Q&A: Security Update for Management and Security Server (CVE-2016-5765)

  • 7022315
  • 22-Nov-2016
  • 02-Mar-2018

Environment

Host Access Management and Security Server version 12.3 or earlier
Reflection for the Web (All Editions) version 12.3
Reflection for the Web (All Editions) version 12.2
Reflection for the Web 2014 (All Editions)
Reflection for the Web 2011 (All Editions)
Reflection Security Gateway 2014 (All Editions)
Reflection ZFE version 2.0.1 or earlier

Situation

The Administrative Server component used in certain products is subject to a security vulnerability (CVE-2016-5765). This technical note describes the vulnerability and recommended actions.

Resolution

The following are questions and answers about steps that customers should take as a result of this vulnerability.

1. In summary, what should you do?

  • If you use one of the affected products, you should install the upgrade as quickly as possible.
  • There are additional steps you should take after applying the upgrade, as described below.

2. What does the upgrade do?

  • The upgrade fixes the information disclosure vulnerability.
  • The upgrade also changes the algorithm used to protect the MSS administrator password, the Terminal ID Manager administrator password, and the Metering administrator and reports passwords. Before the upgrade, they were protected using SHA-1. They are now protected using PBKDF2 with SHA256.
  • The upgrade also makes other security improvements to address issues that have not been reported outside of Micro Focus.

3. What steps should you take after installing the upgrade?

You should change the following administrator passwords to get the benefit of the new stronger algorithm (PBKDF2 with SHA256) for protecting those passwords.

  • Administrative server: After installing the upgrade, change the administrator password so it will be protected with the new stronger algorithm.
  • Metering server: After installing the upgrade, change the administrator and reports passwords, so they will be protected with the new stronger algorithm.
  • Terminal ID Manager server: After installing the upgrade, change the administrator password, so it will be protected with the new stronger algorithm.
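The algorithm change in question 2 and the post-upgrade step in question 3 can be illustrated in code. The following Python is an added example, not the product's code; the record layout with `sha1$` and `pbkdf2_sha256$` prefixes and the iteration count are assumptions. It shows why each password has to be changed after the upgrade: a stored unsalted SHA-1 digest cannot be turned into a PBKDF2 record without the plaintext, so the stronger protection only applies once the password is entered again.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not the product's code. The record layout ("scheme$...") and the
# iteration count below are assumptions chosen for illustration.
PBKDF2_ITERATIONS = 200_000


def legacy_sha1_record(password: str) -> str:
    """Pre-upgrade scheme named in the note: an unsalted SHA-1 digest of the password.
    Identical passwords produce identical records, and SHA-1 is fast to brute-force."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return "sha1$" + digest


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Post-upgrade scheme: PBKDF2 with HMAC-SHA256, a random 16-byte salt and a
    work factor, all stored alongside the derived key so it can be verified later."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Check a password against either record type; the comparison is constant-time."""
    scheme, _, rest = record.partition("$")
    if scheme == "sha1":
        actual = hashlib.sha1(password.encode("utf-8")).digest()
        return hmac.compare_digest(actual, bytes.fromhex(rest))
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, dk_hex = rest.split("$")
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(actual, bytes.fromhex(dk_hex))
    return False


def needs_upgrade(record: str) -> bool:
    """True while a record is still protected with the legacy scheme."""
    return not record.startswith("pbkdf2_sha256$")


def change_password(current: str, new: str, record: str) -> str:
    """The post-upgrade step from question 3: the only way to move a legacy record
    to PBKDF2 is to receive the password again, since the digest cannot be reversed."""
    if not verify(current, record):
        raise ValueError("current password does not verify")
    return pbkdf2_record(new)


if __name__ == "__main__":
    old = legacy_sha1_record("constructed-admin-password")
    print("before upgrade:", old, "| needs upgrade:", needs_upgrade(old))
    new = change_password("constructed-admin-password", "constructed-new-password", old)
    print("after change:  ", new, "| needs upgrade:", needs_upgrade(new))
```

Running the block prints a legacy record, which is the same for every account that uses that password, followed by a salted PBKDF2 record that differs on every call even for the same password. The `needs_upgrade` check is the kind of inventory a deployment could use to confirm that every administrator, metering and Terminal ID Manager password has actually been changed after the upgrade.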

4. Are there additional steps that you should take after installing the upgrade?

You may want to take additional steps to mitigate the possibility that configuration information stored on the administrative server has been compromised through the information disclosure vulnerability.

5. How important are these additional steps?

The priority and importance of these steps may vary according to your environment, maintenance practices and risk tolerance.

For example, if your deployment is restricted to internal networks, then that may affect how you view the risk that information may have been compromised. If you regularly rotate passwords or certificates, that may affect whether you decide to change them out of cycle or on the regular rotation. These are all judgment calls.

6. What additional steps should be considered if you are using the LDAP access control features?

  • You may want to change the password used by the administrative server to access the directory.
  • Best practice: Confirm that the LDAP account being used by the administrative server to access the directory has read-only rights to the directory. It is a best practice not to use an LDAP account that has more rights than are necessary.
  • If you are using the password change notification feature with the option that enables users to change their Active Directory passwords, then you may want to change the password on the account that is used to reset user passwords.

7. What additional steps should be considered if you are using the Security Proxy Server?

  • You may want to change the Management and Security Server certificate and private key, which is used to sign the proxy token. The previous certificate should be revoked, or if it is a self-signed certificate, it should be removed from the trusted certificate store on the proxy server.
  • If you change the Management and Security Server certificate, then it will need to be imported into the trusted certificate store on the proxy server.
  • If the proxy server is on the same machine as the administrative server, then it may have been subject to a compromise of that machine. In this case, you may want to change the proxy server’s certificate and private key. If the previous certificate is signed by a CA, then you may want to revoke it. If the previous certificate is a self-signed certificate and you are using it with Reflection for the Web clients, then you may want to remove it from the Terminal Emulator Applet Trusted Certificate list on the administrative server and update that Trusted Certificate list with the new certificate. If it is a self-signed certificate and you are using it with Reflection or Rumba Windows-based clients, then you may want to remove it from the trusted certificate stores on those clients.

8. What additional steps should be considered if you are using the Automated Sign-On for Mainframe Add-On product?

  • You may want to change the client certificate and private key used by the administrative server to access DCAS on the mainframe, and revoke the previously used certificate.
  • If a secondary directory is used with the Automated Sign-On for Mainframe Add-On product, you may want to change the password used by the administrative server to access that secondary directory.
  • Best practice: Confirm that the LDAP account being used by the administrative server has read-only rights to the secondary directory. It is a best practice not to use an LDAP account that has more rights than are necessary.

9. What additional steps should be considered if you are using the administrative server’s replication feature?

  • You may want to change the shared passphrase that is configured as part of the data replication feature.

10. What additional steps should be considered if you are using Single sign-on through Windows authentication (NTLM)?

  • You may want to change the passwords for the accounts that are set as part of the NTLM configuration.

11. What additional steps should be considered if you are using the shared client certificate or shared SSH key feature with the Reflection for the Web client?

  • If you consider the shared certificate or key to be security sensitive, then you may want to change them.

12. What additional steps should be considered if you are using Reflection for the Web clients with the credential store feature?

  • You may want to regenerate the encryption key used on the server to encrypt credentials.
  • Any items stored in the credential store by a Windows client will also have been encrypted using Windows APIs on that Windows client before being saved to the credential store. The client-based encryption should not be affected by any security vulnerability on the server.

13. What other additional steps should be considered?

  • In the Administrative WebStation, Security Settings, Security tab, if you have set a password for the keystores, then you may want to change that password.
  • In the Administrative WebStation, Security Settings, Security tab, if you have set a password for the keychain, then you may want to change that password.

If you have additional questions, please contact Customer Care, https://support.microfocus.com/contact/.

Status

Security Alert

Additional Information

The vulnerability allows remote unauthenticated attackers to use a specially crafted URL to read the contents of files from the machine running the Administrative Server component. The attacker’s ability to read files is limited by the Administrative Server’s enforcement of a restriction on the length of a URL parameter.
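The note describes the flaw only as a file read through a crafted URL parameter, bounded by a length limit, and gives no further detail. As an added, generic illustration (not the product's code; the served directory, file names and contents are constructed), the following Python shows the server-side check that prevents this class of problem: the requested name is resolved against the directory the server is permitted to serve, and any request that resolves outside that directory is refused before anything is opened.

```python
import tempfile
from pathlib import Path
from typing import Optional

# Added example, not the product's code. The served directory, the file names and
# their contents are constructed for the demonstration.


def resolve_within_root(root: Path, requested: str) -> Optional[Path]:
    """Canonicalise root and the requested name together and accept the result only
    if it still lies inside root. resolve() also follows symlinks, so a link that
    points outside the served tree is rejected as well. Note that joining an
    absolute path onto a Path discards root, which is why the containment check
    runs on the resolved result rather than on the raw join."""
    root = root.resolve()
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def read_served_file(root: Path, requested: str) -> Optional[str]:
    """Return the file contents for an acceptable request, None otherwise.
    Refusing early means no bytes outside root are ever opened."""
    target = resolve_within_root(root, requested)
    if target is None or not target.is_file():
        return None
    return target.read_text(encoding="utf-8")


def build_demo_tree() -> Path:
    """Constructed layout: a served 'public' directory next to a file that must
    stay private. Returns the served directory."""
    base = Path(tempfile.mkdtemp())
    (base / "public").mkdir()
    (base / "public" / "index.html").write_text("<html>served</html>", encoding="utf-8")
    (base / "private.properties").write_text("constructed=secret", encoding="utf-8")
    return base / "public"


if __name__ == "__main__":
    served = build_demo_tree()
    private_abs = str(served.parent / "private.properties")
    for name in ("index.html", "sub/../index.html", "../private.properties",
                 private_abs, "missing.html"):
        print(repr(name), "->", read_served_file(served, name))
```

Only the two requests that resolve to `index.html` return content; the relative escape, the absolute path and the missing file all yield `None`. A length limit on the parameter, which the note says bounded the product's exposure, reduces what can be reached but is not a substitute for this containment check.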

The affected products are listed in the Environment section.

Updated versions are available which address the vulnerability. Information about the vulnerability, the affected products and versions, and how to obtain the security updates which address the vulnerability is contained in https://support.microfocus.com/security/.

This vulnerability has been published as CVE-2016-5765, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5765.

Legacy KB ID

This document was originally published as Attachmate Technical Note 2888.