返回
-
标题
Central List of Documented CVE’s for One Identity Safeguard for Privileged Sessions -
说明
This knowledge article is based on customer queries and it is not the full list of One Identity Safeguard for Privileged Sessions (SPS) vulnerabilities and exposures. -
原因
A penetration test has found possible vulnerabilities in the SPS appliance. -
解决办法
Vulnerabilities and exposures
Number Description Affected versions Resolution CVE-2016-10708 sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service LTS SPS 5.0.x
FRUpgrade to SPS 6 LTS (OpenSSH version 7.6p1) CVE-2017-15906 The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in read-only mode LTS SSB 5.0.x
FRUpgrade to SPS 6 LTS (OpenSSH version 7.6p1) Known as “SACK Panic,” is an integer overflow vulnerability that can be triggered by a remote attacker sending a sequence of TCP Selective ACKnowledgements (SACKs) to a vulnerable system ALL https://support.oneidentity.com/kb/298990 CVE-2019-11478 It is an excess resource consumption vulnerability that can be triggered by a remote attacker sending a sequence of SACKs to a vulnerable system, resulting in the fragmentation of the TCP retransmission queue ALL https://support.oneidentity.com/kb/298990 CVE-2015-4000 The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks. LTS SSB 5.0.x
FRUpgrade to SPS 6 LTS
Configure TLS security settingsCVE-2019-0708 A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. Configuration dependant,
default "All" RDP channel policyDo not allow *Custom* channel type in channel policy.Use Network Level Authentication when possible.Security updates may be installed on RDP target systems.CVE-2013-4786 The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks. Only hardware appliances MBX T1, T4 and T10 The IPMI interface has known vulnerabilities that One Identity cannot fix or have an effect on. To avoid security hazards, One Identity recommends the followings.
- Connect the IPMI interface to well-protected, separated management networks with restricted accessibility.
- Use strong passwords, at least 16 characters long with a mixture of upper and lowercase letters, numbers, and special characters.CVE-2013-4037 The RAKP protocol support in the IPMI implementation sends a password hash to the client, which makes it easier for remote attackers to obtain access via a brute-force attack. Only hardware appliances MBX T1, T4 and T10 The IPMI interface has known vulnerabilities that One Identity cannot fix or have an effect on. To avoid security hazards, One Identity recommends the followings.
- Connect the IPMI interface to well-protected, separated management networks with restricted accessibility.
- Use strong passwords, at least 16 characters long with a mixture of upper and lowercase letters, numbers, and special characters.Other high-risk vulnerabilities
Outdated version of OpenSSH / OpenSSL
- Every SPS release includes security fixes, the full list can be be found in the release notes.
Make sure that you are on the latest version of your branch (LTS or Feature). - SPS Feature release has a more recent version of the affected applications, upgrade to LTS branch if you can.
Note: Feature branch currently does not support SQL source and SNMP destination. More information here: LTS vs. Feature branch
Weak ciphers- The SPS web interface can be accessed only using TLS-encryption and strong cipher algorithms.
Supported web browsers and operating systems - TLS security settings are configurable for audited protocols (SPS 5.11.0 and above)
TLS security settings
Certificate Authenticity & Trust Chain Validation IssueCA certificates used by SPS is missing from the scanner tool.
Download the following CA certificates and import into the scanner tool.- SPS CA certificate
Basic setting | Management | SSL certificates | CA X.509 certificate
- Local singing CA (if used)
Policies | Signing CAs | CA X.509 certificate
List of CVEs not affecting SPS
Number Description Reason for not being affected CVE-2015-3200 mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication mod_auth module is unused in lighttpd on SPS CVE-2018-19052 An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. mod_alias module is unused in lighttpd on SPS CVE-2018-10933 A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. libssh is unused in SPS CVE-2019-5599 A bug in the non-default RACK TCP stack can allow an attacker to cause several linked lists to grow unbounded and cause an expensive list traversal on every packet being processed, leading to resource exhaustion and a denial of service Only FreeBSD is affected CVE-2019-1552 OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. Windows builds with insecure path defaults. Only Windows is affected A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. RDP implementation error in RDS which is loosely related to the protocol itself.
RDP connections are not affected.
Security updates may be installed on RDP target systems. - Every SPS release includes security fixes, the full list can be be found in the release notes.
-
其他信息
Abbreviations
CA - Certificate Authority
RDP - Remote Desktop Protocol
RDS - Remote Desktop Services
SPS - One Identity Safeguard for Privileged Sessions