Release Notes for CryptoAuditor 2.2.3
-------------------------------------

13 February 2017

(C) 2012-2017 SSH Communications Security Corporation
This software is protected by international copyright laws.
All Rights Reserved.

------------------------------------------------------------

Table of Contents

1. About This Release
   1.1 Upgrading from Earlier Versions
   1.2 What's New in This Release?
2. Bug Fixes and Minor Features
3. Known Issues
4. Further Information


1. About This Release
-----------------------

During internal testing it was found that SSH CryptoAuditor versions between 1.5.0 and 2.2.2 allow remote unauthorized privileged access to the CryptoAuditor management SSH server on IP port 4772. Therefore an IMMEDIATE FULL SYSTEM UPGRADE to the provided fixed version as soon as possible IS NECESSARY. We strongly recommend taking a snapshot before proceeding with the upgrade.

For more information about the vulnerability, contact SSH support at https://support.ssh.com/

CryptoAuditor is a solution for controlling and monitoring privileged access over Secure Shell (SSH), Remote Desktop (RDP), HTTP(S), and other TCP/TLS connections.

CryptoAuditor consists of a central Vault component to which multiple Hound components connect. The Vault is responsible for audit policy configuration, credential storage, and audit data indexing and storage. Hounds are responsible for enforcing audit policies on the traffic that goes through them.

The CryptoAuditor components are delivered either as a pre-installed hardware appliance, as an ISO image that can be used to install CryptoAuditor on VMware, or as an Amazon Machine Image (AMI) for launching in Amazon EC2. When deployed, the appliance can take the role of the Vault or a remote Hound. The Vault can also provide Hound functionality, as it includes an internal Hound (Cafall).

For instructions on setting up the CryptoAuditor appliance, refer to the CryptoAuditor Administrator Manual.
1.1 Upgrading from Earlier Versions
------------------------------------

For instructions on upgrading your system from previous CryptoAuditor releases, refer to the CryptoAuditor Administrator Manual or the CryptoAuditor System Upgrade Guide.

NOTE: Upgrading to this release requires a full system upgrade, because appliance OS components have also been updated.

**********************************************************************
CAUTION: CryptoAuditor 2.x requires an AMD64 or Intel 64 compatible processor with Advanced Encryption Standard New Instructions (AES-NI) support. If your hypervisor host machine's processor does not support AES-NI, you cannot deploy CryptoAuditor 2.x on the host or upgrade an existing CryptoAuditor 1.5 to 2.x. Before upgrading your existing CryptoAuditor 1.5 installation, please verify the AES-NI support from the processor specifications.
**********************************************************************

**********************************************************************
CAUTION: Upgrading CryptoAuditor 2.0.x, or earlier, will migrate old gateway users, user groups, and user mappings into the new internal credential Vault, which provides extended options and API-based management for them. Existing user mappings will be automatically migrated during upgrade. However, due to the extended functionality, some of the old mappings may no longer behave as they did before the upgrade. If you have user mapping rules created in version 2.0.x, or earlier, verify that the user mappings work as intended after the upgrade. For more information on the new user and credential functionality, see the CryptoAuditor Administrator Manual.
**********************************************************************

1.2 What's New in This Release?
--------------------------------

Release 2.2 adds the following new features:

* RDP improvements
  - RDP/Network Level Authentication support
  - RDP 10.0 support
  - RDP multi-monitor support

* Bridge/VLAN auditing improvements: CryptoAuditor Hounds deployed in the bridge mode can now audit traffic in several VLANs.

* Management API extensions and revamped host group UI
  - Manage host groups via API and UI.
  - Manage time-restricted access tokens and user mappings via API and UI.


2. Bug Fixes and Minor Features
---------------------------------

The changes and fixes listed below are relative to the CryptoAuditor 2.1.3 release.

CryptoAuditor 2.2.3
-------------------

During internal testing it was found that SSH CryptoAuditor versions between 1.5.0 and 2.2.2 allow remote unauthorized privileged access to the CryptoAuditor management SSH server on IP port 4772. Therefore an IMMEDIATE FULL SYSTEM UPGRADE to the provided fixed version as soon as possible IS NECESSARY. We strongly recommend taking a snapshot before proceeding with the upgrade.

For more information about the vulnerability, contact SSH support at https://support.ssh.com/

The following minor features have been added in CryptoAuditor 2.2.3:

- UI: Added admin password policy settings. The settings are enforced on password change.

The following bugs have been fixed in CryptoAuditor 2.2.3:

- [51650] UI: Fixed displaying user input as HTML in some pages.

CryptoAuditor 2.2.2
-------------------

The following bugs have been fixed in CryptoAuditor 2.2.2:

- [51676] RDP: Fixed a memory leak in the RDP servant.

CryptoAuditor 2.2.1
-------------------

The following bugs have been fixed in CryptoAuditor 2.2.1:

- [39788] Amazon EC2: When rebooting CryptoAuditor instances, the instances are up within minutes. Earlier it took up to 15 minutes to reboot a CryptoAuditor instance.

- [45183] Vault: An ongoing indexing process no longer prevents scheduled archive or backup jobs.

- [50777] Vault: Fixed authentication key revision processing.
  With the authentication key mirroring feature and 1000s of stored mapped user credentials, modifications to credentials caused a noticeable increase in system I/O load because all the credentials were mirrored from the Vault to the Hounds.

- [50784] Vault: In authentication key mirroring from Vault to Hound, fixed a bug that caused the feature to be effectively enabled even when disabled in the CryptoAuditor configuration.

- [50823] Archive: Fixed an issue that prevented adding a new archive server configuration in the CryptoAuditor 2.2.0 release.

CryptoAuditor 2.2.0
-------------------

The following minor features have been added in CryptoAuditor 2.2.0:

- UI: The Alerts page has been revamped. It is now possible to select "All alerts" to send all CryptoAuditor system events to an external SIEM/syslog collector.

- SSH: Recursive auditing of TCP and HTTP connections tunneled inside SSH is now supported.

The following bugs have been fixed in CryptoAuditor 2.2.0:

- [44165] RDP: Fixed auditing of the clipboard when the user@host bastion mode syntax is used for connecting.

- [47882] RDP: The clipboard is now enabled also after disconnecting and reconnecting the RDP session.

- [48020] Amazon EC2: System upgrade of Amazon EC2 instances to version 2.2.x is now supported.

- [49469] UI: It was possible to create duplicate bastion listeners in the Hound configuration, which led to error situations. This is now prevented.
  NOTE: When upgrading a previous version of CryptoAuditor that contains duplicate listeners, the duplicates are now removed from the configuration. If they were used as rule selection criteria, the criteria are removed as well. Please verify your auditing rules after the upgrade.


3. Known Issues
-----------------

The following issues are currently known in CryptoAuditor 2.2.1:

Deployment and setup
--------------------

- [25718] UI/RBAC: The "View/Manage CryptoAuditor system settings and logs" permissions also give permission to view audited connection events under System Events.
- [27581] Hound: If NTP is not initially enabled for a remote Hound, it cannot be enabled afterwards from the UI. The workaround is to re-configure the Hound using a new ICB.

- [30357] Setup: If the management IP address is left empty in the initial setup, CryptoAuditor sets the factory default IP address on the management interface. The management interface will not be fully disabled.

- [33347] VM: Deploying CryptoAuditor on VMware Workstation 10 or 11 does not currently work automatically, because VMware does not assign the correct network interface device types to the interfaces. The workaround is to edit the .vmx file and verify that it contains the following lines, adding them if missing:

    ethernet0.virtualDev = "e1000"
    ethernet1.virtualDev = "e1000"
    ethernet2.virtualDev = "e1000"
    ethernet3.virtualDev = "e1000"

- [40134] VM: Changing the network interface type (e.g. from E1000 to VMXNET3) after initial installation is not supported.

Vault
-----

- [19787] SSH: When indexing of transferred file contents is enabled, transfers of a large number (10,000s) of small files in succession can cause the Vault Storage to stop auditing.

- [21529] Backup: If a system backup has failed, the failed backup file may still show on the list of backups even though it cannot be restored.

- [40823] Backup: After restoring a backup, the admin UI is not started automatically. You must restart it manually from the command line by running "apachectl restart".

- [32056] Archive: If the Archive connection data has been removed from the CryptoAuditor UI, connections from that archive can no longer be purged. Even when "Always purge metadata" is enabled, the purge process will end in an error.

- [34357] Vault: On rare occasions, it is possible for the index database to become corrupted. Purging or archiving a corrupted database will fail. If this happens, the workaround is to remove the index before purging and then re-index the connections.

- [34867] Vault: Indexing a lot of connections may cause performance degradation in the system.
- [35348] Vault: The UI erroneously reports indexing ready for SFTP, even though indexing of transferred files may still be ongoing.

- [41360] Archive: When archive settings are removed from CryptoAuditor, the associated scheduled jobs are not removed. This will later show as a "failed to purge" error.

- [41746] Archive: Note that automated archiving does not remove audited connection data from local Vault storage unless the "Automate purging" option is also selected. In manual archiving, archiving and purging from Vault storage are always done in sync.

- [50657] API: When generating a new SSH user public/private key pair through the API on the Vault, and trying to automatically upload the user's public key to the target server using the API, every other key upload to the target server fails, producing the API error "500 Internal Server Error".

- [50825] Alerts: Some RDP client and server combinations may produce a false "Disconnected" alert when opening the connection, although the connection remains open.

Hound
-----

- [20506] UI/Hound: When defining custom routing tables for a Hound and accidentally giving an invalid route, the UI erroneously gives a "Configuration updated successfully" message even though the invalid route is actually ignored by the Hound.

- [30639] Rules: If using bastion listeners with forced targets, put any potential REJECT rules last, as they match in the absence of target host information, even if their criteria specify hosts or ports.

- [34444] Hound/SSH: DSA keys with a key size other than 1024 bits used as the Hound host key do not work against OpenSSH clients.

- [34451] Rules: Matching based on bastion listener takes precedence over matching based on other criteria. However, this is not clearly indicated in the UI.

SSH auditing
------------

- [19638] SSH/UI: File transfers using the legacy SCP1 protocol are not shown in the UI as files.
  However, if text files are transferred with SCP1, their content can be seen in the Full trail view and can be searched if indexing has been enabled.

- [23149] SSH: A private key created by PuTTY cannot be used in a user mapping as the target user's private key.

- [29194] Hound: If strict host-key checking is enabled, and a known host key has been added using the domain name, the connection will fail if the connection is made using an IP address (it typically is, except with a forced bastion address). The workaround is to add the known host key using the IP address.

- [41729] SSH: When the audited user is using the PuTTY client and manual authorization is required, the authorization message is displayed only AFTER the session has been authorized.

- [48351] SSH: When a user successfully passes gateway authentication as an LDAP or local user, but a matching user mapping is not found, the user is allowed a login prompt on the target host.

RDP auditing
------------

- [18923] RDP: When the RDP auditing action has been set to Deny, the RDP client tries to connect forever without success.

- [22899] RDP: When RDP Drive Redirection is being audited and the audit level has been set to Full session, the connection details may show several desktop.ini files as transferred. These are automatically generated by Windows.

- [22900] RDP: When a file is transferred over RDP Drive Redirection and the audit level has been set to Full session, the file may be shown several times under connection details.

- [24648] RDP: Connections that go through Remote Desktop Gateway (RDGW) before being audited by CryptoAuditor may show increased latency during the connection.

- [24804] RDP: When users are authenticated against the CryptoAuditor local user database and the authentication fails, the RDP client does not report this but tries to connect forever.
- [48458] RDP: When a user successfully passes gateway authentication as an LDAP or local user, but a matching user mapping is not found, the user is allowed a logon prompt on the target host.

- [49860] RDP: Contents of the clipboard channel are not audited when the audit level has been set to "Store output". Use the audit level "Store full session" when you want to audit clipboard contents.

- [50306] SSH/RDP: Recursive auditing of SSH-tunneled RDP connections that require the use of Network Level Authentication is not currently supported. Depending on your security requirements, the workaround is to disable NLA on the target server OR use the metadata audit level for the SSH Local Tunnels channel.

Connections and Reports
-----------------------

- [22735] UI/Search: Currently only a simple asterisk (*) wildcard at the end of the search term is supported in keyword searches. Words that are connected by special characters may not be found if the beginning of the text pattern is not included in the search term.

- [26511] UI/Search: The connection filters "VLAN id" and "Rule" do not match connections that have no channels (typically connections where authentication failed or something else caused early termination).

- [27564] UI/Search: When a keyword search matches millions of hits, the UI may be unable to display the search result.

- [38362] HTTP/Search: For HTTP sessions, search may return the same connection multiple times in the search results.

- [38945] UI/Search: Indexing does not work properly for command-line user input that contains auto-completion with the tabulator. As a result, a search in the admin UI for such a keyword will not return search hits.

Session replay
--------------

- [27390] UI/Replay: When viewing the Full trail view of an SSH connection after a keyword search, not all search hits are necessarily highlighted. You can find the search hits using the normal browser text search.
- [27561] RDP/Replay: Jumping to search hits in RDP connections may behave erratically depending on the browser version used.

- [35852] Replay: When going to LIVE replay, the time counter may lag behind the real time even though the actual replay is near real time.

- [36195] RDP/Replay: When terminal applications, such as Tectia SSH Client, are run in RDP sessions to older Windows versions, the terminal content may show as garbled during the replay.

Configuration UI
----------------

- [19350] UI: When viewing the Policy -> Known Hosts page, if the number of accepted target server host keys grows large (1000+), only the first 1000 keys are shown. The list can be filtered to show keys that are not initially shown.

- [19479] UI: After attempting to Save a configuration, if there are errors in it, only the fields with errors are highlighted. Other fields that have been changed are no longer highlighted.

- [22564] UI: No message is logged to system events when archive or backup settings (including scheduling) are changed.

- [27318] UI/Hound: If the Hound host key is recreated but the configuration change is discarded, the UI will show the Hound host key as empty. In reality the newly generated host key is used.

- [31037] UI/Rules: Rule simulation does not do name server lookups and may fail to give a correct result when domain names are used.

- [38052] UI: Multiple simultaneous admin users may lock the UI database, which causes INTERNAL SERVER ERROR to appear during UI actions. Workaround: wait a moment until the database lock is freed. If this does not help, restart the HTTP server from the CLI by running "service apache24 restart".

- [38670] UI: Rejecting or terminating a connection that is pending manual authorization sometimes incorrectly shows the error message "Failed to disconnect connection...", even though the connection is actually rejected and closed properly.
- [40117] Configuration: If you change the external authorization server's URL, you must manually commit the policy configuration to the Hounds by running 'Apply' in the pending changes for the new URL to become effective.

- Saved passwords may effectively prevent forms that contain any password fields from working properly. We recommend that you prevent your web browser from automatically saving your passwords for the CryptoAuditor admin UI. That is, either disable the "Remember passwords of sites" feature completely, or add an exception for the CryptoAuditor Vault's IP address and/or FQDN.


4. Further Information
------------------------

For information on contacting SSH Support, see http://www.ssh.com/services/technical-support

For purchasing information, see http://www.ssh.com/partners