Posts Tagged ‘Security’

MassTransit Security Bulletin

Monday, May 16th, 2011

Recently we discovered and fixed two security problems in MassTransit that may affect your server. If you have MassTransit HP, Premier, Standard or Enterprise, version 5.1 and later, keep reading. These issues do not apply to MassTransit Professional, Satellite or Application Client.

Please read the following notes to see if your configuration is affected. If it is, to resolve those issues please upgrade your server to the latest version of MassTransit or adjust the configuration as described below to eliminate the problem.

1. Passkey issue
Affected MassTransit servers: HP, Premier, Standard, Enterprise.
Affected Versions: 6.0 or newer.

Affected configuration: If you use Web Clients with email notification actions containing web links including passkeys, it is possible that MassTransit can generate duplicate passkey tokens. If this situation happens, access to files by recipients could be compromised. This applies to Mac and Windows servers.

Resolution: Upgrade to the latest MassTransit version 7.x on Windows or change your email notification actions so they do not use passkeys.

Note: The last available version of MassTransit server for Macintosh is 6.0.2. We will be glad to provide a free upgrade to the latest MassTransit 7.x for Windows, which fixes the issue and introduces many additional enhancements.

2. Active Directory issue
Affected MassTransit servers: HP, Premier, Standard, Enterprise.
Affected Versions: 5.1 or newer.

Affected Configuration: If your Windows based MassTransit server is using the MassTransit web interface with Active Directory integration, there is a configuration approach that may allow improper password handling for Web Client users. This can only happen when MassTransit is bound to Active Directory and the MassTransit Engine service uses the “NEGOTIATE AD” method to run as an Active Directory user. This defect does not apply to your server if you are not using Active Directory with MassTransit, or if the common method of using a bind user name and password is configured in MassTransitEngine.cfg.

This defect does not affect Macintosh servers.

Resolution: Upgrade to the latest MassTransit version 7.x on Windows or change your configuration so it does not use the above configuration to bind with Active Directory.

Even if you haven’t been affected by any of these issues, if you are running MassTransit HP, Premier, Standard, Enterprise, version 5.1 or newer, we still recommend you upgrade your MassTransit server to the latest version to prevent the issues from happening and to gain access to the newest features and enhancements.

How to obtain the upgrades:

MassTransit 7.x can be updated to the latest version of 7.x using these instructions:
http://docs.grouplogic.com/display/MassTransit/Upgrading+MassTransit+7+to+version+7.x

For MassTransit versions earlier than 7.0, follow these instructions to upgrade to 7.x (on Windows 2003 or 2008):
http://docs.grouplogic.com/display/MassTransit/Upgrading+MassTransit+5+or+6+to+version+7.x

Other notes:

If your MassTransit server is version 5.1 through 6.x you will need a new license key file in order to apply this upgrade. To obtain it, please submit your current dongle info / mtdongle.cfg file (instructions for finding this information can be found at http://support.grouplogic.com/?p=1604) to fulfillment@grouplogic.com.

Feel free to contact our support team at http://support.grouplogic.com/request with any questions.

Why does a security scan indicate that ExtremeZ-IP guest access is enabled?

Friday, February 4th, 2011

ExtremeZ-IP allows guest access to be enabled or disabled. As of ExtremeZ-IP 6.0.4, it is disabled by default.

When guest access is disabled, some security scanning software, such as QualysGuard, may still report that guest access is enabled.

This is an artifact of the way that ExtremeZ-IP must respond to AFP connection requests from the Mac, not an actual security risk.

Detailed technical information is provided below:

ExtremeZ-IP will always broadcast that guest access is available. However, it will not actually allow guest access unless the following two conditions are met:
1) “Allow Guests to Connect” is enabled (ExtremeZ-IP Administrator > Settings > File Server > Login Methods)
2) Guest Access is enabled on the server itself. See http://support.grouplogic.com/?p=1540

The first packet that a Mac sends in an AFP connection is a request for the server’s capabilities (FPGetSrvrInfo). One of the many items that can be specified is what User Authentication Methods (UAMs) are supported on the server. Because of an issue with the Mac implementation of AutoFS, a Mac will not attempt to log in with a real user account if the Guest UAM is not in the FPGetSrvrInfo reply. To work around that Mac issue, ExtremeZ-IP will always put the Guest UAM in the list.

This doesn’t really matter though because if a user tries to log in with that UAM, ExtremeZ-IP will send an access denied reply. In fact, regardless of what is in the FPGetSrvrInfo UAM list, AFP clients can theoretically attempt to log into an AFP server with any UAM they want. For example, even if the Mac grays out the Guest checkbox in the UI, it does not stop a Mac from attempting to connect with it from the command line. From a security perspective, what matters is that guests are prevented from logging in, which is what ExtremeZ-IP will properly do.
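As an added illustration (not Group Logic's code), here is a small Python parser for the FPGetSrvrInfo block carried in a DSIGetStatus reply, run over a constructed reply in which the Guest UAM ("No User Authent") is listed next to real UAMs, as ExtremeZ-IP always does. The field layout follows Apple's AFP/DSI documentation; the server name, machine type and sample reply are constructed. It shows exactly what a scanner keys on, the advertised UAM list, which by itself cannot tell whether a guest login would be accepted.

```python
import struct
GUEST_UAM = b"No User Authent"  # AFP name of the guest User Authentication Method

def pstr(b: bytes) -> bytes:
    """Pascal string: 1-byte length followed by the bytes."""
    return bytes([len(b)]) + b
def build_srvr_info(server_name: bytes, afp_versions, uams) -> bytes:
    """Constructed FPGetSrvrInfo reply block: MachineType, AFPVersionCount and
    UAMCount offsets, VolumeIcon offset (0 = none), Flags, Pascal ServerName,
    then the variable-length area the offsets point into."""
    fixed = 10 + 1 + len(server_name)
    fixed += fixed % 2                      # variable area starts on an even boundary
    machine = pstr(b"Windows")
    versions = bytes([len(afp_versions)]) + b"".join(map(pstr, afp_versions))
    uam_blk = bytes([len(uams)]) + b"".join(map(pstr, uams))
    off_versions = fixed + len(machine)
    off_uams = off_versions + len(versions)
    head = struct.pack(">HHHHH", fixed, off_versions, off_uams, 0, 0) + pstr(server_name)
    return head.ljust(fixed, b"\0") + machine + versions + uam_blk

def wrap_dsi(info: bytes) -> bytes:
    """Prepend the 16-byte DSI header of a DSIGetStatus reply (flags=1, cmd=3, err=0)."""
    return struct.pack(">BBHiII", 0x01, 3, 1, 0, len(info), 0) + info

def pstr_list(blob: bytes, off: int):
    """Read a count byte followed by that many Pascal strings."""
    items, pos = [], off + 1
    for _ in range(blob[off]):
        n = blob[pos]
        items.append(blob[pos + 1:pos + 1 + n])
        pos += 1 + n
    return items

def advertised_uams(reply: bytes):
    """Strip the DSI header and return the UAM names the server advertises."""
    flags, cmd, _rid, err, length, _ = struct.unpack(">BBHiII", reply[:16])
    if flags != 0x01 or cmd != 3 or err != 0:
        raise ValueError("not a successful DSIGetStatus reply")
    info = reply[16:16 + length]
    _m, _v, off_uams, _icon, _flags = struct.unpack(">HHHHH", info[:10])
    return pstr_list(info, off_uams)
def guest_uam_advertised(reply: bytes) -> bool:
    """What a scanner keys on.  It is only an advertisement: whether a guest can
    log in is decided by the server's answer to an FPLogin with this UAM."""
    return GUEST_UAM in advertised_uams(reply)

# Constructed reply: guest UAM listed next to the real UAMs, as ExtremeZ-IP always does.
SAMPLE_REPLY = wrap_dsi(build_srvr_info(b"FILESRV", [b"AFP3.3", b"AFP3.2"],
                                        [b"DHX2", b"DHCAST128", GUEST_UAM]))
```

A scanner that stops at `guest_uam_advertised` reports the false positive described above; the only conclusive check is the server's access denied reply to a guest FPLogin.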

ExtremeZ-IP Security Overview: ACLs and Unix Permissions

Friday, December 31st, 2010

Redirected to https://kb.acronis.com/content/39390