Reflection for Secure IT 8.0.2 Client and Server for UNIX New Features and Release Notes

  • 7022096
  • 30-Mar-2016
  • 10-Jul-2020

Environment

Reflection for Secure IT UNIX Client version 8.0 Service Pack 2
Reflection for Secure IT UNIX Server version 8.0 Service Pack 2

Situation

Reflection for Secure IT 8.0 Service Pack 2 (version 8.0.2.109) was released in March 2016 and is available to new and maintained customers. This release addresses multiple security vulnerabilities (listed under Security Updates below). This technical note lists the changes and included fixes.

Resolution

Version Identification

This release is identified as version 8.0.2.109, which is displayed when any of the clients or the server daemon is run with the version switch (-V or --version). For Red Hat Enterprise Linux 64-bit only, an updated version 8.0.2.110 was released in May 2016 (see Known Issues below).

What’s New in This Release?

This release includes features and fixes previously released in version 8.0.1.74 (as described in KB 7022095) and version 8.0 Service Pack 1 (as described in KB 7022094), plus the following updates.

New Features

  • Red Hat Enterprise Linux 7 x86-64 and Oracle Solaris 11 x86-64 are now supported platforms.
  • Security-Enhanced Linux (SELinux) is supported on Red Hat Enterprise Linux 6 and above.
  • Red Hat Enterprise Linux 7 High Availability Clustering is supported.

Resolved Issues

This release includes fixes for the following server issues:

  • Core dumps are no longer generated on Solaris and AIX platforms.
  • The AccountManagement=aix and IgnoreRLogin=yes server configuration keywords can now be used together.
  • In version 8.0.2.110, the server keywords AllowGroups, AllowHosts, AllowUsers, DenyGroups, DenyHosts and DenyUsers work on RHEL 7 x64 when SELinux Enforcing mode is configured.

This release includes a fix for the following client issue:

  • The SFTP client can now run the lls command when the filename argument is surrounded by single quotes (').

Additional Significant Changes

  • Reflection for Secure IT is now a 64-bit application on IBM AIX POWER, Oracle Solaris 10 SPARC, and Oracle Solaris 11 SPARC, and now requires the use of 64-bit system libraries.

For example, if the full path to the PAM libraries is specified in the pam.conf file, the path for the SSH PAM service will need to be updated to the 64-bit PAM library. See Configuring PAM libraries on AIX.

  • IBM AIX 5.3 POWER and Oracle Solaris 9 SPARC are no longer supported platforms.
  • Reflection for Secure IT now uses the OpenSSL FIPS Object Module v2.0.2 for FIPS 140-2 Level 1 validation (Certificate #1747).

Note: AIX POWER uses the OpenSSL FIPS Object Module v2.0.11 for FIPS 140-2 Level 1 validation (Certificate #2398).

  • HP-UX 11i v2 (11.23) PA-RISC and SUSE Linux Enterprise Server 10 zSeries (64-bit) are no longer FIPS 140-2 validated platforms; on these platforms the client and server no longer support FIPS mode settings.
  • DSA keys larger than 1024 bits are no longer supported when making connections or generating public key pairs. The ssh-dss signature format defined in RFC 4253 uses SHA-1 with a 160-bit subgroup order regardless of the modulus size, so a larger SSH DSA key has an effective strength no greater than that of a 1024-bit key. Check authorized_keys files and host keys for such keys before upgrading, because connections using them will no longer be accepted.
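The following is an added example, not code from Reflection for Secure IT. It parses OpenSSH-format public key lines (the "ssh-dss AAAA... comment" form used in authorized_keys files and host key .pub files), reads the DSA modulus size from the key blob, and reports keys larger than the 1024-bit limit above. The blob layout follows RFC 4253 section 6.6; the sample keys are constructed with dummy parameters of the required sizes and are not real DSA keys. The 1024-bit limit, the function names and the audit report format are choices made for this example.

```python
import base64
import struct

# Added example (not Reflection for Secure IT code). Parses OpenSSH-style
# public key lines and flags DSA keys this release no longer accepts.
#
# ssh-dss blob layout (RFC 4253 section 6.6):
#   string "ssh-dss", mpint p, mpint q, mpint g, mpint y
# ssh-dss signatures always use SHA-1 with a 160-bit q, which is why a larger
# p does not raise the effective strength above that of a 1024-bit key.

MAX_DSA_BITS = 1024  # largest DSA modulus accepted by this release (per the note above)


def _string(data):
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(n):
    """SSH 'mpint' for a non-negative integer: two's-complement, big-endian,
    with a leading 0x00 byte when the high bit would otherwise be set."""
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)
    return _string(raw)


def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    return blob[off:off + n], off + n


def _read_mpint(blob, off):
    raw, off = _read_string(blob, off)
    return int.from_bytes(raw, "big", signed=True), off


def parse_ssh_dss(line):
    """Return (p_bits, q_bits) for an 'ssh-dss <base64>' line, with or without
    leading authorized_keys options. Raises ValueError for other key types."""
    fields = line.split()
    if "ssh-dss" not in fields:
        raise ValueError("not an ssh-dss key line")
    blob = base64.b64decode(fields[fields.index("ssh-dss") + 1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-dss":
        raise ValueError("blob type does not match ssh-dss")
    p, off = _read_mpint(blob, off)
    q, off = _read_mpint(blob, off)
    return p.bit_length(), q.bit_length()


def dsa_key_status(line, max_bits=MAX_DSA_BITS):
    """'skip' for comments and non-DSA lines, 'ok' for DSA keys of max_bits
    or less, 'too-large' for DSA keys this release will no longer accept."""
    fields = line.split()
    if not fields or fields[0].startswith("#") or "ssh-dss" not in fields:
        return "skip"
    p_bits, _q_bits = parse_ssh_dss(line)
    return "too-large" if p_bits > max_bits else "ok"


def audit_keys(text):
    """Audit the contents of an authorized_keys-style file.
    Returns a list of (line_number, status, p_bits) for every DSA key found."""
    report = []
    for num, line in enumerate(text.splitlines(), 1):
        status = dsa_key_status(line)
        if status != "skip":
            p_bits, _ = parse_ssh_dss(line)
            report.append((num, status, p_bits))
    return report


def build_ssh_dss_line(p_bits, q_bits=160, comment="constructed"):
    """Constructed sample key of the given sizes. The parameters are dummies
    (not a real DSA key); they only exercise the size check above."""
    p = (1 << (p_bits - 1)) | 1
    q = (1 << (q_bits - 1)) | 1
    blob = _string(b"ssh-dss") + _mpint(p) + _mpint(q) + _mpint(2) + _mpint(3)
    return "ssh-dss " + base64.b64encode(blob).decode("ascii") + " " + comment


if __name__ == "__main__":
    # Constructed authorized_keys sample: one 1024-bit and one 2048-bit DSA key.
    sample = "\n".join([
        "# constructed authorized_keys sample",
        build_ssh_dss_line(1024, comment="user-a@legacy"),
        build_ssh_dss_line(2048, comment="user-b@oversized"),
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC6 user-c@rsa",
    ])
    for num, status, bits in audit_keys(sample):
        print(f"line {num}: ssh-dss {bits}-bit -> {status}")
```

Run audit_keys over each user's authorized_keys file and the server's host key .pub file before upgrading; any "too-large" entry needs a replacement key (an RSA key, or a DSA key of at most 1024 bits) generated and distributed before the old one stops working.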

Security Updates

  • OpenSSH xauth Command Injection Vulnerability (CVE-2016-3115) is addressed. This vulnerability could allow an authenticated user who is permitted to request X11 forwarding to inject commands into xauth(1) through crafted X11 authentication data; it matters most for accounts that are otherwise restricted, for example by a forced command.
  • Reflection for Secure IT contains the latest OpenSSL Cryptographic Module, which includes OpenSSL release 1.0.2g.
  • OpenSSH Keyboard-Interactive Devices Vulnerability (CVE-2015-5600) is addressed. This vulnerability could allow a remote attacker to brute-force passwords by requesting the same keyboard-interactive device repeatedly within a single connection, which bypassed the limit on the number of authentication attempts.
  • OpenSSH X11 Bypass Vulnerability (CVE-2015-5352) is addressed. This vulnerability could allow the client to keep accepting X11 connections after the forwarding timeout had expired, bypassing intended access restrictions for X connections.
  • OpenSSL Null Pointer Dereference Vulnerability (CVE-2015-0289) is addressed. This vulnerability could allow attackers to cause a denial of service (crash) by providing malformed PKCS#7 data to an application that parses it.
  • OpenSSL Buffer Overflow Vulnerability (CVE-2015-0292) is addressed. This vulnerability could allow remote attackers to cause a denial of service or possibly other impact by supplying crafted base64 data that triggers a buffer overflow during decoding.
  • Diffie-Hellman Logjam Vulnerability (CVE-2015-4000) is addressed. This vulnerability could allow an attacker with sufficient precomputation resources to passively eavesdrop on and decrypt SSH sessions that negotiate weak (1024-bit or smaller) DH groups for key exchange.
  • OpenSSH PAM Impersonation Vulnerability (CVE-2015-6563) is addressed. This vulnerability could allow a local user to impersonate another user by combining any SSH login access with control of the unprivileged sshd process to send a crafted PAM request to the privileged monitor.
  • OpenSSH PAM Use-after-free Vulnerability (CVE-2015-6564) is addressed. This vulnerability could allow a local user who has gained control of the unprivileged sshd process to send an unexpected PAM request that triggers a use-after-free in the privileged monitor, and possibly gain privileges.

For more information on security updates, see https://support.microfocus.com/security/.

Known Issues

  • On RHEL 7 x86-64 with SELinux in Enforcing mode, the server configuration keywords AllowHosts, AllowUsers, AllowGroups, DenyHosts, DenyUsers and DenyGroups did not work in version 8.0.2.109 (released March 2016). This issue is addressed in version 8.0.2.110 (released May 2016).
  • On RHEL 7 on x86-64, there is an issue when manually starting or stopping sshd under certain conditions. For more information, see KB 7022097.

Downloading the Product

Maintained customers are eligible to download the latest product releases at https://download.attachmate.com/Upgrades/. You will be prompted to log in and accept the Software License Agreement before you can download a file. For more information about using the Downloads website, see KB 7021965.

Note: If you download an Oracle Solaris, HP-UX, or IBM AIX package using Internet Explorer, the uppercase (.Z) extension is changed to lowercase (.z). You will need to rename the file name to use an uppercase Z before you can uncompress your files.

For information about purchasing Reflection for Secure IT, contact a sales representative: https://www.attachmate.com/company/contact/.

Installing or Upgrading

For supported platform information, see KB 7022010.

To upgrade, you will need to:

  1. Back up the /etc/ssh2 directory (which includes configuration files and host keys).
  2. Uninstall your existing version.
  3. Install the new downloaded product.

For more information about installing and uninstalling, see the User Guide at https://support.microfocus.com/manuals/rsit_unix.html.

To replace an existing Secure Shell program (including using backed up files to merge your non-default settings to the new configuration file), see KB 7021941 or https://docs.attachmate.com/reflection/rsit-ssh/8.0sp1/unix/en/user-guide/rsit_unix_upgrade_rf.htm.
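The following is an added example, not code from Reflection for Secure IT, covering the backup step of the upgrade procedure and the merge of non-default settings mentioned above. It copies the configuration directory to a timestamped backup, records a SHA-256 digest of every file so that, after the uninstall and install, you can see exactly which files the new package replaced (host keys included), and lists the keywords set in the old configuration that differ from or are missing in the newly installed one. Assumptions: the directory is /etc/ssh2 as stated in step 1, and the configuration file uses Keyword=value lines with '#' comments (the form the AccountManagement=aix example above uses); when a keyword appears more than once, this example keeps the last occurrence, which is a simplification. The sample configurations and file names in __main__ are constructed.

```python
import hashlib
import os
import shutil
import sys
import time

# Added example (not Reflection for Secure IT code). Assumptions: the server
# configuration directory is /etc/ssh2 and its configuration file uses
# Keyword=value lines with '#' comments. Sample data below is constructed.


def backup_config_dir(src="/etc/ssh2", dest_root="/var/backups"):
    """Copy src to dest_root/<basename>-<timestamp>, preserving modes and
    timestamps (ownership is preserved only when run as root). Returns the path."""
    stamp = time.strftime("%Y%m%d-%H%M%S")
    dest = os.path.join(dest_root, f"{os.path.basename(src.rstrip('/'))}-{stamp}")
    shutil.copytree(src, dest)  # raises if dest already exists
    return dest


def tree_digests(dirpath):
    """SHA-256 of every regular file under dirpath, keyed by relative path.
    Symlinks are skipped so a link to a key is not mistaken for the key itself."""
    digests = {}
    for root, _dirs, files in os.walk(dirpath):
        for name in files:
            full = os.path.join(root, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, dirpath)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_trees(old_dir, new_dir):
    """Compare the backup with the live directory after the upgrade.
    Returns (changed, missing, added): sorted relative paths whose content
    differs, that disappeared, and that the new install created."""
    old, new = tree_digests(old_dir), tree_digests(new_dir)
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    missing = sorted(p for p in old if p not in new)
    added = sorted(p for p in new if p not in old)
    return changed, missing, added


def parse_keyword_config(text):
    """Parse 'Keyword=value' (or 'Keyword value') lines; '#' lines are comments.
    Simplification: if a keyword repeats, the last occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        settings[key.strip()] = value.strip()
    return settings


def settings_to_merge(old_text, new_text):
    """Keywords explicitly set in the old configuration that are absent from,
    or have a different value in, the newly installed configuration.
    Maps keyword -> (old_value, new_value_or_None)."""
    old, new = parse_keyword_config(old_text), parse_keyword_config(new_text)
    return {k: (v, new.get(k)) for k, v in old.items() if new.get(k) != v}


if __name__ == "__main__":
    # Usage: backup [SRC [DEST_ROOT]]   before uninstalling
    #        diff BACKUP_DIR LIVE_DIR    after installing the new release
    if len(sys.argv) >= 2 and sys.argv[1] == "diff":
        changed, missing, added = diff_trees(sys.argv[2], sys.argv[3])
        print("changed by the new install:", changed)
        print("missing after the new install:", missing)
        print("added by the new install:", added)
        for name in changed:
            if name.endswith("_config"):
                with open(os.path.join(sys.argv[2], name)) as old_fh, \
                        open(os.path.join(sys.argv[3], name)) as new_fh:
                    for key, (old_v, new_v) in settings_to_merge(old_fh.read(), new_fh.read()).items():
                        print(f"  re-apply in {name}: {key}={old_v} (new file has {new_v})")
    else:
        src = sys.argv[2] if len(sys.argv) > 2 else "/etc/ssh2"
        dest_root = sys.argv[3] if len(sys.argv) > 3 else "/var/backups"
        print("backed up", src, "to", backup_config_dir(src, dest_root))
```

If the host key files appear in the "changed" list after the install, the server's identity has changed and every client will see a host key mismatch on the next connection; restore the backed-up keys (with their original permissions) before restarting the daemon unless a key rotation was intended.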

Configuring PAM libraries on AIX

If the full path to the PAM libraries is specified in the pam.conf file, the path for the SSH PAM service will need to be updated to the 64-bit PAM library. For example:

ssh auth required /usr/lib/security/64/pam_aix
ssh account required /usr/lib/security/64/pam_aix
ssh password required /usr/lib/security/64/pam_aix
ssh session required /usr/lib/security/64/pam_aix
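The following is an added example, not code from Reflection for Secure IT or IBM. It reads an AIX pam.conf, reports every entry for the Secure Shell service whose module is given as a full path outside the 64-bit library directory, and rewrites the common case (a module directly under /usr/lib/security) to the /usr/lib/security/64 path shown in the entries above; anything else is left for manual review. Assumptions: entries have the form "service module_type control module_path [options]", the service name is "ssh", and entries that name a module without a path are resolved by AIX itself and are therefore not reported. The sample pam.conf fragment is constructed.

```python
# Added example (not Reflection for Secure IT or IBM code). Assumptions: AIX
# pam.conf lines are "service module_type control module_path [options]",
# 32-bit modules live in /usr/lib/security and 64-bit ones in
# /usr/lib/security/64, and the Secure Shell service is named "ssh".

LIB_DIR = "/usr/lib/security"
LIB64_DIR = LIB_DIR + "/64"


def find_32bit_pam_entries(text, service="ssh"):
    """Return (line_number, module_path) for every entry of `service` whose
    module is a full path not under the 64-bit library directory. Entries that
    name the module without a path are left to AIX's own search and skipped."""
    hits = []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] != service:
            continue
        module = fields[3]
        if module.startswith("/") and not module.startswith(LIB64_DIR + "/"):
            hits.append((num, module))
    return hits


def rewrite_to_64bit(text, service="ssh"):
    """Rewrite module paths directly under LIB_DIR to LIB64_DIR for `service`.
    Paths elsewhere are not guessed at; they are reported in `skipped` for a
    manual fix. Returns (new_text, rewritten_line_numbers, skipped_line_numbers)."""
    flagged = dict(find_32bit_pam_entries(text, service))
    out, rewritten, skipped = [], [], []
    for num, raw in enumerate(text.splitlines(), 1):
        module = flagged.get(num)
        if module is None:
            out.append(raw)
            continue
        directory, _, name = module.rpartition("/")
        if directory == LIB_DIR:
            out.append(raw.replace(module, LIB64_DIR + "/" + name, 1))
            rewritten.append(num)
        else:
            out.append(raw)
            skipped.append(num)
    new_text = "\n".join(out) + ("\n" if text.endswith("\n") else "")
    return new_text, rewritten, skipped


# Constructed sample: two 32-bit entries, one already 64-bit, one custom
# module outside the system library directory, and one unrelated service.
SAMPLE_PAM_CONF = """# constructed AIX pam.conf fragment
ssh auth required /usr/lib/security/pam_aix
ssh account required /usr/lib/security/pam_aix
ssh password required /usr/lib/security/64/pam_aix
ssh session required /opt/custom/pam_custom
telnet auth required /usr/lib/security/pam_aix
"""

if __name__ == "__main__":
    for num, module in find_32bit_pam_entries(SAMPLE_PAM_CONF):
        print(f"line {num}: ssh entry uses non-64-bit module {module}")
    new_text, rewritten, skipped = rewrite_to_64bit(SAMPLE_PAM_CONF)
    print("rewritten lines:", rewritten, "left for manual review:", skipped)
    print(new_text)
```

Run find_32bit_pam_entries on the live /etc/pam.conf before starting the 64-bit daemon; an ssh entry that still points at a 32-bit module will fail to load and every authentication through that service will be refused, so keep a backup of pam.conf and verify a login from a second session before closing the one you are working in.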

Additional Information

Legacy KB ID

This article was originally published as Attachmate Technical Note 2854.