Vidyo Server Security Update 20 (SU20) provides existing WebRTC 3.2 servers with updated packages and package configurations to address most known and current vulnerabilities (CVEs) at the time of the release of this Update, as noted in common OS and package security bulletins.
The updates and configuration changes applied by SU20 are outlined in this article below.
If you have an on-premises WebRTC 3.2. Server, all the information in this article applies to you. In particular, you must follow the steps in the "Applying Security Update 20" section in order to physically perform the update.
If you are a cloud customer, Vidyo will install SU20 for you; however, you may want to read this article to understand the system changes that take place when SU20 is applied.
Important Notices
- This update is applicable to all maintained Vidyo servers. For more information, please refer to the Vidyo Software Maintenance Policy.
Security Update 20 Files
This SU20 file... | Is for... |
---|---|
vidyo-webrtc-3.2.2.0010-FF58P-bundle- v1175.vidyo | VidyoWebRTC Server version 3.2.2 |
Do not install SU20 on a version earlier than the versions listed in the preceding table. If SU20 is run on an unsupported version, the updater will exit and post a message in the updater log.
System Changes Performed by Security Update 20
Important Security Changes
As a security improvement, SU20 disables the advertising of the version banner of the TURN server. To do this, SU20 deprecates support of TLS 1.0 and TLS 1.1 on the HTTPS web interface and the TURN TLS interface. After this update, the Vidyo WebRTC server will advertise TLS 1.2 only over HTTPS enabled interfaces as well as TURN TLS.
Specific security-related package updates:
Java |
||
---|---|---|
Product | Previous Version | SU20 Version |
Vidyo WebRTC | JRE 1.8 Update 144 | JRE 1.8 Update 181 |
This SU updates the configuration to use the random Diffie-Hellman parameters file (2048 bits).
Apache Web Server |
||
---|---|---|
Product | Previous Version | SU20 Version |
Vidyo WebRTC | 2.4.27 with OpenSSL 1.0.2k | 2.4.35 with OpenSSL 1.0.2p |
Apache Tomcat |
||
---|---|---|
Product | Previous Version | SU20 Version |
Vidyo WebRTC | 8.0.47 | 8.0.53 |
OpenSSL Dynamic Library |
||
---|---|---|
Product | Previous Version | SU20 Version |
Vidyo WebRTC | OpenSSL 1.0.2k | OpenSSL 1.0.2p |
Cotum |
||
---|---|---|
Product | Previous Version | SU20 Version |
Vidyo WebRTC | 4.5.0.6 | 4.5.0.7 |
NodeJS |
||
---|---|---|
Product | Previous Version | SU20 Version |
Vidyo WebRTC | 6.11.2 | 6.14.3 |
OpenSSH |
||
---|---|---|
Product | Previous Version | SU20 Version |
Vidyo WebRTC | 7.5p1 (OpenSSL 1.0.2k) | 7.8p1 (OpenSSL 1.0.2p) |
OpenSSH Security Improvements
- Devices are now configured to time out after 60 seconds for incomplete or broken SSH sessions by setting LoginGraceTime to 60 seconds.
- Addresses a security scan issue “Diffie-Hellman group smaller than 2048 bits (tls-dh-prime-under-2048-bits)” by removing groups lower than 2048 bits from /etc/ssh/moduli.
- Adds the following cipher, HMAC. and exchange algorithm lines to the sshd_config.default to strengthen SSH encryption:
- aes128-ctr,aes192-ctr,aes256-ctr
- hmac-sha2-256,hmac-sha2-512
- ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
These improvements require an SSH client that supports the above listed ciphers, HMACs, and key exchange algorithms. SSH clients that do not support these mechanisms will not be able to connect. Most modern updated SSH clients usually support these mechanisms.
Linux® Kernel Update
- SU20 will update the Linux Kernel to 4.14.57
Known Issues after Successfully Applying Security Update 20
Some vulnerability scanners may report a low to moderate level vulnerability of “TCP timestamp response (generic-tcp-timestamp)” and/or “ICMP timestamp response”, even after Security Update 20 is successfully applied.
Description: The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps. At this time, Vidyo is reluctant to disable tcp_timestamps, as this could disrupt the packet communication needs of the protocols used for VidyoConferencing. Vidyo considers this vulnerability to be low, and this issue does not really affect the security of the Linux TCP stack in any meaningful way. ICMP may be blocked via a firewall to mitigate the ICMP specific tcp_timestamp issue.
Applying Security Update 20
If you have an on-premises VidyoWebRTC Server, you must perform the steps in this section to apply SU20. If you are a cloud customer, you can skip this section because Vidyo will perform the update for you.
VidyoWebRTC Server
To apply Security Update 20 for On-Premises:
- Log in to the Vidyo WebRTC Admin Configuration page: http://{Server IP or FQDN}.
- Click the Maintenance > Upgrade link.
- Click Choose File.
- Select and open the the vidyo-webrtc-3.2.2.0010-FF58P-bundle-v1175.vidyo file.
- Click Upgrade and Reboot on the Maintenance page.
The system will reboot after uploading the update package. - See Contacting Technical Support below for more information about getting assistance.
- Repeat steps 1 through 6 for each Vidyo WebRTC Server with the system.
- Test that each Vidyo WebRTC Server is functional.
The update process can take several minutes (allow 5 to 15 minutes for the process to complete once the server has stated it is restarting). You will not be able to access the system via the browser during the update process. After 15 minutes, you may manually refresh your browser to again access to the Vidyo WebRTC Server.
Contacting Technical Support
If you are a Vidyo Reseller or Vidyo End User with “Plus” coverage, please feel free to contact the Vidyo Customer Support team via email with any questions or if you need assistance.
- Phone: +1-866-99-VIDYO / +1-201-289-8597
- Email: support@vidyo.com
If you are a Vidyo End User without “Plus” coverage, please contact your Vidyo Reseller for further details.
Comments
0 comments
Please sign in to leave a comment.