Environment
InfoConnect Airlines Gateway version 2.0 SP1 or higher
Situation
Resolution
This technical note applies to INFOConnect 8.1 SP1 or higher and Airlines Gateway 2.0 SP1 or higher connections that are configured to use FIPS 140-2. For information about FIPS 140-2, see KB 7021285.
Note: INFOConnect may have other security vulnerabilities not addressed in this note. For maximum protection against threats, we recommend that you upgrade INFOConnect to the most recent version, which has the latest security updates.
Other Useful Resources
- Operating system, host, and network effects on overall security: KB 7021969.
- Report a potential security vulnerability in an Attachmate product to Attachmate: https://www.microfocus.com/security.
- Check on the product support lifecycle status of your Attachmate software: https://support.microfocus.com/programs/lifecycle/.
- Review security updates for other Attachmate products: https://support.microfocus.com/security/.
- Information about Attachmate products and FIPS 140-2: KB 7021285.
Java and INFOConnect
INFOConnect does not use Java except in the following instance: if you have also purchased Reflection Administrator, Reflection for the Web, or Reflection Security Gateway (available Fall 2013) and use the Administrative WebStation to deploy INFOConnect sessions, a browser with a Java plug-in is required to launch those sessions. It is therefore important for you to stay current with Java as Oracle releases updates that may affect your environment.
For more information about Java and INFOConnect, see KB 7021973.
Security Alerts and Advisories
The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.
Note: This information is non-inclusive—it does not attempt to address all security issues that may affect your system.
IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see KB 7021969.
Alert | OpenSSL Null Pointer Dereference Vulnerability (CVE-2015-0289) |
Date Posted | August 2015 |
Summary | Certain OpenSSL versions allow attackers to cause a denial of service (crash) by providing malformed PKCS#7 data. |
Product Status | This issue affects Enterprise Edition versions 9.2.1.2728 and earlier, and Airlines Gateway versions 3.2.1.2728 and earlier. This issue is addressed beginning in Enterprise Edition version 9.2.1.2735 and Airlines Gateway version 3.2.1.2735. Update to Enterprise Edition 9.2 Service Pack 1 Update 1 (9.2.1.2751) or higher, or Airlines Gateway 3.2 Service Pack 1 Update 1 (3.2.1.2751). Maintained customers can obtain the latest update on the Downloads website. |
Additional Information | For vulnerability details, see the National Vulnerability Database: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0289 |
Alert | OpenSSL Buffer Overflow Vulnerability (CVE-2015-0292) |
Date Posted | August 2015 |
Summary | Certain OpenSSL versions allow remote attackers to cause a denial of service (memory corruption) or possibly other impact by using crafted base64 data that triggers a buffer overflow. |
Product Status | This issue affects Enterprise Edition versions 9.2.1.2728 and earlier, and Airlines Gateway versions 3.2.1.2728 and earlier. This issue is addressed beginning in Enterprise Edition version 9.2.1.2735 and Airlines Gateway version 3.2.1.2735. Update to Enterprise Edition 9.2 Service Pack 1 Update 1 (9.2.1.2751) or higher, or Airlines Gateway 3.2 Service Pack 1 Update 1 (3.2.1.2751). Maintained customers can obtain the latest update on the Downloads website. |
Additional Information | For vulnerability details, see the National Vulnerability Database: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0292 |
Alert | Diffie-Hellman Logjam Vulnerabilities (CVE-2015-4000) |
Date Posted | August 2015 |
Summary | With TLS protocol 1.2, if DHE_EXPORT ciphersuite is supported by the server, man-in-the-middle attackers can conduct cipher-downgrade attacks. Additionally, with any TLS or SSH connection that uses weaker DH Groups (1024 bits or less) for key exchange, an attacker can passively eavesdrop and decrypt sessions. |
Product Status | This issue affects Enterprise Edition versions 9.2.1.2728 and earlier, and Airlines Gateway versions 3.2.1.2728 and earlier. This issue is addressed beginning in Enterprise Edition version 9.2.1.2735 and Airlines Gateway version 3.2.1.2735. Update to Enterprise Edition 9.2 Service Pack 1 Update 1 (9.2.1.2751) or higher, or Airlines Gateway 3.2 Service Pack 1 Update 1 (3.2.1.2751). Maintained customers can obtain the latest update on the Downloads website. Export-grade ciphers are not supported with default encryption strength, and DH Group Exchange is requested with the highest preference. However, to avoid this vulnerability: * Disable diffie-hellman-group1-sha1 in Key Exchange Algorithms. * Verify your SSH server does not return a weak DH Group when Group Exchange is requested. |
Additional Information | For vulnerability details, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000 |
Alert | OpenSSL Client RSA Silent Downgrade Vulnerability (CVE-2015-0204) |
Date Posted | June 2015, Updated August 2015 |
Summary | Certain OpenSSL client versions accept the use of a weak temporary export-grade key in a non-export RSA ciphersuite key exchange, thus enabling RSA-to-EXPORT_RSA downgrade attacks. The weakened encryption facilitates brute-force decryption ("FREAK" attack). |
Product Status | This issue affects InfoConnect Enterprise Edition versions 9.2.1.2708 and earlier and Airlines Gateway 3.2 Service Pack 1 (3.2.1.2691) and earlier. This issue is resolved beginning in Enterprise Edition version 9.2.1.2721 and Airlines Gateway version 3.2.1.2728. Maintained customers can obtain InfoConnect 9.2 SP1 Update 1 (9.2.1.2751) on the Downloads website, or contact Technical Support to obtain the Airlines Gateway hotfix. |
Additional Information | For vulnerability details, see the National Vulnerability Database: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 |
Alert | Stack Buffer Overflow Remote Code Execution Vulnerability in Reflection FTP Client (CVE-2014-5211, ZDI-CAN-2475) |
Date Posted | January 2015, Updated August 2015 |
Summary | By sending a carefully crafted response, a malicious FTP server can cause a stack buffer overflow in the Reflection FTP Client. |
Product Status | This issue affects INFOConnect Enterprise Edition versions 9.2.1.2697 or earlier, which include Reflection FTP Client 14.1.429 or earlier (as identified in the FTP Client application Help > About dialog). This issue is resolved beginning in InfoConnect version 9.2.1.2700, which includes Reflection FTP Client 14.1.433. InfoConnect 9.2 SP1 Update 1 (9.2.1.2751) includes Reflection FTP Client 14.1 SP4 Update 1 (identified as version 14.1.558 in Help > About after installation). Maintained customers can obtain the latest update on the Downloads website. |
Additional Information | Attachmate would like to thank an anonymous researcher, working with HP's Zero Day Initiative, for the discovery and responsible reporting of this vulnerability. For vulnerability details, see the National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5211 http://www.zerodayinitiative.com/advisories/ZDI-15-008 |
Alert | Multiple Remote Code Execution Vulnerabilities in Reflection FTP Client Through ActiveX Interface (CVE-2014-0603, CVE-2014-0604, CVE-2014-0605) |
Date Posted | July 2014 |
Summary | By sending specially crafted requests to the Reflection FTP Client OLE Automation (COM/ActiveX) API to upload a file to a system specific folder, it is possible for an attacker to execute arbitrary code on the system. |
Product Status | This issue affects INFOConnect Enterprise Edition versions 9.2.0.1182 or earlier, which include Reflection FTP Client 14.1.420.0 or earlier (as identified in the FTP Client application Help > About dialog). This issue is resolved beginning in INFOConnect version 9.2.0.1183, which includes Reflection FTP Client 14.1.429.0 or higher. Upgrade to INFOConnect 9.2 SP1 (version 9.2.1.2691) or higher, available from Attachmate Downloads. |
Additional Information | Attachmate would like to thank Andrea Micalizzi (rgod), working with HP's Zero Day Initiative, for the discovery and responsible reporting of these vulnerabilities. For vulnerability details, see the National Vulnerability Database or Zero Day Initiative: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0603 http://www.zerodayinitiative.com/advisories/ZDI-14-288 http://www.zerodayinitiative.com/advisories/ZDI-14-291 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0604 http://www.zerodayinitiative.com/advisories/ZDI-14-289 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0605 http://www.zerodayinitiative.com/advisories/ZDI-14-290 |
Alert | OpenSSL "CCS Injection" Vulnerability CVE-2014-0224 |
Date Posted | July 2014 |
Summary | A vulnerability in OpenSSL could allow an attacker with a man-in-the-middle vantage point on the network to decrypt or modify traffic. |
Product Status | This issue affects INFOConnect Enterprise Edition versions 9.2.0.1182 or earlier, and Airlines Gateway version 3.2.0.1166 or earlier. This issue is resolved beginning in INFOConnect version 9.2.0.1183 and Airlines Gateway 3.2.0.1183. Upgrade to Enterprise Edition 9.2 SP1 (9.2.1.2691) or Airlines Gateway 3.2 SP1 (3.2.1.2691) or higher, available from Attachmate Downloads. |
Additional Information | For details and the latest information on mitigations, see the following: CERT-CC Vulnerability Note VU#978508: http://www.kb.cert.org/vuls/id/978508 National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 |
Alert | OpenSSL "Heartbleed" Vulnerability CVE-2014-0160 |
Date Posted | April 2014 |
Summary | A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension. |
Product Status | This issue does not affect INFOConnect; however, the Reflection FTP Client included with INFOConnect 9.2 is affected, but only when making TLS 1.2 connections to a malicious server. This issue has been resolved in Reflection FTP Client included with INFOConnect 9.2 Hotfix 5 (9.2.0.1172) or higher. Upgrade to INFOConnect 9.2 SP1 (version 9.2.1.2691) or higher, available from Attachmate Downloads. |
Additional Information | For details and the latest information on mitigations, see the following: US-CERT Technical Alert: https://www.us-cert.gov/ncas/alerts/TA14-098A CERT-CC Vulnerability Note VU#720951: http://www.kb.cert.org/vuls/id/720951 National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 |
Alert | OpenSSL ASN1 BIO Denial of Service Vulnerability CVE-2012-2110 |
Date Posted | June 2013 - Modified August 2012 |
Summary | An ASN.1 input function does not properly interpret integer data, which allows local attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption), via crafted DER data, as demonstrated by an X.509 certificate. |
Product Status | This issue is resolved in INFOConnect 9.1.1.2202 or higher. Upgrade to INFOConnect 9.2 or higher, available from Attachmate Downloads. |
Additional Information | For details, see the National Vulnerability Database site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2110. |
Alert | Vulnerability Summary for CVE-2013-0422 |
Date Posted | January 2013 |
Summary | Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected. According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications. |
Product Status | INFOConnect products are not subject to this vulnerability, however, INFOConnect sessions configured using the Administrative WebStation (included in Reflection Administrator, Reflection Security Gateway, and Reflection for the Web, sold separately from INFOConnect) require that INFOConnect be launched from a browser with a Java plug-in enabled. It is this JRE plug-in and Java Web Start that can be exploited, not INFOConnect. To launch sessions using the login/links page and minimize the risk described in this vulnerability, you should refer to the latest information provided by Oracle and install a version of Java that addresses this vulnerability. |
Additional Information | For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html. |
Alert | OpenSSL Block Cipher Padding Vulnerability CVE-2011-4576 |
Date Posted | March 2012 |
Summary | The SSL 3.0 implementation in the INFOConnect SSL client does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer. |
Product Status | The issue is resolved beginning with INFOConnect 9.1 SP1 and Airlines Gateway 3.1 SP1. Note that support for SSL 3.0 is available beginning with INFOConnect 9.1.0.1197. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4576. |
Alert | Heap Overflow in Reflection FTP Client |
Date Posted | March 2012 |
Summary | Reflection FTP Client is subject to a heap overflow that could result in remote code execution at the authenticated user's privilege level. The vulnerability requires a user to connect to a malicious FTP server and interact with a specially crafted file. |
Product Status | This issue is resolved beginning with the Reflection FTP Client (14.1.183.0) included with INFOConnect 9.1 SP1 or higher. |
Additional Information | Attachmate would like to thank Francis Provencher of Protek Research Labs for discovering and reporting the vulnerability. |
Alert | FTP Client Directory Traversal Vulnerability CVE-2010-3096 |
Date Posted | March 2011 |
Summary | Numerous FTP clients have reported a directory traversal vulnerability that allows remote FTP servers to write arbitrary files via "..\" (dot dot backslash) sequences in a filename. |
Product Status | Attachmate INFOConnect products are not subject to this vulnerability |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3096. |
Alert | MD2 signed certificate hash collision vulnerability CVE-2009-2409 |
Date Posted | March 2011 |
Summary | Hash collisions in MD2 and MD5 signed certificate signatures have been publicly demonstrated in controlled research laboratories, leading to potential user or server certificate spoofing attacks. |
Product Status | INFOConnect products listed in the Applies To section of this technical note are subject to this vulnerability, although the computation time to generate these certificates is still considered unfeasibly large. Beginning in version 9.1 and Airlines Gateway 3.1 use of MD2 or MD5 signed intermediate Certification Authority certificates is no longer allowed by default, but can be configured if needed for legacy certificate chain validation. |
Additional Information | This issue is similar to the vulnerability described in CVE-2009-2409, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2409. |
Alert | Null Truncation in X.509 Common Name Vulnerability CVE-2009-2408 |
Date Posted | March 2011 |
Summary | Attackers could acquire a server certificate containing NULL (\0) characters in the Subject's Common Name field of an x.509 certificate issued by a legitimate Certificate Authority that could allow man-in-the-middle attacks that spoof legitimate servers. |
Product Status | INFOConnect products listed in the Applies To section of this technical note are subject to this vulnerability. Beginning in version 9.1 and Airlines Gateway 3.1 all attribute fields used to authenticate the host (namely, the Subject Common Name and SubjectAlternativeName fields) are checked for illegal (non-printable) characters, and the certificate is rejected if any are found. |
Additional Information | This issue is similar to the vulnerability described in CVE-2009-2408, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2408. |
Alert | OpenSSL cryptographic message syntax vulnerability CVE-2010-742 |
Date Posted | June 2010 |
Summary | The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors. |
Product Status | Attachmate INFOConnect products are not subject to this vulnerability. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0742. |
Alert | OpenSSL RSA verification recovery vulnerability CVE-2010-1633 |
Date Posted | June 2010 |
Summary | RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors. |
Product Status | Attachmate INFOConnect products are not subject to this vulnerability. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1633. |
Alert | US-CERT Technical Cyber Security Alert TA09-209A |
Date Posted | 28-July-2009 |
Summary | Vulnerabilities present in the Microsoft Active Template Library (ATL) can cause vulnerabilities in the resulting ActiveX controls and COM components, as described in Microsoft Security Bulletin MS09-035 and Microsoft Security Advisory 973882. Any ActiveX control or COM component that was created with a vulnerable version of the ATL may be vulnerable. |
Product Status | After a review of the ActiveX controls in INFOConnect, we have determined that INFOConnect is not affected by these ATL vulnerabilities. Be sure to apply all Microsoft ATL critical patches to your systems as described in Microsoft Security Bulletin MS09-035, http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx. |
Additional Information | For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA09-209A.html. |
Alert | Announcement of Successful Cryptanalytic Attack on SHA-1 |
Summary | Three Chinese cryptanalysts from Shandong University have recently documented a successful cryptanalytic attack on the SHA-1 algorithm. |
Product Status | INFOConnect products primarily use SHA-1 to create HMACs (Keyed Hashing for Message Authentication), for verification of message integrity. According to Schneier, because hash collisions are not a prominent concern, this use of SHA-1 is not affected by the cryptanalytic attack. (For further details, read the blog posting at http://www.schneier.com/blog/archives/2005/02/sha1_broken.html.) In the next several versions of products that use the SHA-1 algorithm, all vendors—including Attachmate, will likely move to phase out the use of SHA-1 hashes for use in digital signatures and add support for SHA-256 and other stronger hashing algorithms. |
Additional | Bruce Schneier, the author of "Applied Cryptography," discusses this announcement on his blog, Schneier on Security. For commentary on this topic, see Mr. Schneier's blog at http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html. |
Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.