Reflection for Secure IT UNIX 8.0 SP2 Update 1 Release Notes

August, 2017

Reflection for Secure IT 8.0 Service Pack 2 Update 1 (version released in August 2017 and is available for new and maintained customers. This update addresses several security vulnerabilities, and includes several enhancements and software fixes.

1.0 What’s New?

This update includes all features and fixes previously released since version 8.0 SP2 plus the following security improvements and software fixes.

1.1 Security Improvements

This update includes the following security improvements:

Eliminated untrusted to trusted fallback when using X11 forwarding across secure SSH connections (CVE-2016-1908)

This vulnerability could allow a compromised remote X application to establish a trusted connection to the local X server, even when only untrusted X11 forwarding was requested.

When initializing an SSH connection, the client may request untrusted X11 forwarding (depending on your settings). Prior to this fix, if the setup of untrusted forwarding failed, the SSH Client fell back to requesting trusted forwarding. Now, if the setup of untrusted forwarding fails, X11 forwarding is not requested at all.

If you want to request trusted forwarding, you will need to explicitly change your settings or command line options (see ssh Command Line Options and Client Configuration Keywords in the Reflection for Secure IT for UNIX User Guide).

For more information, see Technical Note 2288.

Removed weak MAC algorithms from default lists

Removed hmac-sha1-96, hmac-md5, and hmac-md5-96 from the list of MAC algorithms that Macs='AnyStdMac' (the default) evaluates to. The default MAC algorithm list is now 'hmac-sha256,hmac-sha1,hmac-sha512'.

Removed 'none' from the list of algorithms that Macs='AnyStd' evaluates to. Macs='AnyStd' is now equivalent to 'hmac-sha256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-sha512'.

Macs='any', Macs='AnyMac', and custom lists are unchanged.

For this update, the following text in the Reflection for Secure IT documentation no longer applies.

  • Use 'AnyStdMac' to specify 'hmac-sha256, hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-sha512'.

  • Additional options are 'none', 'any' (equivalent to AnyMac plus 'none'), and 'AnyStd' (equivalent to 'AnyStdMac' plus 'none').

The following statements are accurate for this update:

  • Use 'AnyStdMac' to specify 'hmac-sha256,hmac-sha1,hmac-sha512'.

  • Additional options are 'none', 'any' (equivalent to AnyMac plus 'none'), and 'AnyStd' (equivalent to 'AnyMac' minus 'hmac-ripemd160').

Changed defaults to disable Cipher Block Chaining (CBC) mode ciphers (CVE-2008-5161)

This vulnerability made it easier for remote attackers to recover plain text data from an arbitrary block of ciphertext in an SSH session, when a block cipher algorithm in CBC mode was used.

Removed all of the *-cbc ciphers (aes128-cbc, aes192-cbc, aes256-cbc, blowfish-cbc, 3des-cbc, cast128-cbc) from the list of ciphers that the default 'AnyStdCipher' setting evaluates to. The default cipher proposal is now 'aes128-ctr,aes192-ctr,aes256-ctr,arcfour,arcfour128,arcfour256'.

The behavior of other cipher options, such as 'AnyStd' and explicit lists, is unchanged.

For this update, the following text in the Reflection for Secure IT documentation no longer applies:

The following values are provided for convenience: 'aes' (all supported aes ciphers), 'blowfish' (equivalent to 'blowfish-cbc'), 'cast' (equivalent to 'cast128-cbc'), '3des' (equivalent to '3des-cbc'), 'Any' or 'AnyStd' (all available ciphers plus 'none'), and 'AnyCipher' or 'AnyStdCipher' (all available ciphers).

The following statement is accurate for this update:

The following values are provided for convenience: 'aes' (all supported aes ciphers), 'blowfish' (equivalent to 'blowfish-cbc'), 'cast' (equivalent to 'cast128-cbc'), '3des' (equivalent to '3des-cbc'), 'Any' or 'AnyStd' (all available ciphers plus 'none'), 'AnyCipher' (all available ciphers), and 'AnyStdCipher' (aes ctr mode ciphers and arcfour).
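The alias changes described in the two sections above (the new 'AnyStdMac' and 'AnyStdCipher' defaults, 'AnyStd' no longer including 'none' for MACs) can be checked mechanically against an ssh2_config. The following audit script is an added example, not vendor code: it expands a Macs= or Ciphers= value using the alias rules stated in these release notes and reports any algorithm the update removed from the defaults. The full membership of 'AnyMac' and 'AnyCipher' is reconstructed from the notes and is an assumption, as is the constructed sample configuration.

```python
"""Audit Reflection for Secure IT ssh2_config Macs=/Ciphers= values.

Alias tables follow the 8.0 SP2 Update 1 release notes; the 'AnyMac' and
'AnyCipher' membership is reconstructed from them (assumption, not vendor code).
"""
import re

CTR_OR_STREAM = ["aes128-ctr", "aes192-ctr", "aes256-ctr",
                 "arcfour", "arcfour128", "arcfour256"]
CBC = ["aes128-cbc", "aes192-cbc", "aes256-cbc",
       "blowfish-cbc", "3des-cbc", "cast128-cbc"]
ANY_CIPHER = CTR_OR_STREAM + CBC           # assumed: "all available ciphers"

STD_MAC = ["hmac-sha256", "hmac-sha1", "hmac-sha1-96",
           "hmac-md5", "hmac-md5-96", "hmac-sha512"]
ANY_MAC = STD_MAC + ["hmac-ripemd160"]     # 'AnyStd' == 'AnyMac' minus ripemd160

ALIASES = {
    "ciphers": {
        "anystdcipher": CTR_OR_STREAM,     # new default: CBC ciphers dropped
        "anycipher": ANY_CIPHER,
        "any": ANY_CIPHER + ["none"],
        "anystd": ANY_CIPHER + ["none"],
        "aes": [c for c in ANY_CIPHER if c.startswith("aes")],
        "blowfish": ["blowfish-cbc"], "cast": ["cast128-cbc"], "3des": ["3des-cbc"],
    },
    "macs": {
        "anystdmac": ["hmac-sha256", "hmac-sha1", "hmac-sha512"],  # new default
        "anystd": STD_MAC,                 # 'none' no longer included
        "anymac": ANY_MAC,
        "any": ANY_MAC + ["none"],
    },
}

# Algorithms this update removed from the defaults, plus 'none'.
WEAK = re.compile(r"-cbc$|-96$|md5|ripemd|^none$")

def expand(keyword, value):
    """Expand a Macs=/Ciphers= value (alias or comma-separated list)."""
    table = ALIASES[keyword.lower()]
    out = []
    for item in value.split(","):
        item = item.strip()
        out.extend(table.get(item.lower(), [item]))
    return out

def weak_algorithms(keyword, value):
    """Algorithms a config value still offers that the new defaults exclude."""
    return [a for a in expand(keyword, value) if WEAK.search(a)]

def audit_config(text):
    """Scan ssh2_config text ('Keyword value' or 'Keyword=value' lines)."""
    findings = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Ciphers|Macs)\s*[= ]\s*(\S+)", line, re.I)
        if m:
            bad = weak_algorithms(m.group(1), m.group(2).strip("'\""))
            if bad:
                findings[m.group(1)] = bad
    return findings

# Constructed sample configuration (not from a real deployment).
SAMPLE_CONFIG = "# sample ssh2_config\nCiphers AnyStd\nMacs hmac-sha256,hmac-md5\n"
```

Running `audit_config(SAMPLE_CONFIG)` flags the six CBC ciphers plus 'none' on the Ciphers line and hmac-md5 on the Macs line, while the new defaults ('AnyStdCipher', 'AnyStdMac') produce no findings.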

Addressed vulnerability associated with an untrusted search path issue (CVE-2016-10009)

This vulnerability allowed remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.

Addressed a privilege escalation vulnerability when privilege separation is not used (CVE-2016-10010)

This vulnerability could allow an authenticated user to gain root privileges when privilege separation was disabled. Forwarded UNIX-domain sockets are no longer created when privilege separation is disabled.

Addressed vulnerability that resulted from the auth_password function not limiting password lengths (CVE-2016-6515)

Prior to this update, the Reflection SSH Server did not limit password lengths for password authentication, which allowed remote attackers to use long strings to cause a denial of service.

Addressed privilege escalation vulnerability when UseLogin is enabled and PAM is configured to read user environment settings (CVE-2015-8325)

This vulnerability allowed local users to gain privileges by triggering a crafted environment for the /bin/login program, when the UseLogin feature was enabled and PAM was configured to read .pam_environment files in user home directories.

Updated to OpenSSL 1.0.2k release

The OpenSSL 1.0.2k release addresses numerous vulnerabilities that are described in the OpenSSL Security Advisory [26 Jan 2017].

1.2 Software Fixes and Enhancements

This update includes the following software improvements and fixes:

Added Support for IBM AIX 7.2 on PowerPC

Added a new client keyword to specify signature algorithms for public key user authentication

This allows the client to present the signature algorithm to use with the first public key authentication test to the server.

The new client keyword is named "PkRsaSigTypes". Its default value is set to ",ssh-rsa". The value may be updated in the client config file "ssh2_config" or specified using the "-o" option.

The IgnoreRLogin keyword did not work if the AccountManagement keyword was set to use aix unless both were set in the global configuration file

If the AccountManagement=aix keyword was set, the IgnoreRLogin=yes keyword did not work if it was set in a user or host subconfiguration file.

Setting IgnoreRLogin in the global configuration file may not be ideal because this file applies to all connections to the server. The subconfiguration files are specific to particular users and hosts.

The IgnoreRLogin=yes keyword now works as expected when set in a user or host subconfiguration file.

RSA SecurID did not work on AIX 6.1 on PowerPC

Reflection for Secure IT Server for UNIX now works with the RSA SecurID 32-bit PAM module. In order to use RSA SecurID authentication, you must install the 32-bit server package for AIX (rsit-server-

Account management was failing on RHEL7

Logging on to a server as a user who was not allowed caused the server to crash. This occurred when connecting from a host, user, or group that was not allowed.

The server no longer crashes when a user who is not allowed attempts to log on.

2.0 Installation

For instructions that show how to install this update, see Installation in the Reflection for Secure IT Documentation guide.

3.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see

Copyright © 2017 Attachmate Corporation, a Micro Focus company. All rights reserved.

The only warranties for this product and any associated updates or services are those that may be described in express warranty statements accompanying the product or in an applicable license agreement you have entered into. Nothing in this document should be construed as creating any warranty for a product, updates, or services. The information contained in this document is subject to change without notice and is provided "AS IS" without any express or implied warranties or conditions. Micro Focus shall not be liable for any technical or other errors or omissions in this document. Please see the product's applicable end user license agreement for details regarding the license terms and conditions, warranties, and limitations of liability. Any links to third-party websites take you outside Micro Focus websites, and Micro Focus has no control over and is not responsible for information on third party sites.