product Status | Reflection X is not subject to this vulnerability. Other Reflection 14.x products are not affected by this issue. |
Additional Information | For details, see the National Vulnerability Database site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2118. |
Alert | xrdb Vulnerability CVE-2011-0465 |
Date Posted | April 2012 |
Summary | xrdb.c in xrdb before 1.0.9 in X.Org X11R7.6 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a (1) DHCP or (2) XDMCP message. |
Product Status | This issue is resolved beginning in Reflection X 14.1 SP2. Other Reflection 14.x products are not affected by this issue. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0465. |
Alert | OpenSSL Block Cipher Padding Vulnerability CVE-2011-4576 |
Date Posted | June 2012 – Modified February 2012 |
Summary | The SSL 3.0 implementation in the Reflection SSL client does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer. |
Product Status | This issue is resolved in version 14.0.7228 and in version 14.1.1220 or higher. Upgrade to Reflection 14.1 SP2 or higher. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4576. |
Alert | Heap Overflow in Reflection FTP Client |
Date Posted | June 2012 - Modified November 2011 |
Summary | Reflection FTP Client is subject to a heap overflow that could result in remote code execution at the authenticated user's privilege level. The vulnerability requires a user to connect to a malicious FTP server and interact with a specially crafted file. |
Product Status | The Reflection FTP Client included with Reflection 14.1 Service Pack 1 (14.1.1173) or earlier versions is subject to this vulnerability. This issue is resolved in version 14.0.7228 and in version 14.1.1206 or higher. Upgrade to Reflection 14.1 SP2 or higher. |
Additional Information | Attachmate would like to thank Francis Provencher of Protek Research Labs for discovering and reporting the vulnerability. |
Alert | Vulnerabilities in Microsoft Office Could Allow Remote Code Execution CVE-2011-0977 |
Date Posted | November 2011 |
Summary | Reflection products with VBA features (Reflection 14.x and earlier) include redistributable Microsoft VBA 6.4 files. There are reported vulnerabilities specific to how Microsoft Office uses these files. To resolve these vulnerabilities, Microsoft recommends applying an update to Microsoft Office. |
Product Status | Reflection products do not have this vulnerability. |
Additional Information | For details, see Microsoft Security Bulletin MS11-023 at http://www.microsoft.com/technet/security/bulletin/ms11-023.mspx. |
Alert | Untrusted Search Path Vulnerability CVE-2011-0107 |
Date Posted | November 2011 |
Summary | Untrusted search path vulnerability in Reflection for UNIX and OpenVMS, Reflection for HP, Reflection for ReGIS Graphics, and Reflection X allows local users to gain privileges via a Trojan horse .DLL in the current working directory with several registered file types. This is similar to the untrusted search path vulnerability described in CVE-2011-0107 in Microsoft Office XP SP3, Office 2003 SP3, and Office 2007 SP2 that allows local users to gain privileges via a Trojan horse .DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Office Component Insecure Library Loading Vulnerability." |
Product Status | This issue has been fixed beginning in Reflection 14.1 SP1. Reflection for IBM is not subject to this vulnerability. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0107. |
Alert | Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution CVE-2010-3190 |
Date Posted | November 2011 |
Summary | Untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1, and 2010; and Visual C++ 2005 SP1, 2008 SP1, and 2010 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application such as AtlTraceTool8.exe (aka ATL MFC Trace Tool), as demonstrated by a directory that contains a TRC, cur, rs, rct, or res file, aka "MFC Insecure Library Loading Vulnerability." |
Product Status | Reflection 14.x products ship with these MFC redistributables. Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service. |
Additional Information | For details, see Microsoft Security Bulletin MS11-025 at http://www.microsoft.com/technet/security/bulletin/ms11-025.mspx. |
Alert | FTP Client Directory Traversal Vulnerability CVE-2010-3096 |
Date Posted | December 2010 |
Summary | Numerous FTP clients have reported a directory traversal vulnerability that allows remote FTP servers to write arbitrary files via "..\" (dot dot backslash) sequences in a filename. |
Product Status | Attachmate Reflection products are not subject to this vulnerability. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3096. |
Alert | OpenSSL cryptographic message syntax vulnerability CVE-2010-0742 |
Date Posted | June 2010 |
Summary | The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors. |
Product Status | Attachmate Reflection products are not subject to this vulnerability. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0742. |
Alert | OpenSSL RSA verification recovery vulnerability CVE-2010-1633 |
Date Posted | June 2010 |
Summary | RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors. |
Product Status | Attachmate Reflection products are not subject to this vulnerability. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1633. |
Alert | MD2 signed certificate hash collision vulnerability CVE-2009-2409 |
Date Posted | June 2010 |
Summary | Hash collisions in MD2 and MD5 signed certificate signatures have been publicly demonstrated in controlled research laboratories, leading to potential user or server certificate spoofing attacks. |
Product Status | Reflection products listed in the Applies To section of this technical note are subject to this vulnerability, although the computation time to generate these certificates is still considered unfeasibly large. Beginning in version 14.1 use of MD2 or MD5 signed intermediate Certification Authority certificates is no longer allowed by default, but can be configured if needed for legacy certificate chain validation. |
Additional Information | This issue is similar to the vulnerability described in CVE-2009-2409, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2409. |
Alert | Null Truncation in X.509 Common Name Vulnerability CVE-2009-2408 |
Date Posted | June 2010 |
Summary | Attackers could acquire a server certificate containing NULL (\0) characters in the Subject's Common Name field of an x.509 certificate issued by a legitimate Certificate Authority that could allow man-in-the-middle attacks that spoof legitimate servers. |
Product Status | Reflection products listed in the Applies To section of this technical note are subject to this vulnerability. Beginning in version 14.1 all attribute fields used to authenticate the host (namely, the Subject Common Name and SubjectAlternativeName fields) are checked for illegal (non-printable) characters, and the certificate is rejected if any are found. |
Additional Information | This issue is similar to the vulnerability described in CVE-2009-2408, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2408. |
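The Product Status entry above describes the check that closes this class of issue: every attribute field used to authenticate the host is screened for non-printable characters before the name is compared. The following is an added example, not Reflection's own code. It contrasts a name comparison that stops at the first NUL byte (the behaviour that made NUL-in-CN certificates dangerous) with a validator that screens the Subject Common Name and each DNS SubjectAlternativeName first and rejects the certificate when any illegal character is found. The certificate records are constructed dictionaries standing in for parsed certificates, and the matching rule is a deliberately simple exact, case-insensitive comparison with no wildcard handling.

```python
"""Reject host names in certificates that contain NUL or other non-printable characters.

Added example, not Reflection's own code. The certificate records below are
constructed dictionaries, not real certificates; the host names are sample values.
"""


class CertificateRejected(ValueError):
    """Raised when a certificate fails the host-name validation policy."""


def has_non_printable(name: str) -> bool:
    """True if the name contains NUL, control characters or other non-printable code points."""
    return any(not ch.isprintable() for ch in name)


def host_names_from_cert(cert: dict) -> list[str]:
    """Collect the attribute fields used to authenticate the host: Subject CN plus DNS SANs."""
    names = []
    cn = cert.get("subject", {}).get("CN")
    if cn is not None:
        names.append(cn)
    names.extend(cert.get("subjectAltName", {}).get("DNS", []))
    return names


def truncating_match(cert_name: str, expected_host: str) -> bool:
    """Emulates a C-style comparison that treats the first NUL as the end of the string."""
    visible = cert_name.split("\x00", 1)[0]
    return visible.lower() == expected_host.lower()


def strict_match(cert_name: str, expected_host: str) -> bool:
    """Full-length, case-insensitive comparison; no wildcard handling (kept deliberately simple)."""
    return cert_name.lower() == expected_host.lower()


def validate_host(cert: dict, expected_host: str) -> str:
    """Policy from the advisory: screen every host-name field first, then match.

    Returns the matching name; raises CertificateRejected otherwise.
    """
    names = host_names_from_cert(cert)
    if not names:
        raise CertificateRejected("certificate carries no host name fields")
    for name in names:
        if has_non_printable(name):
            raise CertificateRejected(f"illegal characters in host name field: {name!r}")
    for name in names:
        if strict_match(name, expected_host):
            return name
    raise CertificateRejected(f"no host name field matches {expected_host!r}")


# Constructed sample: a certificate issued for a name that embeds a NUL byte
# after the legitimate host name. With a truncating comparison it looks like
# a certificate for mail.example.com.
SPOOFED_CERT = {
    "subject": {"CN": "mail.example.com\x00.attacker-controlled.test"},
    "subjectAltName": {"DNS": ["mail.example.com\x00.attacker-controlled.test"]},
}
# Constructed sample: a well-formed certificate with one CN and two DNS SANs.
GOOD_CERT = {
    "subject": {"CN": "mail.example.com"},
    "subjectAltName": {"DNS": ["mail.example.com", "webmail.example.com"]},
}


def demo() -> dict:
    """Show the truncating comparison accepting the spoof while the policy rejects it."""
    results = {
        "truncating_accepts_spoof": truncating_match(SPOOFED_CERT["subject"]["CN"], "mail.example.com")
    }
    try:
        validate_host(SPOOFED_CERT, "mail.example.com")
        results["policy_accepts_spoof"] = True
    except CertificateRejected:
        results["policy_accepts_spoof"] = False
    results["policy_accepts_good"] = validate_host(GOOD_CERT, "webmail.example.com")
    return results


if __name__ == "__main__":
    print(demo())
```

Screening runs over every host-name field, not only the one that eventually matches, so a certificate that carries a clean CN alongside a malformed SAN is still rejected; that mirrors the advisory's wording that the certificate is rejected if illegal characters are found in any of the fields used for host authentication.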
Alert | Vulnerability Advisory CPNI-957037 |
Date Posted | June 2010 - Modified October 2008 |
Summary | A design flaw in the SSH protocol use of block ciphers in cipher block chaining mode could allow an attacker to recover up to four bytes of plaintext. Although the severity of the attack is considered high, the likelihood of a successful attack is considered low and results in terminating the user’s SSH connection. |
Product Status | Reflection 14.1 products continue to offer AES counter-mode ciphers, and now also prevent premature disconnection during password or keyboard-interactive authentication. For more information about how this vulnerability affects Attachmate products, see KB 7022040. |
Additional Information | For details, see the US-CERT web site at http://www.kb.cert.org/vuls/id/958563. |
Alert | Reflection ActiveX Control 'ControlID' Buffer Overflow Vulnerability |
Date Posted | June 2010 |
Summary | The ActiveX controls in Reflection for UNIX and OpenVMS, Reflection ReGIS Graphics, and Reflection for HP are subject to a buffer-overflow vulnerability. Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts may result in denial-of-service conditions. |
Product Status | Reflection products listed in the Applies To section of this technical note are subject to this vulnerability. This issue has been fixed beginning in version 14.1. |
Additional Information | Attachmate is aware of exploit scripts posted to known hacker web sites, but a US-CERT vulnerability notice is not yet available. |
Alert | Vulnerability Summary for CVE-2007-6428 |
Date Posted | June 2010 |
Summary | The ProcGetReservedColormapEntries function in the TOG-CUP extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to read the contents of arbitrary memory locations using a request containing a 32-bit value that is improperly used as an array index. |
Product Status | Issue has been fixed in Reflection X 14.1. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6428. |
Alert | Vulnerability Summary for CVE-2007-6429 |
Date Posted | June 2010 |
Summary | Multiple integer overflows in X.Org Xserver before 1.4.1 allow context-dependent attackers to execute arbitrary code using (1) a GetVisualInfo request containing a 32-bit value that is improperly used to calculate an amount of memory for allocation by the EVI extension, or (2) a request containing values related to pixmap size that are improperly used in management of shared memory by the MIT-SHM extension. |
Product Status | Issue has been fixed in Reflection X 14.1. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6429. |
Alert | Vulnerability Summary for CVE-2008-0006 |
Date Posted | June 2010 |
Summary | Buffer overflow in (1) X.Org Xserver before 1.4.1, and (2) the libfont and libXfont libraries on some platforms including Sun Solaris, allows context-dependent attackers to execute arbitrary code using a PCF font with a large difference between the last col and first col values in the PCF_BDF_ENCODINGS table. |
Product Status | Issue has been fixed in Reflection X 14.1. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0006. |
Alert | Vulnerability Summary for CVE-2008-1377 |
Date Posted | June 2010 |
Summary | The (1) SProcRecordCreateContext and (2) SProcRecordRegisterClients functions in the Record extension and the (3) SProcSecurityGenerateAuthorization function in the Security extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code through requests with crafted length values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption. |
Product Status | Issue has been fixed in Reflection X 14.1. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1377. |
Alert | Vulnerability Summary for CVE-2008-2360 |
Date Posted | June 2010 |
Summary | Integer overflow in the AllocateGlyph function in the Render extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to execute arbitrary code via unspecified request fields that are used to calculate a heap buffer size, which triggers a heap-based buffer overflow. |
Product Status | Issue has been fixed in Reflection X 14.1. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2360. |
Alert | Vulnerability Summary for CVE-2008-2361 |
Date Posted | June 2010 |
Summary | Integer overflow in the ProcRenderCreateCursor function in the Render extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to cause a denial of service (daemon crash) via unspecified request fields that are used to calculate a glyph buffer size, which triggers a dereference of unmapped memory. |
Product Status | Issue has been fixed in Reflection X 14.1. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2361. |
Alert | Vulnerability Summary for CVE-2008-2362 |
Date Posted | June 2010 |
Summary | Multiple integer overflows in the Render extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code using a (1) SProcRenderCreateLinearGradient, (2) SProcRenderCreateRadialGradient, or (3) SProcRenderCreateConicalGradient request with an invalid field specifying the number of bytes to swap in the request data, which triggers heap memory corruption. |
Product Status | Issue has been fixed in Reflection X 14.1. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2362. |
Alert | US-CERT Technical Cyber Security Alert TA10-131A |
Date Posted | May 2010 |
Summary | A remote code execution vulnerability exists in the way that Microsoft Visual Basic for Applications searches for ActiveX controls, as described in Microsoft Security Bulletin MS10-031 and Microsoft Security Advisory KB 974945. |
Product Status | Reflection products listed in the Applies To section of this technical note contain ActiveX controls that are subject to this vulnerability. If you have any Microsoft Office products installed and use Microsoft Update to keep your systems secure, the Microsoft patches described in Microsoft Security Bulletin MS10-031 (http://www.microsoft.com/technet/security/bulletin/ms10-031.mspx) will automatically update the vulnerable VBE6.DLL file used by Reflection applications. For systems that are not updated automatically through Microsoft Update, the patch can be downloaded from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=436a8a66-352e-44d1-a610-c825083ad24a. Reflection version 14.1 installs the non-vulnerable VBE6.DLL, version 6.5.10.52. |
Additional Information | For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA10-131A.html. |
Alert | Drawing Object Vulnerability CVE-2007-1747 |
Date Posted | October 2009 |
Summary | Reflection products with VBA features (Reflection 2008, Reflection 2007, and Reflection 14.x and earlier) include redistributable Microsoft VBA 6.4 files. There are reported vulnerabilities specific to how Microsoft Office uses these files. To resolve these vulnerabilities, Microsoft recommends applying an update to Microsoft Office. |
Product Status | Attachmate Reflection products do not have this vulnerability. |
Additional Information | For details, see Microsoft Security Bulletin MS07-025 at http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx. |
Alert | US-CERT Technical Cyber Security Alert TA09-209A |
Date Posted | 28-July-2009 |
Summary | Vulnerabilities present in the Microsoft Active Template Library (ATL) can cause vulnerabilities in the resulting ActiveX controls and COM components, as described in Microsoft Security Bulletin MS09-035 and Microsoft Security Advisory 973882. Any ActiveX control or COM component that was created with a vulnerable version of the ATL may be vulnerable. |
Product Status | Reflection products listed in the Applies To section of this technical note contain ActiveX controls that are subject to this vulnerability. Beginning in version 14.0 Service Pack 7, the Reflection products now contain the non-vulnerable ATL. Be sure to apply all Microsoft ATL critical patches to your systems as described in Microsoft Security Bulletin MS09-035, http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx. |
Additional Information | For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA09-209A.html. |
Alert | Vulnerability Summary CVE-2007-4752 |
Date Posted | September 2007 |
Summary | SSH in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted. |
Product Status | Attachmate SSH clients (including Reflection for Secure IT and Reflection X) do not have this OpenSSH vulnerability. Note: Reflection for Secure IT UNIX Clients versions 6.x and 7.0 support trusted X11 forwarding, but do not have the vulnerability. |
Additional Information | For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4752. |
Alert | US-CERT Vulnerability Note VU #419344 |
Date Posted | April 2007 |
Summary | An authenticated user may be able to execute arbitrary code on a host running kadmind. Successful exploitation can compromise the Kerberos key database and host security on the host running these programs. (kadmind and the KDC typically run as root.) Unsuccessful exploitation attempts will likely result in the affected program crashing. Third-party applications calling either the RPC library or the GSS-API library provided with MIT krb5 may be vulnerable. |
Product Status | Attachmate products (including NetIQ products) are not vulnerable. |
Additional Information | For details, see the CERT web site at http://www.kb.cert.org/vuls/id/419344. |
Alert | US-CERT Vulnerability Note VU #704024 |
Date Posted | April 2007 |
Summary | A buffer overflow exists in the krb5_klog_syslog() function used by kadmind and the KDC. An authenticated user may be able to execute arbitrary code on a host running kadmind or on a KDC host. Also, a user controlling a Kerberos realm that shares a key with the target realm may be able to execute arbitrary code on a KDC host. Successful exploitation can compromise the Kerberos key database and host security on the host running these programs. (kadmind and the KDC typically run as root.) Unsuccessful exploitation attempts will likely result in the affected program crashing. Third-party applications calling krb5_klog_syslog() may also be vulnerable. |
Product Status | Attachmate products (including NetIQ products) are not vulnerable. |
Additional Information | For details, see the CERT web site at http://www.kb.cert.org/vuls/id/704024. |
Alert | US-CERT Vulnerability Note VU #220816 |
Date Posted | April 2007 |
Summary | A remotely-exploitable root vulnerability is present in an application which ships in the krb5 sources. |
Product Status | Attachmate products (including NetIQ products) are not vulnerable. |
Additional Information | For details, see the CERT web site at http://www.kb.cert.org/vuls/id/220816. |
Alert | US-CERT Vulnerability Note VU #831452: Kerberos administration daemon may free uninitialized pointers |
Date Posted | April 2007 |
Summary | An unauthenticated user may cause execution of arbitrary code in the Kerberos administration daemon, "kadmind", by causing it to free uninitialized pointers which should have been initialized by the GSS-API library. Compromise of the Kerberos key database may result. Third-party server applications written using the GSS-API library provided with MIT krb5 may also be vulnerable. Affected releases are krb5-1.5 through krb5-1.5.1. |
Product Status | Attachmate products (including NetIQ products) are not vulnerable. |
Additional Information | For details, see the CERT web site at http://www.kb.cert.org/vuls/id/831452. |
Alert | US-CERT Vulnerability Note VU #845620: RSA Public Exponent 3 |
Date Posted | September 2006 |
Summary | Multiple RSA implementations fail to properly handle signatures. This applies to Secure Shell and SSL/TLS encrypted connections. |
Product Status | For more information about how this vulnerability affects Reflection products, see KB 7021933. |
Additional Information | For details, see the CERT web site at http://www.kb.cert.org/vuls/id/845620. |
Alert | US-CERT Vulnerability Note VU #680620 |
Date Posted | July 14, 2005 |
Summary | Buffer overflow vulnerability in versions 1.2.1 and 1.2.2 of the zlib data compression library inflate() routine. |
Product Status | The Reflection Secure Shell client and Reflection X product use zlib version 1.1.4, which is not subject to this vulnerability. |
Additional Information | For details, see the CERT web site at http://www.kb.cert.org/vuls/id/680620. |
Alert | Announcement of Successful Cryptanalytic Attack on SHA-1 |
Summary | Three Chinese cryptanalysts from Shandong University have recently documented a successful cryptanalytic attack on the SHA-1 algorithm. |
Product Status | Reflection products primarily use SHA-1 to create HMACs (Keyed-Hashing for Message Authentication) for verification of message integrity. According to Schneier, this use of SHA-1 is not affected by the cryptanalytic attack, because the HMAC construction does not depend on the collision resistance that the attack undermines. (For further details, read the blog posting at http://www.schneier.com/blog/archives/2005/02/sha1_broken.html.) Over the next several versions of products that use the SHA-1 algorithm, all vendors, including Attachmate, will likely phase out the use of SHA-1 hashes in digital signatures and add support for SHA-256 and other stronger hashing algorithms. |
Additional Information | Bruce Schneier, the author of "Applied Cryptography," discusses this announcement on his blog, Schneier on Security. For commentary on this topic, see Mr. Schneier's blog at http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html. |
Alert | Microsoft VBA Security Update |
Summary | Microsoft has identified a critical security issue with Visual Basic for Applications (VBA). |
Product Status | For information about this issue, see KB 7021625. |
Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.