Release Notes for CryptoAuditor 2.4.1
-------------------------------------

9 February 2018


(C) 2012-2018 SSH Communications Security Corporation 
This software is protected by international copyright laws.
All Rights Reserved.
------------------------------------------------------------


NOTE:
Upgrading to this release from any previous version requires a full 
system upgrade, because appliance OS components have also been updated.


Table of Contents

1.   About This Release
1.1  Upgrading from Earlier Versions
1.2  What's New in This Release?
2.   Bug Fixes and Minor Features
3.   Known Issues
4.   Further Information



1.   About This Release
-----------------------

CryptoAuditor is a solution for controlling and monitoring privileged access 
over Secure Shell (SSH), Remote Desktop (RDP), HTTP(S), and other TCP/TLS 
connections. CryptoAuditor consists of a central Vault component to which 
multiple Hound components connect. The Vault is responsible for audit policy 
configuration, credential storage, and audit data indexing and storage. 
Hounds are responsible for enforcing audit policies on the traffic that goes 
through them. 

The CryptoAuditor components are delivered either as a pre-installed 
hardware appliance, as an ISO image that can be used to install 
CryptoAuditor on VMware, or as an Amazon Machine Image (AMI) for launching 
in Amazon EC2. When deployed, the appliance can take the role of the Vault 
or a remote Hound. The Vault can also provide Hound functionality as it 
includes an internal Hound (Cafall).

For instructions on setting up the CryptoAuditor appliance, refer to 
CryptoAuditor Administrator Manual.


1.1  Upgrading from Earlier Versions
------------------------------------

NOTE:
Upgrading to this release from any previous version requires a full 
system upgrade, because appliance OS components have also been updated.


For instructions on upgrading your system from previous CryptoAuditor 
releases, refer to CryptoAuditor Administrator Manual or CryptoAuditor 
System Upgrade Guide.

**********************************************************************
CAUTION:
CryptoAuditor 2.x requires an AMD64 or Intel 64 compatible processor 
with Advanced Encryption Standard New Instructions (AES-NI) support. 
If your hypervisor host machine's processor does not support AES-NI,
you cannot deploy CryptoAuditor 2.x on the host or upgrade existing
CryptoAuditor 1.5 to 2.x.

Before upgrading your existing CryptoAuditor 1.5 installation, please 
verify the AES-NI support from the processor specifications.
**********************************************************************

**********************************************************************
CAUTION:
Upgrading CryptoAuditor 2.0.x, or earlier, will migrate old gateway users, 
user groups, and user mappings into the new internal credential Vault, 
which provides extended options and API-based management for them.

Existing user mappings will be automatically migrated during upgrade. 
However, due to extended functionality, some of the old mappings may no 
longer behave as before the upgrade.

If you have user mapping rules created in version 2.0.x, or earlier, verify 
that the user mappings work as intended after the upgrade.

For more information on the new user and credential functionality, see 
CryptoAuditor Administrator Manual.
**********************************************************************


1.2  What's New in This Release?
--------------------------------

Release 2.4.1 addresses some issues found in previous releases, described
in detail under section 2. Bug Fixes and Minor Features.
 
2.   Bug Fixes and Minor Features
---------------------------------


CryptoAuditor 2.4.1
-------------------

- [54609] Fixed an issue that prevented audited traffic from reaching the
  destination server if it was not on the same L2 network segment as the
  Hound. Audited traffic was incorrectly sent with an IP TTL of 1.

- [55273] Improved VLAN NAT: L2 source-address resolution with ARP is now
  also possible over gateways that do not support proxy ARP.

- [56574] Fixed an issue with upgraded remote hounds unnecessarily 
  attempting to run session-cleanup cron jobs.

- [57129] Denying "clipboard out" no longer denies file uploads and pasting
  text.


CryptoAuditor 2.4.0
-------------------

The following minor features have been added in CryptoAuditor 2.4.0:

- Ability to set an LDAP user group as UI superusers

- Option to auto-disconnect long sessions

The following bugs have been fixed in CryptoAuditor 2.4.0:

- [47299] audit-storage-ctl search now prints the correct result count.

- [53518] The time zone setting is now also available for the LDAP admin
  account.

- [53391] The NTP vulnerability CVE-2016-7434 is fixed.

- [54533] SSH auditing: the unexpected "Connection_rejected" event no longer
  appears in log entries.


3.   Known Issues
-----------------

The following issues are currently known in CryptoAuditor 2.4.0:


Deployment and setup
--------------------

- [30357] Setup: If the management IP address is left empty in the initial
  setup, CryptoAuditor sets the factory default IP address to the management
  interface. The management interface will not be fully disabled.

- [40134] VM: Changing the network interface type (e.g. from E1000 to VMXNET3)
  after initial installation is not supported.


Vault
-----

- [21529] Backup: If a system backup has failed, the failed backup file may
  still appear in the list of backups even though it cannot be restored.

- [32056] Archive: If the Archive connection data has been removed from the
  CryptoAuditor UI, connections from that archive can no longer be purged.
  Even when "Always purge metadata" is enabled, the purge process will end in
  an error.

- [34357] Vault: On rare occasions, the index database may become corrupted.
  Purging or archiving a corrupted database will fail. If this happens, the
  workaround is to remove the index before purging and then re-index the
  connections.

- [34867] Vault: Indexing a large number of connections may cause performance
  degradation in the system.

- [35348] Vault: The UI erroneously reports indexing as ready for SFTP, even
  though indexing of transferred files may still be ongoing.

- [40823] Backup: After restoring a backup, the admin UI is not started
  automatically. You must restart it manually from the command line by running
  "apachectl restart".

- [41360] Archive: When archive settings are removed from CryptoAuditor, the
  associated scheduled jobs are not removed. This will later show as a "failed
  to purge" error.

- [41746] Archive: Note that automated archiving does not remove audited
  connection data from local Vault storage unless the "Automate purging"
  option is also selected. In manual archiving, archiving and purging from
  Vault storage are always done together.

- [42965] ICAP: Real-time inspection of the SSH exec channel cannot be used
  for real-time blocking of commands.

- [50825] Alerts: Some RDP client and server combinations may produce a false
  "Disconnected" alert when opening the connection, even though the connection
  remains open.

- [52335] Vault: Elliptic curve algorithms do not work in FIPS mode.


Hound
-----

- [30639] Rules: If you use bastion listeners with forced targets, put any
  REJECT rules last, because they match when target host information is
  absent, even if their criteria specify hosts or ports.

- [34451] Rules: Matching based on bastion listener takes precedence over
  matching based on other criteria. However, this is not clearly indicated in
  the UI.

- [51188] Hound: When remote Hounds are used with the "Allow" failure model
  and key mirroring, user mappings that use credentials for local users do not
  work.

- [52535] Hound: Changing the RADIUS shared secret may leave the Hound out of
  sync with the Vault. This affects cases where the Vault is down and
  connections go through the Hound unaudited.

- [56574] Hound: After a fresh install, remote hounds still run session
  cleanup cron jobs. This causes extra alerts to appear in the Vault's log at
  5-minute intervals. The workaround is to run 'crontab -r -u auditor' on
  each remote hound.

SSH auditing
------------

- [19787] SSH: When indexing of transferred file contents is enabled,
  transfers of a large number (10,000s) of small files in succession can cause
  the Vault Storage to stop auditing.

- [23149] SSH: A private key created by PuTTY cannot be used in a user mapping
  as the target user's private key.

- [41729] SSH: When the audited user is using PuTTY client and manual
  authorization is required, the authorization message is displayed only AFTER
  the session has been authorized.


RDP auditing
------------

- [22899] RDP: When RDP Drive Redirection is being audited and the audit level
  has been set to Full session, the connection details may show several
  desktop.ini files as transferred. These are automatically generated by
  Windows.

- [22900] RDP: When a file is transferred over RDP Drive Redirection or
  clipboard and the audit level has been set to Full session, the file may be
  shown several times under connection details and session log.

- [24648] RDP: Connections that go through Remote Desktop Gateway (RDGW)
  before being audited by CryptoAuditor may show increased latency during the
  connection.

- [36195] RDP/Replay: When terminal applications, such as Tectia SSH Client,
  are run in RDP sessions to older Windows versions, the terminal content may
  show as garbled during the replay.

- [47954] RDP: The RDP "sound" channel can be passed through CryptoAuditor and
  stored, but it cannot be played back.

- [48458] RDP: When a user successfully passes gateway authentication as LDAP
  or local user, but a matching user mapping is not found, the user is allowed
  a logon prompt on the target host.

- [50306] SSH/RDP: Recursive auditing of SSH-tunneled RDP connections that
  require the use of Network Level Authentication is not currently supported.
  Depending on your security requirements, the workaround is to disable NLA
  from the target server OR use the metadata audit level for the SSH Local
  Tunnels channel.

- [51507] RDP: The clipboard does not work when the connection is disconnected
  without logging out.

- [52855] RDP: If clipboard download is denied, a file copy will erase the
  original file on a replace action.

- [53136] Hound: Remote Hound pass-through works only if the Hound is
  restarted after the Vault connection is lost.

- [53227] RDP: Device mapping does not work with Windows Server 2008 R2.

- [53918] RDP: TLS is required to enable the clipboard and device channels.

- [57599] RDP: Bastion connection syntax: An all-channel deny rule as the
  first rule causes a flat-out "rejected by policy" disconnect. A partial
  channel deny rule (for example, clipboard denied) as the first rule causes
  the clipboard allow in a later matching rule to be ignored.
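The two ordering issues above ([30639] REJECT rules matching when the target is unknown, and [57599] a channel deny rule placed first shadowing a later allow) are both consequences of first-match evaluation. The following is an added illustrative simulation, not CryptoAuditor's own rule engine; the rule attributes, the sample hosts and ports, and the assumption that a criterion on an attribute that is not yet known counts as matched are all constructed here to reproduce the behaviour the notes describe.

```python
# Added example: first-match policy evaluation illustrating why rule order
# matters for bastion listeners. Illustrative only; the matching semantics
# are assumed from the known issues, not taken from CryptoAuditor code.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "ALLOW" or "REJECT"
    host: Optional[str] = None                    # None means "any host"
    port: Optional[int] = None                    # None means "any port"
    denied_channels: FrozenSet[str] = frozenset() # RDP channels this rule denies


@dataclass(frozen=True)
class Connection:
    # Target is None while a bastion listener has not yet learned where the
    # user wants to go (the "absence of target host information" case).
    target_host: Optional[str] = None
    target_port: Optional[int] = None


def criterion_matches(wanted, actual) -> bool:
    """Assumed semantics: a criterion that cannot be evaluated because the
    attribute is still unknown (None) counts as matched. This is what makes a
    REJECT rule placed first match every bastion connection, whatever host or
    port its criteria name."""
    if wanted is None or actual is None:
        return True
    return wanted == actual


def first_matching_rule(rules: List[Rule], conn: Connection) -> Optional[Rule]:
    """First-match evaluation: the first rule whose criteria match decides."""
    for rule in rules:
        if (criterion_matches(rule.host, conn.target_host)
                and criterion_matches(rule.port, conn.target_port)):
            return rule
    return None


# Constructed sample rules for the [30639] case (SSH bastion with forced targets).
ALLOW_JUMP = Rule("allow-jumphost", "ALLOW", host="10.0.0.5", port=22)
REJECT_PROD = Rule("reject-prod-db", "REJECT", host="10.0.0.9", port=22)


def decision_with_reject_first() -> str:
    """REJECT rule first: it matches the target-less bastion connection."""
    return first_matching_rule([REJECT_PROD, ALLOW_JUMP], Connection()).action


def decision_with_reject_last() -> str:
    """REJECT rule last: the ALLOW rule is evaluated first and wins."""
    return first_matching_rule([ALLOW_JUMP, REJECT_PROD], Connection()).action


# Constructed sample rules and connection for the [57599] case (RDP channels).
RDP_CHANNELS = frozenset({"clipboard", "drive", "sound"})
DENY_CLIPBOARD_ANY = Rule("deny-clipboard", "ALLOW",
                          denied_channels=frozenset({"clipboard"}))
DENY_ALL_CHANNELS = Rule("deny-all-channels", "ALLOW", denied_channels=RDP_CHANNELS)
ALLOW_RDP_HOST = Rule("allow-rdp-host", "ALLOW", host="10.0.0.7", port=3389)
RDP_CONN = Connection(target_host="10.0.0.7", target_port=3389)


def rdp_outcome(rules: List[Rule], conn: Connection) -> str:
    """Outcome of an RDP connection under first-match evaluation. Denying every
    channel is treated as a policy rejection, mirroring the "rejected by
    policy" disconnect described in the known issue."""
    rule = first_matching_rule(rules, conn)
    if rule is None or rule.action == "REJECT" or rule.denied_channels >= RDP_CHANNELS:
        return "rejected by policy"
    if rule.denied_channels:
        return "allowed, denied channels: " + ",".join(sorted(rule.denied_channels))
    return "allowed"


if __name__ == "__main__":
    print("REJECT first:", decision_with_reject_first())   # REJECT
    print("REJECT last: ", decision_with_reject_last())    # ALLOW
    print("all-deny first:", rdp_outcome([DENY_ALL_CHANNELS, ALLOW_RDP_HOST], RDP_CONN))
    print("clipboard-deny first:", rdp_outcome([DENY_CLIPBOARD_ANY, ALLOW_RDP_HOST], RDP_CONN))
    print("allow first:", rdp_outcome([ALLOW_RDP_HOST, DENY_CLIPBOARD_ANY], RDP_CONN))
```

The practical takeaway for reviewing a rule set is the same in both cases: under first-match evaluation, a broad rule placed before a specific one decides for every connection the specific rule was meant to cover, so broad deny rules belong after the specific allows and rule simulation should be run with the target left unset to see what a bastion listener will actually do.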

Connections and Reports
-----------------------

- [22735] Search: Currently only simple asterisk (*) wildcard at the end of
  the search term is supported in keyword searches. Words that are connected
  by special characters may not be found if the beginning of the text pattern
  is not included in the search term.

- [38362] HTTP/Search: For HTTP sessions, search may return the same
  connection multiple times in the search results.

- [38945] UI/Search: Indexing does not work properly for command-line user
  input that contains tab auto-completion. As a result, a search in the admin
  UI for such a keyword will not return search hits.


Session replay
--------------

- [27390] UI/Replay: When viewing the Full trail view of an SSH connection
  after a keyword search, not all search hits are necessarily highlighted. You
  can find the search hits using the normal browser text search.

- [35852] Replay: When going to LIVE replay, the time counter may lag behind
  the real time even though the actual replay would be near real time.


Configuration UI
----------------

- [19350] UI: When viewing the Policy -> Stored Hostkeys page, if the number
  of accepted target server host keys grows large (1000+), only the first 1000
  keys are shown. The list can be filtered to show keys that are not initially
  shown.

- [19638] SSH/UI: File transfers using the OpenSCP protocol are not shown in
  UI as files. However, if text files are transferred with SCP1, their content
  can be seen in Full trail view and can be searched if indexing has been
  enabled.

- [20506] UI/Hound: When defining custom routing tables for a Hound, if an
  invalid route is accidentally entered, the UI erroneously gives a
  "Configuration updated successfully" message even though the invalid route
  is actually ignored by the Hound.

- [25718] UI/RBAC: The "View/Manage CryptoAuditor system settings and logs"
  permissions also give permission to view audited connection events under
  System Events.

- [31037] UI/Rules: Rule simulation does not do name server lookups and may
  fail to give a correct result when domain names are used.

- [38052] UI: Multiple simultaneous admin users may lock the UI database,
  which causes INTERNAL SERVER ERROR to appear during UI actions.
  Workaround: In this case, wait a moment until the database lock is freed.
  If this does not help, restart the HTTP server from the CLI by running
  "service apache24 restart".

- [38670] UI: Rejecting or terminating a connection that is pending manual
  authorization sometimes incorrectly shows an error message "Failed to
  disconnect connection...", even though the connection is actually rejected
  and closed properly.

- Saved passwords may effectively prevent forms that contain any password
  fields from working properly. We recommend that you prevent your web browser
  from automatically saving your passwords for CryptoAuditor admin UI.
  That is, either disable "Remember passwords of sites" feature completely,
  or add an exception for CryptoAuditor Vault's IP address and/or FQDN.



4.   Further Information
------------------------

  For information on contacting SSH Support, see 
  http://www.ssh.com/services/technical-support

  For purchasing information, see 
  http://www.ssh.com/partners