Security Updates 2017 and earlier - Reflection for Secure IT

  • 7022102
  • 01-Feb-2008
  • 02-Mar-2018

Environment

Reflection for Secure IT UNIX Client version 7.0 or higher
Reflection for Secure IT UNIX Server version 7.0 or higher
Reflection for Secure IT Windows Server version 7.0 or higher
Reflection for Secure IT Windows Client version 7.0 or higher
Reflection for Secure IT Gateway version 1.1 or higher

Situation

This technical note describes security issues related to the Reflection for Secure IT products listed in the Applies To section. If you rely on the security features of these products, you should consult this technical note on a regular basis for any updated information regarding these features.

Other Useful Resources

Java and Reflection for Secure IT

In this product family, Reflection for Secure IT Gateway uses Java; the other Reflection for Secure IT products do not use Java.

Reflection for Secure IT Gateway contains both a Java Server and a Java applet (the Transfer Client).

  • The installer for the Reflection Gateway services installs a private server JRE that is updated when Reflection for Secure IT Gateway releases; this may occur with a hotfix, service pack, or full release. You can also manually update the JRE.
  • The optional applet is signed by a CA-issued certificate and served via HTTPS.

For more information about Java and Reflection for Secure IT, see KB 7021973.

Resolution

Security Alerts and Advisories

The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.

Note: This information is non-inclusive—it does not attempt to address all security issues that may affect your system.

IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see KB 7021969.

Alert
OpenSSH (CVE-2016-1908)
Date Posted
August 2017
Summary
The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges.
Product Status
Client and Server for UNIX: This issue is addressed beginning in version 8.0 SP2 Update 1 (8.0.2.146). Maintained customers can obtain the latest release from the Downloads website.
Additional Information
For vulnerability details, see the National Vulnerability Database:
https://nvd.nist.gov/vuln/detail/CVE-2016-1908
Alert
Multiple OpenSSL Vulnerabilities
Date Posted
March 2017, Updated July 2017
Summary
Multiple OpenSSL issues have been addressed in the latest OpenSSL version. We recommend that you upgrade to the latest version of Reflection for Secure IT Server for Windows and Reflection for Secure IT Client and Server for UNIX, available from the Downloads website.
Version Affected
Server for Windows: Version 8.2.1090 contains the latest OpenSSL Cryptographic Module that includes OpenSSL release 1.0.2k.
Client and Server for UNIX: Version 8.0.2.138 contains the latest OpenSSL Cryptographic Module that includes OpenSSL release 1.0.2k.
Maintained customers can obtain the latest release from the Downloads website.

Additional Information
For vulnerability details, see
https://www.openssl.org/news/secadv/20160503.txt.
Alert
OpenSSH (CVE-2016-10009)
Date Posted
March 2017
Summary
Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.
Product Status
Client and Server for UNIX: This issue is addressed beginning in version 8.0.2.138. Maintained customers can obtain the latest release from the Downloads website.
Additional Information
For vulnerability details, see the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10009
Alert
OpenSSH (CVE-2016-10012)
Date Posted
March 2017
Summary
The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allow local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.
Product Status
Server for UNIX: This issue is addressed beginning in version 8.0.2.138. Maintained customers can obtain the latest release from the Downloads website.
Additional Information
For vulnerability details, see the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10012
Alert
OpenSSH Password Length Denial of Service Vulnerability (CVE-2016-6515)
Date Posted
September 2016
Summary
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.
Product Status
Server for UNIX: This issue is addressed beginning in version 8.0.2.125. Maintained customers can obtain the latest release from the Downloads website.
Additional Information
For vulnerability details, see the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6515
Alert
OpenSSH UseLogin Privilege Escalation Vulnerability (CVE-2015-8325)
Date Posted
May 2016
Summary
The do_setup_env function in OpenSSH, when the UseLogin feature is enabled and PAM is configured, allows local users to gain privileges by triggering a crafted environment for the /bin/login program.
Product Status
Server for UNIX: This issue is addressed beginning in version 8.0.2.120. Maintained customers can obtain the latest release from the Downloads website.
Additional Information
For vulnerability details, see the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8325
Alert
Multiple OpenSSL Vulnerabilities
Date Posted
May 2016
Summary
Multiple OpenSSL issues have been addressed in the latest OpenSSL version. We recommend that you upgrade to the latest version of Reflection for Secure IT Client and Server for UNIX, available from the Downloads website.
Version Affected
Client and Server for UNIX: Version 8.0.2.120 contains the latest OpenSSL Cryptographic Module that includes OpenSSL release 1.0.2h. Maintained customers can obtain the latest release from the Downloads website.
Additional Information
For vulnerability details, see
https://www.openssl.org/news/secadv/20160503.txt.
Alert
OpenSSH xauth Command Injection Vulnerability
Date Posted
March 2016
Summary
Missing sanitization of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1).
Product Status
Server for UNIX: This issue is addressed beginning in version 8.0 Service Pack 2. Maintained customers can obtain the latest release from the Downloads website.
Additional Information
For vulnerability details, see the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3115
Alert
Multiple OpenSSL Vulnerabilities
Date Posted
March 2016
Summary
Multiple OpenSSL issues have been addressed in the latest OpenSSL version. We recommend that you upgrade to the latest version of Reflection for Secure IT Client and Server for UNIX, available from the Downloads website.
Version Affected
Reflection for Secure IT Client and Server for UNIX 8.0 Service Pack 2 contains the latest OpenSSL Cryptographic Module that includes OpenSSL release 1.0.2g. Maintained customers can download the latest release from the Downloads site.
Additional Information
For vulnerability details, see
https://www.openssl.org/news/secadv/20160301.txt.
Alert
OpenSSH Keyboard-Interactive Devices Vulnerability (CVE-2015-5600)
Date Posted
March 2016
Summary
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption).
Product Status
Server for UNIX: This issue is addressed beginning in version 8.0 Service Pack 2. Maintained customers can obtain the latest release from the Downloads website.
Additional Information
For vulnerability details, see the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5600.
Alert
OpenSSH X11 Bypass Vulnerability (CVE-2015-5352)
Date Posted
March 2016
Summary
The x11_open_helper function in ssh, when forward-x11-trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions.
Product Status
Client and Server for UNIX: This issue is addressed beginning in version 8.0 Service Pack 2. Maintained customers can obtain the latest release from the Downloads website.
Additional Information
For vulnerability details, see the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5352.
Alert
glibc Stack-based Buffer Overflow Vulnerability (CVE-2015-7547)
Date Posted
February 2016
Summary
The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() function is used.
Product Status
Client and Server for UNIX: The Client and Server (which contains the Client) are subject to this vulnerability when run on Red Hat Enterprise Linux and SUSE Linux Enterprise Server platforms if the GNU C Library (glibc) installed on the system is version 2.9 or greater.

For information on how to update your Red Hat system, see
https://access.redhat.com/security/cve/cve-2015-7547.

For information on how to update your SUSE system, see
https://www.suse.com/support/update/announcement/2016/suse-su-20160471-1.html.
Additional Information
For vulnerability details, see:
https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html.
Alert
Diffie-Hellman Logjam Vulnerabilities (CVE-2015-4000)
Date Posted
June 2015; Updated August 2015; Updated October 2015
Summary
With TLS protocol 1.2, if the DHE_EXPORT ciphersuite is supported by the server, man-in-the-middle attackers can conduct cipher-downgrade attacks. Additionally, with any TLS or SSH connection that uses weaker DH Groups (1024 bits or less) for key exchange, an attacker can passively eavesdrop and decrypt sessions.
Product Status
Client and Server for UNIX: This issue is addressed beginning in version 8.0.1.74. Maintained customers can obtain the latest release from the Downloads website.

Server for Windows: This issue is addressed beginning in version 8.2.131. Maintained customers can download the latest release from the Downloads site.

In new product installations, DH Group1 Key Exchanges are disabled by default. After upgrading an existing installation, disable Group1 Exchanges as follows:
1. Open the Reflection for Secure IT Server from the Start menu.
2. Click Configuration > Encryption > Key Exchange and click the Restore pane defaults link.
3. Click Yes to reset then File > Save Settings.

Client for Windows: This issue is addressed beginning in version 7.2.4290 (identified as version 7.2.595 or higher in Help > About after installation). Maintained customers can obtain the latest update from the Downloads website.
Export-grade ciphers are not supported with default encryption strength, and DH Group Exchange is requested with the highest preference. However, to avoid this vulnerability:
* Disable diffie-hellman-group1-sha1 in Key Exchange Algorithms.
* Verify your SSH server does not return a weak DH Group when Group Exchange is requested.
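
The second check above (does the server hand back a weak group when Group Exchange is requested?) can be automated by speaking only the unencrypted pre-NEWKEYS part of the SSH-2 handshake: read the server's KEXINIT, flag diffie-hellman-group1-sha1 if offered, then send a GEX request asking for a 2048-bit group and measure the prime the server returns. The following is an added example written for this note, not code from Reflection for Secure IT or from the original page; the host, port and the client identification string are assumptions, and the KEXINIT lists in the test are constructed.

```python
import os
import socket
import struct

SSH_MSG_KEXINIT = 20
SSH_MSG_KEX_DH_GEX_GROUP = 31
SSH_MSG_KEX_DH_GEX_REQUEST = 34
WEAK_KEX = {"diffie-hellman-group1-sha1"}  # the 1024-bit group the note says to disable
MIN_DH_BITS = 2048                         # a group-exchange prime below this is "weak"
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def name_list(names):
    # SSH name-list: uint32 length followed by comma-separated names (RFC 4251)
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(lists):
    # KEXINIT payload from a dict keyed like KEXINIT_FIELDS; missing lists are empty
    payload = bytes([SSH_MSG_KEXINIT]) + os.urandom(16)
    for field in KEXINIT_FIELDS:
        payload += name_list(lists.get(field, []))
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    # Decode a KEXINIT payload into its ten name-lists
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    lists, off = {}, 17  # skip the message id and the 16-byte cookie
    for field in KEXINIT_FIELDS:
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        lists[field] = payload[off:off + n].decode("ascii").split(",") if n else []
        off += n
    return lists

def weak_kex_algorithms(kex):
    # Server-offered KEX names that the note says to disable
    return [a for a in kex if a in WEAK_KEX]

def gex_group_bits(payload):
    # Bit length of the prime p (first mpint) in a SSH_MSG_KEX_DH_GEX_GROUP payload
    if not payload or payload[0] != SSH_MSG_KEX_DH_GEX_GROUP:
        raise ValueError("not a GEX_GROUP payload")
    (n,) = struct.unpack(">I", payload[1:5])
    return int.from_bytes(payload[5:5 + n], "big").bit_length()

def wrap_packet(payload):
    # Unencrypted binary-packet framing used before NEWKEYS (RFC 4253 section 6)
    pad = 8 - (len(payload) + 5) % 8
    if pad < 4:
        pad += 8
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + os.urandom(pad)

def unwrap_packet(data):
    # Inverse of wrap_packet: returns (payload, remaining bytes)
    (length,) = struct.unpack(">I", data[:4])
    return data[5:4 + length - data[4]], data[4 + length:]

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def read_packet(sock):
    head = recv_exact(sock, 4)
    return unwrap_packet(head + recv_exact(sock, struct.unpack(">I", head)[0]))[0]

def read_version_line(sock):
    # Servers may send banner lines before the 'SSH-' identification string (RFC 4253 4.2)
    while True:
        line = b""
        while not line.endswith(b"\n"):
            line += recv_exact(sock, 1)
        if line.startswith(b"SSH-"):
            return line.strip().decode("ascii", "replace")

def audit_server(host, port=22, timeout=5.0):
    # Read the server KEXINIT; if group exchange is offered, ask for a 2048-bit group
    # and report the size the server actually returns (no keys are derived)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        report = {"banner": read_version_line(sock)}
        sock.sendall(b"SSH-2.0-dh_audit_example\r\n")  # assumed client identification
        server = parse_kexinit(read_packet(sock))
        report["weak_kex"] = weak_kex_algorithms(server["kex"])
        gex = [a for a in server["kex"] if a.startswith("diffie-hellman-group-exchange-")]
        if gex:
            # mirror the server's own lists so algorithm negotiation cannot fail
            sock.sendall(wrap_packet(build_kexinit(dict(server, kex=[gex[0]]))))
            sock.sendall(wrap_packet(struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST,
                                                 1024, 2048, 8192)))
            report["gex_bits"] = gex_group_bits(read_packet(sock))
            report["weak_group"] = report["gex_bits"] < MIN_DH_BITS
        return report
```

Run `audit_server("ssh.example.internal")` against a host you administer; a report with a non-empty `weak_kex` list or `weak_group` set to True means the two bullet points above still need attention on that server.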

Additional Information
For vulnerability details, see
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000
Alert
OpenSSL Null Pointer Dereference Vulnerability (CVE-2015-0289)
Date Posted
June 2015; Updated October 2015
Summary
Certain OpenSSL versions allow attackers to cause a denial of service (crash) by providing malformed PKCS#7 data.
Product Status
Client and Server for UNIX: This issue is addressed beginning in version 8.0.1.74. Maintained customers can obtain the latest release from the Downloads website.

Server for Windows: This issue is addressed beginning in version 8.2.131. Maintained customers can download the latest release from the Downloads site.

Client for Windows: This issue affects Windows Client versions 7.2.4275 and earlier (identified as version 7.2.581 and earlier in Help > About).
This issue is addressed beginning in version 7.2.4290 (identified as version 7.2.595 or higher in Help > About after installation). Maintained customers can obtain the latest update from the Downloads website.
Additional Information
For vulnerability details, see the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0289
Alert
OpenSSL Buffer Overflow Vulnerability (CVE-2015-0292)
Date Posted
June 2015; Updated October 2015
Summary
Certain OpenSSL versions allow remote attackers to cause a denial of service (memory corruption) or possibly other impact by using crafted base64 data that triggers a buffer overflow.
Product Status
Client and Server for UNIX: This issue is addressed beginning in version 8.0.1.74. Maintained customers can obtain the latest release from the Downloads website.

Server for Windows: This issue is addressed beginning in version 8.2.131. Maintained customers can download the latest release from the Downloads site.

Client for Windows: This issue affects Windows Client versions 7.2.4275 and earlier (identified as version 7.2.581 and earlier in Help > About).
This issue is addressed beginning in version 7.2.4290 (identified as version 7.2.595 or higher in Help > About after installation). Maintained customers can obtain the latest update from the Downloads website.
Additional Information
For vulnerability details, see the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0292
Alert
OpenSSH PAM Impersonation Vulnerability (CVE-2015-6563)
Date Posted
October 2015
Summary
The monitor component in sshd in affected OpenSSH versions accepts extraneous username data in PAM requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted PAM monitor request.
Product Status
Client and Server for UNIX: This issue is addressed beginning in version 8.0.1.74. Maintained customers can obtain the latest release from the Downloads website.
Additional Information
For vulnerability details, see the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6563
Alert
OpenSSH PAM Use-after-free Vulnerability (CVE-2015-6564)
Date Posted
October 2015
Summary
A use-after-free vulnerability in the PAM monitor in sshd in affected OpenSSH versions might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early PAM free request.
Product Status
Client and Server for UNIX: This issue is addressed beginning in version 8.0.1.74. Maintained customers can obtain the latest release from the Downloads website.
Additional Information
For vulnerability details, see the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6564
Alert
Multiple OpenSSL Vulnerabilities
Summary
Multiple OpenSSL issues have been addressed in the latest OpenSSL version. We recommend that you upgrade to the latest version of Reflection for Secure IT Server for Windows, available from the Attachmate Downloads.
Date Posted and Version Affected
June 2015 – Reflection for Secure IT Server for Windows 8.2 hotfix build 131 contains the latest OpenSSL Cryptographic Module that includes OpenSSL release 1.0.1m. Maintained customers can download the latest hotfix from the Attachmate Downloads site.
Date Posted and Version Affected
October 2014 – Reflection for Secure IT Server for Windows 8.2 contains the latest OpenSSL Cryptographic Module that includes OpenSSL release 1.0.1i.
Additional Information
For vulnerability details, see
https://www.openssl.org/news/secadv_20140806.txt.
Alert
OpenSSL Client RSA Silent Downgrade Vulnerability (CVE-2015-0204)
Date Posted
June 2015
Summary
Certain OpenSSL client versions accept the use of a weak temporary export-grade key in a non-export RSA ciphersuite key exchange, thus enabling RSA-to-EXPORT_RSA downgrade attacks. The weakened encryption facilitates brute-force decryption ("FREAK" attack).
Product Status
Although SSH connections are not affected, this issue affects TLS/SSL connections in Reflection FTP Client 14.1.528 or earlier (identified in the FTP Client application Help > About dialog), which is included with Windows Client 7.2 Service Pack 4 (version 7.2.4254) and earlier (identified as version 7.2.573 and earlier in Help > About).
This issue is resolved in Windows Client versions 7.2.4273 and higher (identified as version 7.2.579 and higher in Help > About), which include Reflection FTP Client version 14.1.533 or higher. Maintained customers can obtain the latest update from the Downloads website.
Additional Information
For vulnerability details, see the National Vulnerability Database:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204
Alert
Stack Buffer Overflow Remote Code Execution Vulnerability in Reflection FTP Client (CVE-2014-5211)
Date Posted
January 2015
Summary
By sending a carefully crafted response, a malicious FTP server can cause a stack buffer overflow in the Reflection FTP Client.
Product Status
This issue affects Windows Client versions 7.2.3233 or earlier (identified as version 7.2.468 or earlier in Help > About), which includes Reflection FTP Client 14.1.429 or earlier (as identified in the FTP Client application Help > About dialog).
This issue is resolved beginning in Windows Client version 7.2.3241 (identified as version 7.2.472 or higher in Help > About), which includes Reflection FTP Client 14.1.433 or higher. Update to Windows Client 7.2 SP4 (version 7.2.4254) or higher from Attachmate Downloads to resolve the issue.
Additional Information
Attachmate would like to thank an anonymous researcher, working with HP's Zero Day Initiative, for the discovery and responsible reporting of this vulnerability.
For vulnerability details, see the National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5211
http://www.zerodayinitiative.com/advisories/ZDI-15-008.
Alert
Multiple Remote Code Execution Vulnerabilities in Reflection FTP Client Through ActiveX Interface (CVE-2014-0603, CVE-2014-0604, CVE-2014-0605)
Date Posted
August 2014
Summary
By sending specially crafted requests to the Reflection FTP Client OLE Automation (COM/ActiveX) API to upload a file to a system specific folder, it is possible for an attacker to execute arbitrary code on the system.
Product Status
This issue affects Windows Client versions 7.2.3228 or earlier (identified as version 7.2.465 or earlier in Help > About), which includes Reflection FTP Client 14.1.426 or earlier (as identified in the FTP Client application Help > About dialog).
This issue is resolved beginning in Windows Client version 7.2.3233 (identified as version 7.2.468 or higher in Help > About), which includes Reflection FTP Client 14.1.429 or higher. Update to Windows Client 7.2 SP4 (version 7.2.4254) or higher from Attachmate Downloads to resolve the issue.
Additional Information
Attachmate would like to thank Andrea Micalizzi (rgod), working with HP's Zero Day Initiative, for the discovery and responsible reporting of these vulnerabilities.
For vulnerability details, see the National Vulnerability Database or Zero Day Initiative:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0603
http://www.zerodayinitiative.com/advisories/ZDI-14-288
http://www.zerodayinitiative.com/advisories/ZDI-14-291
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0604
http://www.zerodayinitiative.com/advisories/ZDI-14-289
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0605
http://www.zerodayinitiative.com/advisories/ZDI-14-290
Alert
OpenSSL "CCS Injection" Vulnerability CVE-2014-0224
Date Posted
August 2014
Summary
A vulnerability in OpenSSL could allow an attacker with a man-in-the-middle vantage point on the network to decrypt or modify traffic.
Product Status
This issue affects Reflection FTP Client 14.1.426 or earlier included with Reflection for Secure IT Windows Client 7.2.3228 or earlier (identified as version 7.2.465 or earlier in Help > About), but only when making SSL 3.0, TLS 1.0 or TLS 1.2 connections.
This issue is resolved beginning in Windows Client version 7.2.3233 (identified as version 7.2.468 or higher in Help > About), which includes Reflection FTP Client 14.1.429 or higher. Update to Windows Client 7.2 SP4 (version 7.2.4254) or higher from Attachmate Downloads to resolve the issue.
Additional Information
For details and the latest information on mitigations, see the following:
CERT-CC Vulnerability Note VU#978508:
http://www.kb.cert.org/vuls/id/978508
National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224
Alert
OpenSSL ASN1 BIO Denial of Service Vulnerability CVE-2012-2110
Date Posted
May 2012; Modified June 2012; Modified November 2012; Modified May 2013
Summary
An ASN.1 input function does not properly interpret integer data, which allows remote attackers (on the Reflection for Secure IT servers) or local attackers (on the Reflection for Secure IT clients) to conduct buffer overflow attacks, and cause a denial of service (memory corruption), via crafted DER data, as demonstrated by an X.509 certificate.
Product Status
This issue is resolved beginning in Reflection for Secure IT Windows Server version 7.2+SP1 Update 1 (7.2.752), and Reflection for Secure IT UNIX Client and Server version 7.2+SP1 Update 1 (7.2.1.94). Upgrade to version 8.0, available from the Download Library.

This issue is resolved in Reflection for Secure IT Windows Client 7.2.2197. Upgrade to Reflection for Secure IT Windows Client 7.2 SP3 or higher, available from the Download Library.
Additional Information
For details, see the National Vulnerability Database site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2110.
Alert
Vulnerability Summary for CVE-2013-0422
Date Posted
January 2013
Summary
Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected.

According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications.

Product Status
Reflection for Secure IT products are not subject to this vulnerability; however, the Web Edition Transfer Client requires a Java plug-in. It is this JRE plug-in that can be exploited, not the Transfer Client. To enable use of the Transfer Client and minimize the risk described in this vulnerability, refer to the latest information provided by Oracle and install a version of Java that addresses this vulnerability.
Additional Information
For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html.
Alert
Vulnerability CVE-2011-5000
Date Posted
November 2012
Summary
The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field. There may be limited scenarios in which this issue is relevant.
Product Status
This issue is resolved beginning in Reflection for Secure IT 8.0 Server for UNIX. This issue does not affect Reflection for Secure IT Server for Windows or Reflection for Secure IT Clients.
Additional Information
For details, see the National Vulnerability Database site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5000.
Alert
OpenSSL Integer Underflow Vulnerability CVE-2012-2333
Date Posted
May 2012
Summary
Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit initialization vector calculation.
Product Status
This issue does not affect Reflection for Secure IT products.
Additional Information
For details, see the National Vulnerability Database site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2333.
Alert
Heap Overflow in Reflection FTP Client
Date Posted
November 2011; Modified April 2012
Summary
The Reflection FTP Client is subject to a heap overflow that could result in remote code execution at the authenticated user's privilege level. The vulnerability requires a user to connect to a malicious FTP server and interact with a specially crafted file.
Product Status
The Reflection FTP Client included with Reflection Windows Client 7.2 Service Pack 1 (7.2.1163) or earlier versions is subject to this vulnerability.

This issue is resolved beginning in version 7.2.1186. Upgrade to Reflection 7.2 SP2 or higher.

This issue does not affect Reflection for Secure IT Windows Server, UNIX Server, or UNIX Client.

Additional Information
Attachmate would like to thank Francis Provencher of Protek Research Labs for discovering and reporting the vulnerability.
Alert
Vulnerability Summary for CVE-2010-3190
Date Posted
June 2011
Summary
Untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1, and 2010; and Visual C++ 2005 SP1, 2008 SP1, and 2010 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application such as AtlTraceTool8.exe (aka ATL MFC Trace Tool), as demonstrated by a directory that contains a TRC, cur, rs, rct, or res file, aka "MFC Insecure Library Loading Vulnerability."
Product Status
Beginning in Reflection for Secure IT Windows Server version 7.2 SP1, this issue has been resolved by updating the Microsoft redistributable library files affected by the untrusted search path vulnerability. Note: This issue does not affect Reflection for Secure IT UNIX Client or Server.
Additional Information
For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3190.
Alert
Vulnerability CVE-2009-2408
Date Posted
June 2011
Summary
Many applications using X.509v3 certificates for authentication do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. Note: This was originally reported for Mozilla Network Security Services products.
Product Status
Beginning in version 7.2 SP1, this issue is resolved in Reflection for Secure IT UNIX Server and Client and Reflection for Secure IT Windows Server. Generating certificate signing requests (PKCS#10) with the ssh-certtool utility now sanitizes input to CN= and AltSubjName strings to prevent Kaminsky PKI layer cake attacks. Note: Beginning in version 7.1, this issue is resolved in Reflection for Secure IT Windows Client.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2408.
Alert
Vulnerability CVE-2008-0172
Date Posted
September 2010
Summary
The get_repeat_type function in basic_regex_creator.hpp in the Boost regex library (Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (NULL dereference and crash) via an invalid regular expression.
Product Status
Beginning in version 7.2, this issue is resolved in Reflection for Secure IT UNIX Server and Client. Note: This issue does not affect Reflection for Secure IT Windows Server or Client.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0172.
Alert
Vulnerability CVE-2010-1321
Date Posted
May 2010
Summary
Certain invalid GSS-API tokens can cause the MIT Kerberos 5 GSS-API acceptor (server) to crash due to a null pointer dereference in the GSS-API library. An authenticated remote attacker can cause a GSS-API application server using the MIT GSS-API library (including the Reflection for Secure IT UNIX Server) to crash by sending a malformed GSS-API token that induces a null pointer dereference.
Product Status
Reflection for Secure IT UNIX Server and Client versions 7.1 or higher can dynamically link with the vulnerable library if GSSAPI authentication is enabled. If you use GSSAPI authentication you need to download (from MIT) and install a non-vulnerable version of the library, or apply the source code patch provided by MIT at http://web.mit.edu/kerberos/advisories/2010-005-patch.txt.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1321.
Alert
Vulnerability CVE-2009-2408
Date Posted
March 2010
Summary
An attacker could get a legitimate Certification Authority to issue a valid certificate containing a '\0' (NULL) character in the Common Name (CN) or SubjectAlternativeName fields. The presence of a NULL character could result in a client accepting a server certificate that appears to be legitimate, but is not.
Product Status
All versions of the PKI Services Manager properly handle a NULL character in a domain name in the CN field identifying the Subject of an X.509 certificate. This means that the service is not vulnerable to man-in-the-middle attackers spoofing arbitrary SSL or SSH servers using a crafted certificate issued by a legitimate Certification Authority (also known as the "Null Truncation in X.509 Common Name Vulnerability").
Additional Information
For details of a similar issue, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2408.
Alert
Vulnerability Summary CVE-2009-2409
Date Posted
March 2010
Summary
Use of MD2 hashes in X.509 certificates might allow remote attackers to spoof intermediate CA certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. Note: The scope of this issue is currently limited because the amount of computation required is large.
Product Status
This issue is resolved in Reflection PKI Services Manager version 1.1 by not accepting MD2 signed intermediate CA certificates by default. A new setting is available if you need to enable use of intermediate certificates signed using this deprecated hash algorithm. From the console, enable "Allow MD2 signed certificates". Or, in the configuration file, set AllowMD2Certificates = yes.
Additional Information
For details of a similar issue, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2409.
Alert
US-CERT Technical Cyber Security Alert TA09-209A
Date Posted
28-July-2009
Summary
Vulnerabilities present in the Microsoft Active Template Library (ATL) can cause vulnerabilities in the resulting ActiveX controls and COM components, as described in Microsoft Security Bulletin MS09-035 and Microsoft Security Advisory 973882. Any ActiveX control or COM component that was created with a vulnerable version of the ATL may be vulnerable.
Product Status
While Reflection for Secure IT Windows Server and Reflection for Secure IT Windows Client do not contain ActiveX controls or COM components, these products do contain the vulnerable ATL. Beginning in version 7.1 Service Pack 2, these products contain the non-vulnerable ATL.
Additional Information
For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA09-209A.html.
Alert
Vulnerability Advisory CPNI-957037
Date Posted
October 2008
Summary
A design flaw in the SSH protocol's use of block ciphers in cipher block chaining mode could allow an attacker to recover up to four bytes of plaintext. Although the severity of the attack is considered high, the likelihood of a successful attack is considered low, and an attempt results in terminating the user's SSH connection.
Product Status
For more information about how this vulnerability affects Attachmate products, see KB 7022040.
Additional Information
For details, see the US-CERT web site at http://www.kb.cert.org/vuls/id/958563.
Alert
Vulnerability Summary CVE-2008-1657
Date Posted
July 2008
Summary
OpenSSH 4.4 and other versions before 4.9 allow remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file.
Product Status
The "ForceCommand" keyword is no longer supported as of Reflection for Secure IT UNIX Server version 7.0 SP1.
Additional Information
For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1657.
Alert
Vulnerability Summary CVE-2008-1483
Date Posted
July 2008
Summary
OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
Product Status
This issue is resolved in Reflection for Secure IT UNIX Client version 7.0 SP1.
Additional Information
For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1483.
Alert
Vulnerability Summary CVE-2007-3108
Date Posted
July 2008
Summary
An OpenSSL cryptography vulnerability that could allow an RSA key to be stolen.
Product Status
This issue is resolved in Reflection for Secure IT UNIX Client and Server version 7.0 SP1.
Additional Information
For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3108.
Alert
Vulnerability Summary CVE-2006-2937
Date Posted
July 2008
Summary
A denial-of-service attack using malformed ASN.1 packets.
Product Status
This issue is resolved in Reflection for Secure IT UNIX Client and Server version 7.0 SP1.
Additional Information
For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2937.
Alert
Vulnerability Summary CVE-2006-2940
Date Posted
July 2008
Summary
A denial-of-service attack using parasitic public keys.
Product Status
This issue is resolved in Reflection for Secure IT UNIX Client and Server version 7.0 SP1.
Additional Information
For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2940.
Alert
Vulnerability Summary CVE-2007-4752
Date Posted
September 2007
Summary
ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.
Product Status
Attachmate SSH clients (including Reflection for Secure IT and Reflection X) do not have this OpenSSH vulnerability. Note: Reflection for Secure IT UNIX Clients versions 6.x and 7.0 support trusted X11 forwarding, but do not have the vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4752.

Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Status: Security Alert

Legacy KB ID: This article was originally published as Attachmate technical note 2288.