Date: April 12 2025

Security Bulletin S25-01

Description

Certain vulnerabilities were identified in the End of Life (EOL) OVA-based Connect component, which is deployed in the customer's internal network for installation purposes. This EOL component was deprecated in September 2023, with end of support extended until January 2024.

Note: These vulnerabilities are present only in the EOL OVA-based Connect deployment.

CVEs have been published for the identified OVA-related vulnerabilities, along with recommended remediation actions.

In addition to the above, the following misconfigurations were also identified; each could introduce additional risk to the system that hosts the EOL SC2.0 client.

  1. During installation of the SC2.0 client, the SELinux component was configured to run in a disabled state.
  2. A few binary files belonging to the SC2.0 client were given excessive read and write permissions.
  3. The secondary TLS authentication control in the SC2.0 handshake process had a weakness in its encryption mechanism because a common (shared) key was used.

Note: The above configurations have been called out in the documentation portal, but we want to mention them explicitly in this bulletin, given the security risks associated with these configurations in the EOL OVA-based Connect component.
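The first two misconfigurations can be verified on the host itself. The following audit helper is an added example, not Saviynt tooling or part of the bulletin; it checks that SELinux reports Enforcing and that no file under the client directory is group- or world-writable. The default path /opt/sc2.0 is a placeholder assumption: pass the real SC2.0 client directory.

```shell
#!/bin/sh
# Added audit helper, not Saviynt's own tooling. Checks a host for the first two
# misconfigurations in the bulletin: SELinux not enforcing, and client files that
# are writable by group or others. The install directory is an assumption.

# True when the SELinux mode string (as printed by getenforce) is "Enforcing".
selinux_ok() {
    [ "$1" = "Enforcing" ]
}

# Lists regular files under $1 that are group- or world-writable, one per line.
# Returns 1 when at least one such file exists, 0 when the tree is clean.
loose_perm_files() {
    found=$(find "$1" -type f \( -perm -g+w -o -perm -o+w \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Runs both checks against a directory; returns non-zero if anything fails.
audit_host() {
    # /opt/sc2.0 is a placeholder: pass the real SC2.0 client directory.
    dir="${1:-/opt/sc2.0}"
    rc=0
    mode=$(getenforce 2>/dev/null || echo "Unknown")
    if selinux_ok "$mode"; then
        echo "OK   SELinux is $mode"
    else
        echo "FAIL SELinux is $mode (expected Enforcing)"; rc=1
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL client directory $dir not found"; return 1
    fi
    if out=$(loose_perm_files "$dir"); then
        echo "OK   no group/world-writable files under $dir"
    else
        echo "FAIL group/world-writable files under $dir:"; echo "$out"; rc=1
    fi
    return $rc
}

# Usage: sh audit.sh --audit /path/to/sc2.0
if [ "${1:-}" = "--audit" ]; then
    audit_host "${2:-}"
    exit $?
fi
```

A FAIL on the permission check lists the offending files so they can be tightened to owner-write only; a FAIL on SELinux means the host should be switched to Enforcing per the documentation portal.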

Action Required

Customers are advised to review and follow the mitigation steps in this documentation link to address these vulnerabilities and misconfigurations.

Credits

Achmea Security Assessment Team (SAT)

Contact Information

Any questions may be directed to security@saviynt.com
