
Security Updates


This article describes the Security Updates for VidyoPortal, VidyoRouter, VidyoGateway, and VidyoReplay.

 

Important Notices

  • If you have an on-premises VidyoPortal, before applying SU21, Vidyo highly recommends that you back up your database and then download the backup to your local machine.
  • This update is applicable to all maintained Vidyo servers. For more information, please refer to the Vidyo Software Maintenance Policy.

 


Security Update 21


Security Update 21: VidyoPortal and VidyoRouter

Vidyo Server Security Update 21 (SU21) provides existing Vidyo servers (VidyoPortals and VidyoRouters) with updated packages and package configurations to address most known and current vulnerabilities (CVEs) at the time of the release of this Update, as noted in common OS and package security bulletins.

The updates and configuration changes applied by SU21 are outlined in this article below.

If you have an on-premises VidyoPortal and/or VidyoRouter, all the information in this article applies to you. In particular, you must follow the steps in the "Applying Security Update 21" section in order to physically perform the update.

If you are a cloud customer, Vidyo will install SU21 for you; however, you may want to read this article to understand the system changes that take place when SU21 is applied.

Security Update 21 Files 

This SU21 file...                          Is for...
Security_Update21-Rev016-G2signed.vidyo    VidyoPortal version 18.2.1 or later (with SU17)
Security_Update21-Rev016-G2signed.vidyo    VidyoRouter version 18.2.1 or later (with SU17)

Do not install SU21 on a version earlier than the versions listed in the preceding table. If SU21 is run on an unsupported version, the updater will exit and post a message in the updater log.

Updater Log

All updater messages are logged in an updater log file created during the update. This log file is used for any subsequent updates, and each updater will append its log messages to this file. At the end of the update process, this log file is then copied to a location that users can access and download for review via each product’s respective Web UI:

  • VidyoPortal: The updater log file is copied and available for download at Super Admin Pages > Settings > Maintenance > Database as follows: updat_{date}_{time}_{timezone}.log. The file can be downloaded or deleted as needed.
  • VidyoRouter (Standalone): The updater log file is copied and available for download at /vr2conf pages /Logs as follows: vr2.log.updates{date}_{time}_{timezone}. The file can only be downloaded; it cannot be deleted.

System Changes Performed by Security Update 21 

Specific security-related package updates: 

Java

Product       Previous SU Version   SU21 Version
VidyoPortal   JRE 1.8 Update 181    JRE 1.8 Update 201
VidyoRouter   JRE 1.8 Update 181    JRE 1.8 Update 201

This SU updates the configuration to use the random Diffie-Hellman parameters file (2048 bits).

Apache Web Server

Product       Previous SU Version           SU21 Version
VidyoPortal   2.4.35 with OpenSSL 1.0.2p    2.4.38 with OpenSSL 1.0.2q
VidyoRouter   2.4.35 with OpenSSL 1.0.2p    2.4.38 with OpenSSL 1.0.2q

Apache Tomcat

Product       Previous SU Version   SU21 Version
VidyoPortal   8.5.34                8.5.37
VidyoRouter   8.5.34                8.5.37

OpenSSL Dynamic Library

Product       Previous SU Version   SU21 Version
VidyoPortal   OpenSSL 1.0.2p        OpenSSL 1.0.2q
VidyoRouter   OpenSSL 1.0.2p        OpenSSL 1.0.2q

Wget

Product       Previous SU Version       SU21 Version
VidyoPortal   1.19.2 (OpenSSL 1.0.2p)   1.20 (OpenSSL 1.0.2q)
VidyoRouter   1.19.2 (OpenSSL 1.0.2p)   1.20 (OpenSSL 1.0.2q)

MySQL

Product       Previous SU Version   SU21 Version
VidyoPortal   5.6.41                5.6.43

OpenSSH

Product       Previous SU Version      SU21 Version
VidyoPortal   7.6p1 (OpenSSL 1.0.2p)   7.9p1 (OpenSSL 1.0.2q)
VidyoRouter   7.6p1 (OpenSSL 1.0.2p)   7.9p1 (OpenSSL 1.0.2q)

 

OpenSSH Security Improvements 

  • Devices are now configured to time out after 60 seconds for incomplete or broken SSH sessions by setting LoginGraceTime to 60 seconds.
  • Addresses a security scan issue “Diffie-Hellman group smaller than 2048 bits (tls-dh-prime-under-2048-bits)” by removing groups lower than 2048 bits from /etc/ssh/moduli.
  • Adds the following cipher, HMAC, and key exchange algorithm lines to the sshd_config.default to strengthen SSH encryption:
    • aes128-ctr,aes192-ctr,aes256-ctr
    • hmac-sha2-256,hmac-sha2-512
    • ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

These improvements require an SSH client that supports the above listed ciphers, HMACs, and key exchange algorithms. SSH clients that do not support these mechanisms will not be able to connect. Most modern updated SSH clients usually support these mechanisms.
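As an added example (not Vidyo tooling; the same OpenSSH changes are listed again in the VidyoGateway, VidyoReplay and SU20 sections), the POSIX shell helpers below audit the three changes above: filter a moduli file down to groups of at least 2048 bits, compare an sshd configuration file against the listed algorithm lines and LoginGraceTime, and apply the SSH negotiation rule that decides whether an older client can still connect. The file paths and sample inputs are assumptions.

```shell
#!/bin/sh
# Audit helpers for the SU21 OpenSSH hardening (constructed example, not
# Vidyo tooling). Default file locations are the stock OpenSSH ones.

# Algorithm lists and grace time exactly as listed in the SU21 notes.
REQ_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr'
REQ_MACS='hmac-sha2-256,hmac-sha2-512'
REQ_KEX='ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
REQ_GRACE='60'

# filter_moduli <in> <out>: copy only DH groups of at least 2048 bits.
# Column 5 of a moduli file is the modulus size; ssh-keygen records the bit
# length minus one (a 2048-bit group is listed as 2047), so 2047 is the cutoff.
# Comment lines are preserved. Prints the number of groups kept.
filter_moduli() {
    awk '/^#/ { print; next } $5 >= 2047 { print }' "$1" > "$2"
    awk '!/^#/ { n++ } END { print n + 0 }' "$2"
}

# sshd_directive <config> <keyword>: effective value of a keyword.
# sshd matches keywords case-insensitively and the first occurrence wins.
sshd_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_config <config>: compare the four SU21 settings with the file.
# Prints one line per mismatch; returns 0 only if all four match exactly.
check_sshd_config() {
    cfg="$1"; rc=0
    for pair in "Ciphers=$REQ_CIPHERS" "MACs=$REQ_MACS" \
                "KexAlgorithms=$REQ_KEX" "LoginGraceTime=$REQ_GRACE"; do
        key="${pair%%=*}"; want="${pair#*=}"
        have=$(sshd_directive "$cfg" "$key")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: have '${have:-<unset>}', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# negotiate_alg <client-list> <server-list>: the algorithm SSH will use.
# Per RFC 4253 section 7.1 it is the first name in the client's list that the
# server also offers. Prints the name; returns 1 when there is no overlap,
# which is exactly the "client cannot connect" case the notes warn about.
# The body runs in a subshell so the IFS change does not leak to the caller.
negotiate_alg() (
    IFS=','
    for c in $1; do
        case ",$2," in
            *",$c,"*) echo "$c"; exit 0 ;;
        esac
    done
    exit 1
)

# Example invocation on a live host (requires read access to /etc/ssh):
#   check_sshd_config /etc/ssh/sshd_config
#   filter_moduli /etc/ssh/moduli /tmp/moduli.safe
#   negotiate_alg "$(ssh -Q cipher | paste -sd, -)" "$REQ_CIPHERS"
```

Run the filtered moduli file through ssh-keygen -T before installing it if you regenerate groups rather than only pruning the vendor file.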

Linux® Kernel Update 

  • SU21 will update the Linux Kernel to 4.14.94

Known Issues after Successfully Applying Security Update 21

Some vulnerability scanners may report a low to moderate level vulnerability of “TCP timestamp response (generic-tcp-timestamp)” and/or “ICMP timestamp response”, even after Security Update 21 is successfully applied.

Description: The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps. At this time, Vidyo is reluctant to disable tcp_timestamps, as this could disrupt the packet communication needs of the protocols used for VidyoConferencing. Vidyo considers this vulnerability to be low, and this issue does not really affect the security of the Linux TCP stack in any meaningful way. ICMP may be blocked via a firewall to mitigate the ICMP specific tcp_timestamp issue.

After upgrading to Security Update 21 and rebooting the system, the wrong alert message displays stating “Applied” instead of “Applied system rebooting.”

Applying Security Update 21 

If you have an on-premises VidyoPortal and VidyoRouter, you must perform the steps in this section to apply SU21. If you are a cloud customer, you can skip this section because Vidyo will perform the update for you.

VidyoPortal without Hot Standby 

For VidyoPortals configured with Hot Standby, see VidyoPortal with Hot Standby.

  1. Log in to the VidyoPortal Super Admin pages:

    http://{Portal IP or FQDN}/super
  2. Navigate to Settings > Maintenance > Database.
  3. Click Backup to make a backup copy of the VidyoPortal database.
  4. Select the checkbox for the newly created database backup file.
  5. Click Download to download and save a copy of the database file.
  6. Navigate to Settings > Maintenance > Upgrade.
  7. Click Browse….
  8. Locate and select the appropriate .vidyo file (as noted in the Security Update 21 Files table above) from the file selection dialog box.
  9. Click Open.
  10. Click Upload.

    The system will reboot after uploading the update package.

    A copy of the updater log will be available for review. For more information, see Updater Log.
  11. Review the log to ensure the update completed successfully.

    A completed message will be noted near the end of the log file. If the log states the update did not complete or logged errors, review the log for the reason and address it as needed.

    See Contacting Technical Support below for more information about getting assistance.
  12. Test the VidyoPortal to ensure that it is functional. 

The update process can take several minutes (allow 5 to 15 minutes for the process to complete once the server has stated it is restarting). Do not attempt to refresh the browser and access the server until the process is complete. You will not be able to access the system via the browser during the update process. Once the update process is completed, your browser should refresh and you will be able to browse and log in to the system again. If your browser does not refresh to the login screen automatically after 30 minutes, then manually refresh your browser.

VidyoPortal with Hot Standby 

If you have a VidyoPortal configured with Hot Standby, you have two options for applying SU21:

  • Option 1 provides the least amount of down time, but may cause some Call Detail Records (CDRs) to be lost. This may occur because the VidyoPortal that is Active and the VidyoPortal that is Standby are switched, causing all database and CDR changes since the last successful synchronization to be lost.
  • Option 2 takes more time because you must take the system completely offline for full maintenance, but no CDR records will be lost.

Option 1 

With this option, you upgrade the Standby VidyoPortal first, sync the two VidyoPortals, and then switch VidyoPortals.

  1. Place the VidyoPortal that is currently the Standby VidyoPortal (i.e., VidyoPortal 2) into Maintenance mode.
  2. Apply SU21 to the VidyoPortal that is in Maintenance mode.
  3. Return the VidyoPortal to Standby mode by disabling Maintenance mode after the upgrade is complete and the server is restarted.
  4. Access the Super Admin pages on the Active VidyoPortal to ensure that the databases have been synchronized successfully:

    a.) Navigate to Settings > Hot Standby > Status.

    b.) Verify that the sync has completed by ensuring the Database Synchronization field displays that the databases are “In Sync.”
  5. Switch the VidyoPortals:

    a.) Navigate to Settings > Hot Standby > Status.

    b.) Click Force Standby.

    c.) Click Yes in the Confirmation dialog box to force the Active VidyoPortal into Standby mode.
  6. Place the previous Active VidyoPortal that is now the Standby VidyoPortal (i.e., VidyoPortal 1) into Maintenance mode after the VidyoPortals have been switched.
  7. Apply SU21 to the VidyoPortal that is in Maintenance mode.
  8. Return the VidyoPortal to Standby mode by disabling Maintenance mode after the upgrade is complete and the server is restarted.

Option 2

With this option, you place both servers into Maintenance mode, upgrade both, and then return them to their original Active and Standby modes.

  1. Place the VidyoPortal that is currently the Standby VidyoPortal (i.e., VidyoPortal 2) into Maintenance mode.
  2. Place the VidyoPortal that is currently the Active VidyoPortal (i.e., VidyoPortal 1) into Maintenance mode.
  3. Return the VidyoPortal that was originally the Active VidyoPortal (i.e., VidyoPortal 1) to Active mode first after the upgrades are complete and the servers have restarted.
  4. Return the VidyoPortal that was originally the Standby VidyoPortal (i.e., VidyoPortal 2) to Standby mode.

Standalone VidyoRouter 

  1. Log in to the Standalone VidyoRouter configuration pages:

    http://{Router IP or FQDN}/vr2conf
  2. Click the Upload tab.
  3. Click Upload and Upgrade.
  4. Locate and select the appropriate .vidyo file above for VidyoRouter.
  5. Click OK in the pop-up.

    The system will reboot after uploading the update package.

    A copy of the Updater log will be available for review. For more information, see Updater Log.
  6. Review the log to ensure the update completed successfully.

    A completed message will be noted near the end of the log file. If the log states the update did not complete or logged errors, review the log for the reason and address it as needed. See Contacting Technical Support for more information about getting assistance.
  7. Repeat steps 1 through 6 for each Standalone VidyoRouter in the system.
  8. Test that the VidyoPortal and each VidyoRouter are functional.

The update process can take several minutes (allow 5 to 10 minutes for the process to complete once the server has stated it is restarting). You will not be able to access the system via the browser during the update process. After 15 minutes, you may manually refresh your browser to gain access to the VidyoRouter.

 


Security Update 21: VidyoGateway

Vidyo Server Security Update 21 (SU21) provides existing VidyoGateway servers with updated packages and package configurations to address most known and current vulnerabilities (CVEs) at the time of the release of this Update, as noted in common OS and package security bulletins.

The updates and configuration changes applied by SU21 are outlined in this article below.

If you have an on-premises VidyoGateway, all the information in this article applies to you. In particular, you must follow the steps in the "Applying Security Update 21" section in order to physically perform the update.

If you are a cloud customer, Vidyo will install SU21 for you; however, you may want to read this article to understand the system changes that take place when SU21 is applied.

Security Update 21 Files 

This SU21 file...                            Is for...
Security_Update_21-VGW-bundle-v1375.vidyo    VidyoGateway version 3.5.2

Do not install SU21 on a version earlier than the versions listed in the preceding table. If SU21 is run on an unsupported version, the updater will exit and post a message in the updater log.

System Changes Performed by Security Update 21 

Apache Web Server

Product        Previous SU Version           SU21 Version
VidyoGateway   2.4.35 with OpenSSL 1.0.2q    2.4.38 with OpenSSL 1.0.2q

This SU updates the configuration to use the random Diffie-Hellman parameters file (2048 bits).

Apache Tomcat

Product        Previous SU Version   SU21 Version
VidyoGateway   8.5.35                8.5.37

OpenSSL Dynamic Library

Product        Previous SU Version   SU21 Version
VidyoGateway   OpenSSL 1.0.2p        OpenSSL 1.0.2q

Wget

Product        Previous SU Version       SU21 Version
VidyoGateway   1.19.2 (OpenSSL 1.0.2p)   1.20 (OpenSSL 1.0.2q)

OpenSSH

Product        Previous SU Version      SU21 Version
VidyoGateway   7.8p1 (OpenSSL 1.0.2p)   7.9p1 (OpenSSL 1.0.2q)

OpenSSH Security Improvements

  • Devices are now configured to time out after 60 seconds for incomplete or broken SSH sessions by setting LoginGraceTime to 60 seconds.
  • Addresses a security scan issue “Diffie-Hellman group smaller than 2048 bits (tls-dh-prime-under-2048-bits)” by removing groups lower than 2048 bits from /etc/ssh/moduli.
  • Adds the following cipher, HMAC, and exchange algorithm lines to the sshd_config.default to strengthen SSH encryption:
    • aes128-ctr,aes192-ctr,aes256-ctr
    • hmac-sha2-256,hmac-sha2-512
    • ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

These improvements require an SSH client that supports the above listed ciphers, HMACs, and key exchange algorithms. SSH clients that do not support these mechanisms will not be able to connect. Most modern updated SSH clients usually support these mechanisms.

Linux® Kernel Update

  • SU21 will update the Linux Kernel to 4.14.94

Known Issues after Successfully Applying Security Update 21

Some vulnerability scanners may report a low to moderate level vulnerability of “TCP timestamp response (generic-tcp-timestamp)” and/or “ICMP timestamp response”, even after Security Update 21 is successfully applied.

Description: The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps. At this time, Vidyo is reluctant to disable tcp_timestamps, as this could disrupt the packet communication needs of the protocols used for VidyoConferencing. Vidyo considers this vulnerability to be low, and this issue does not really affect the security of the Linux TCP stack in any meaningful way. ICMP may be blocked via a firewall to mitigate the ICMP specific tcp_timestamp issue.

Applying Security Update 21

If you have an on-premises VidyoGateway, you must perform the steps in this section to apply SU21. If you are a cloud customer, you can skip this section because Vidyo will perform the update for you.

  1. Log in to the VidyoGateway Configuration page:
    http://{Gateway IP or FQDN}
  2. Click the Upgrade Gateway link.
  3. Click Browse.
  4. Select and open the Security_Update_21-VGW-bundle-v1375.vidyo file.
  5. Click Upload and Install on the Upgrade Gateway page.
    The system will reboot after uploading the update package. A copy of the Updater log will be available for review.
    Note: The update process can take several minutes (allow 5 to 10 minutes for the process to complete once the server has stated it is restarting). You will not be able to access the system via the browser during the update process. After 15 minutes, you may manually refresh your browser to regain access to the VidyoGateway.
  6. Review the log to ensure the update completed successfully.
    A completed message will be noted near the end of the log file. If the log states the update did not complete or logged errors, review the log for the reason and address it as needed.
  7. See the "Contacting Technical Support" section of this article for more information about getting assistance.
  8. Repeat steps 1 through 6 for each VidyoGateway in the system.
  9. Test that each VidyoGateway is functional.

 


Security Update 21: VidyoReplay

Vidyo Server Security Update 21 (SU21) provides existing VidyoReplay servers with updated packages and package configurations to address most known and current vulnerabilities (CVEs) at the time of the release of this Update, as noted in common OS and package security bulletins.

The updates and configuration changes applied by SU21 are outlined in this article below.

If you have an on-premises VidyoReplay, all the information in this article applies to you. In particular, you must follow the steps in the "Applying Security Update 21" section in order to physically perform the update.

If you are a cloud customer, Vidyo will install SU21 for you; however, you may want to read this article to understand the system changes that take place when SU21 is applied.

Security Update 21 Files 

This SU21 file...                            Is for...
Security_Update_21_VRP_Rev016-signed.vidyo   VidyoReplay version 3.1.4(05) or later

Do not install SU21 on a version earlier than the versions listed in the preceding table. If SU21 is run on an unsupported version, the updater will exit and post a message in the updater log.

System Changes Performed by Security Update 21

Specific security-related package updates: 

Apache Web Server

Product       Previous SU Version           SU21 Version
VidyoReplay   2.4.35 with OpenSSL 1.0.2p    2.4.38 with OpenSSL 1.0.2q

 

This SU updates the configuration to use the random Diffie-Hellman parameters file (2048 bits).

OpenSSL Dynamic Library

Product       Previous SU Version   SU21 Version
VidyoReplay   OpenSSL 1.0.2p        OpenSSL 1.0.2q

Postgresql

Product       Previous SU Version   SU21 Version
VidyoReplay   9.3.24                9.3.24

OpenSSH

Product       Previous SU Version      SU21 Version
VidyoReplay   7.6p1 (OpenSSL 1.0.2p)   7.9p1 (OpenSSL 1.0.2q)

OpenSSH Security Improvements

  • Devices are now configured to time out after 60 seconds for incomplete or broken SSH sessions by setting LoginGraceTime to 60 seconds.
  • Addresses a security scan issue “Diffie-Hellman group smaller than 2048 bits (tls-dh-prime-under-2048-bits)” by removing groups lower than 2048 bits from /etc/ssh/moduli.
  • Adds the following cipher, HMAC, and exchange algorithm lines to the sshd_config.default to strengthen SSH encryption:
    • aes128-ctr,aes192-ctr,aes256-ctr
    • hmac-sha2-256,hmac-sha2-512
    • ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

These improvements require an SSH client that supports the above listed ciphers, HMACs, and key exchange algorithms. SSH clients that do not support these mechanisms will not be able to connect. Most modern updated SSH clients usually support these mechanisms.

Linux® Kernel Update

  • SU21 will update the Linux Kernel to 4.14.94

Known Issues after Successfully Applying Security Update 21

Some vulnerability scanners may report a low to moderate level vulnerability of “TCP timestamp response (generic-tcp-timestamp)” and/or “ICMP timestamp response”, even after Security Update 21 is successfully applied.

Description: The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps. At this time, Vidyo is reluctant to disable tcp_timestamps, as this could disrupt the packet communication needs of the protocols used for VidyoConferencing. Vidyo considers this vulnerability to be low, and this issue does not really affect the security of the Linux TCP stack in any meaningful way. ICMP may be blocked via a firewall to mitigate the ICMP specific tcp_timestamp issue.

Applying Security Update 21

If you have an on-premises VidyoReplay, you must perform the steps in this section to apply SU21. If you are a cloud customer, you can skip this section because Vidyo will perform the update for you.

Upgrading Your VidyoReplay

Before upgrading your VidyoReplay, put your server into Maintenance Mode.

 

To upgrade your VidyoReplay:

  1. Log in to the VidyoReplay using the default Super account. For more information, see Logging in to the VidyoReplay in the VidyoReplay Administrator Guide.
  2. Click the Settings link. For more information, see Accessing System Settings in the VidyoReplay Administrator Guide.
  3. Click the Maintenance tab.


    Note: The Choose File and Upload & Install fields only appear when your VidyoReplay is in Maintenance Mode. For more information, see Using Maintenance Mode in the VidyoReplay Administrator Guide.

    As the system warning indicates, “Upgrading will overwrite the current installation. VidyoReplay will reboot after the upgrade.”

  4. Click Choose File.
  5. Locate the Security Update 21 file above on your computer or network location.
  6. Click Open.
  7. Click Upload & Install.

 


Security Update 20


Security Update 20: VidyoPortal and VidyoRouter

Vidyo Server Security Update 20 (SU20) provides existing Vidyo servers (VidyoPortals and VidyoRouters) with updated packages and package configurations to address most known and current vulnerabilities (CVEs) at the time of the release of this Update, as noted in common OS and package security bulletins.

The updates and configuration changes applied by SU20 are outlined in this article below.

If you have an on-premises VidyoPortal and/or VidyoRouter, all the information in this article applies to you. In particular, you must follow the steps in the "Applying Security Update 20" section in order to physically perform the update.

If you are a cloud customer, Vidyo will install SU20 for you; however, you may want to read this article to understand the system changes that take place when SU20 is applied.

Security Update 20 Files 

This SU20 file...                          Is for...
Security_Update20-Rev013-G2signed.vidyo    VidyoPortal version 18.2.0 or later (with SU17)
Security_Update20-Rev013-G2signed.vidyo    VidyoRouter version 18.2.0 or later (with SU17)

 

Do not install SU20 on a version earlier than the versions listed in the preceding table. If SU20 is run on an unsupported version, the updater will exit and post a message in the updater log.

Updater Log

All updater messages are logged in an updater log file created during the update. This log file is used for any subsequent updates, and each updater will append its log messages to this file. At the end of the update process, this log file is then copied to a location that users can access and download for review via each product’s respective Web UI:

  • VidyoPortal: The updater log file is copied and available for download at Super Admin Pages > Settings > Maintenance > Database as follows: updat_{date}_{time}_{timezone}.log. The file can be downloaded or deleted as needed.
  • VidyoRouter (Standalone): The updater log file is copied and available for download at /vr2conf pages /Logs as follows: vr2.log.updates{date}_{time}_{timezone}. The file can only be downloaded; it cannot be deleted.

System Changes Performed by Security Update 20

Specific security-related package updates:

Java

Product       SU19 Version         SU20 Version
VidyoPortal   JRE 1.8 Update 181   JRE 1.8 Update 181
VidyoRouter   JRE 1.8 Update 181   JRE 1.8 Update 181

 

This SU updates the configuration to use the random Diffie-Hellman parameters file (2048 bits).

 

Apache Web Server

Product       SU19 Version                  SU20 Version
VidyoPortal   2.4.34 with OpenSSL 1.0.2o    2.4.35 with OpenSSL 1.0.2p
VidyoRouter   2.4.34 with OpenSSL 1.0.2o    2.4.35 with OpenSSL 1.0.2p

 

Apache Tomcat

Product       SU19 Version   SU20 Version
VidyoPortal   8.0.53         8.5.34
VidyoRouter   8.0.53         8.5.34

 

OpenSSL Dynamic Library

Product       SU19 Version     SU20 Version
VidyoPortal   OpenSSL 1.0.2o   OpenSSL 1.0.2p
VidyoRouter   OpenSSL 1.0.2o   OpenSSL 1.0.2p

 

Wget

Product       SU19 Version              SU20 Version
VidyoPortal   1.19.2 (OpenSSL 1.0.2o)   1.19.2 (OpenSSL 1.0.2p)
VidyoRouter   1.19.2 (OpenSSL 1.0.2o)   1.19.2 (OpenSSL 1.0.2p)

 

MySQL

Product       SU19 Version               SU20 Version
VidyoPortal   5.6.40 Community Edition   5.6.41 Community Edition

 

OpenSSH

Product       SU19 Version             SU20 Version
VidyoPortal   7.6p1 (OpenSSL 1.0.2o)   7.6p1 (OpenSSL 1.0.2p)
VidyoRouter   7.6p1 (OpenSSL 1.0.2o)   7.6p1 (OpenSSL 1.0.2p)

 

OpenSSH Security Improvements

  • Devices are now configured to time out after 60 seconds for incomplete or broken SSH sessions by setting LoginGraceTime to 60 seconds.
  • Addresses a security scan issue “Diffie-Hellman group smaller than 2048 bits (tls-dh-prime-under-2048-bits)” by removing groups lower than 2048 bits from /etc/ssh/moduli.
  • Adds the following cipher, HMAC, and key exchange algorithm lines to the sshd_config.default to strengthen SSH encryption:
    • aes128-ctr,aes192-ctr,aes256-ctr
    • hmac-sha2-256,hmac-sha2-512
    • ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

These improvements require an SSH client that supports the above listed ciphers, HMACs, and key exchange algorithms. SSH clients that do not support these mechanisms will not be able to connect. Most modern updated SSH clients usually support these mechanisms.

Linux® Kernel Update

  • SU20 will update the Linux Kernel to 4.14.57

Known Issues after Successfully Applying Security Update 20

Some vulnerability scanners may report a low to moderate level vulnerability of “TCP timestamp response (generic-tcp-timestamp)” and/or “ICMP timestamp response”, even after Security Update 20 is successfully applied.

Description: The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps. At this time, Vidyo is reluctant to disable tcp_timestamps, as this could disrupt the packet communication needs of the protocols used for VidyoConferencing. Vidyo considers this vulnerability to be low, and this issue does not really affect the security of the Linux TCP stack in any meaningful way. ICMP may be blocked via a firewall to mitigate the ICMP specific tcp_timestamp issue.

After upgrading to Security Update 20 and rebooting the system, the wrong alert message displays stating “Applied” instead of “Applied system rebooting.”

Applying Security Update 20

If you have an on-premises VidyoPortal and VidyoRouter, you must perform the steps in this section to apply SU20. If you are a cloud customer, you can skip this section because Vidyo will perform the update for you.

VidyoPortal without Hot Standby

For VidyoPortals configured with Hot Standby, see VidyoPortal with Hot Standby.

  1. Log in to the VidyoPortal Super Admin pages:
    http://{Portal IP or FQDN}/super
  2. Navigate to Settings > Maintenance > Database.
  3. Click Backup to make a backup copy of the VidyoPortal database.
  4. Select the checkbox for the newly created database backup file.
  5. Click Download to download and save a copy of the database file.
  6. Navigate to Settings > Maintenance > Upgrade.
  7. Click Browse….
  8. Locate and select the appropriate .vidyo file (as noted in the Security Update 20 Files table above) from the file selection dialog box.
  9. Click Open.
  10. Click Upload.

    The system will reboot after uploading the update package.

    A copy of the updater log will be available for review. For more information, see Updater Log.
  11. Review the log to ensure the update completed successfully.

    A completed message will be noted near the end of the log file. If the log states the update did not complete or logged errors, review the log for the reason and address it as needed.

    See Contacting Technical Support below for more information about getting assistance.
  12. Test the VidyoPortal to ensure that it is functional.

The update process can take several minutes (allow 5 to 15 minutes for the process to complete once the server has stated it is restarting). Do not attempt to refresh the browser and access the server until the process is complete. You will not be able to access the system via the browser during the update process. Once the update process is completed, your browser should refresh and you will be able to browse and log in to the system again. If your browser does not refresh to the login screen automatically after 30 minutes, then manually refresh your browser.

VidyoPortal with Hot Standby

If you have a VidyoPortal configured with Hot Standby, you have two options for applying SU20:

  • Option 1 provides the least amount of down time, but may cause some Call Detail Records (CDRs) to be lost. This may occur because the VidyoPortal that is Active and the VidyoPortal that is Standby are switched, causing all database and CDR changes since the last successful synchronization to be lost.
  • Option 2 takes more time because you must take the system completely offline for full maintenance, but no CDR records will be lost.

Option 1

With this option, you upgrade the Standby VidyoPortal first, sync the two VidyoPortals, and then switch VidyoPortals.

If you are using VidyoPortal 3.4.4 or later, do the following:

  1. Place the VidyoPortal that is currently the Standby VidyoPortal (i.e., VidyoPortal 2) into Maintenance mode.
  2. Apply SU20 to the VidyoPortal that is in Maintenance mode.
  3. Return the VidyoPortal to Standby mode by disabling Maintenance mode after the upgrade is complete and the server is restarted.
  4. Access the Super Admin pages on the Active VidyoPortal to ensure that the databases have been synchronized successfully:

    a.) Navigate to Settings > Hot Standby > Status.

    b.) Verify that the sync has completed by ensuring the Database Synchronization field displays that the databases are “In Sync.”
  5. Switch the VidyoPortals:

    a.) Navigate to Settings > Hot Standby > Status.

    b.) Click Force Standby.

    c.) Click Yes in the Confirmation dialog box to force the Active VidyoPortal into Standby mode.
  6. Place the previous Active VidyoPortal that is now the Standby VidyoPortal (i.e., VidyoPortal 1) into Maintenance mode after the VidyoPortals have been switched.
  7. Apply SU20 to the VidyoPortal that is in Maintenance mode.
  8. Return the VidyoPortal to Standby mode by disabling Maintenance mode after the upgrade is complete and the server is restarted.

 

Option 2

With this option, you place both servers into Maintenance mode, upgrade both, and then return them to their original Active and Standby modes.

  1. Place the VidyoPortal that is currently the Standby VidyoPortal (i.e., VidyoPortal 2) into Maintenance mode.
  2. Place the VidyoPortal that is currently the Active VidyoPortal (i.e., VidyoPortal 1) into Maintenance mode.
  3. Return the VidyoPortal that was originally the Active VidyoPortal (i.e., VidyoPortal 1) to Active mode first after the upgrades are complete and the servers have restarted.
  4. Return the VidyoPortal that was originally the Standby VidyoPortal (i.e., VidyoPortal 2) to Standby mode.

 

Standalone VidyoRouter

  1. Log in to the Standalone VidyoRouter configuration pages:
    http://{Router IP or FQDN}/vr2conf.z
  2. Click the Upload tab.
  3. Click Upload and Upgrade.
  4. Locate and select the appropriate .vidyo file (as listed in the Security Update 20 Files table for the VidyoRouter earlier in this article) for 64-bit VidyoRouters (64-bit VidyoRouters show “(64-bit)” in the Ver: name displayed on the Upload page).
  5. Click OK in the pop-up.

    The system will reboot after uploading the update package.

    A copy of the Updater log will be available for review. For more information, see Updater Log.
  6. Review the log to ensure the update completed successfully.

    A completed message will be noted near the end of the log file. If the log states the update did not complete or logged errors, review the log for the reason and address it as needed. See Contacting Technical Support for more information about getting assistance.
  7. Repeat steps 1 through 6 for each Standalone VidyoRouter in the system.
  8. Test that the VidyoPortal and each VidyoRouter is functional.

The update process can take several minutes (allow 5 to 10 minutes for the process to complete once the server has stated it is restarting). You will not be able to access the system via the browser during the update process. After 15 minutes, you may manually refresh your browser to gain access to the VidyoRouter.

 


Security Update 20: VidyoGateway

Vidyo Server Security Update 20 (SU20) provides existing VidyoGateway servers with updated packages and package configurations to address most known and current vulnerabilities (CVEs) at the time of the release of this Update, as noted in common OS and package security bulletins.

The updates and configuration changes applied by SU20 are outlined in this article below.

If you have an on-premises VidyoGateway, all the information in this article applies to you. In particular, you must follow the steps in the "Applying Security Update 20" section in order to physically perform the update.

If you are a cloud customer, Vidyo will install SU20 for you; however, you may want to read this article to understand the system changes that take place when SU20 is applied.

Security Update 20 Files 

This SU20 file... Is for...
Security_Update-VGW-SU20-bundle-v1176.vidyo VidyoGateway version 3.5.2

 

Do not install SU20 on a version earlier than the versions listed in the preceding table. If SU20 is run on an unsupported version, the updater will exit and post a message in the updater log.

 

System Changes Performed by Security Update 20

 

Apache Web Server

Product | Previous Version | SU20 Version
VidyoGateway | 2.4.34 with OpenSSL 1.0.2o | 2.4.35 with OpenSSL 1.0.2p

 

This SU also changes the Apache TLS configuration to load a freshly generated 2048-bit Diffie-Hellman parameters file for DHE cipher suites.

 

Apache Tomcat

Product | Previous Version | SU20 Version
VidyoGateway | 8.5.32 | 8.5.35

 

OpenSSL Dynamic Library

Product | Previous Version | SU20 Version
VidyoGateway | OpenSSL 1.0.2o | OpenSSL 1.0.2p

 

Wget

Product | Previous Version | SU20 Version
VidyoGateway | 1.19.2 (OpenSSL 1.0.2o) | 1.19.2 (OpenSSL 1.0.2p)

 

OpenSSH

Product | Previous Version | SU20 Version
VidyoGateway | 7.6p1 (OpenSSL 1.0.2o) | 7.8p1 (OpenSSL 1.0.2p)

 

OpenSSH Security Improvements

  • Incomplete or broken SSH sessions now time out after 60 seconds: LoginGraceTime is set to 60 seconds.
  • Addresses the security scan finding “Diffie-Hellman group smaller than 2048 bits (tls-dh-prime-under-2048-bits)” by removing all groups smaller than 2048 bits from /etc/ssh/moduli. (Although the finding is named for TLS, the change here is to the moduli that sshd offers for diffie-hellman-group-exchange key exchange.)
  • Adds the following Ciphers, MACs, and KexAlgorithms lines to sshd_config.default to restrict SSH to stronger algorithms:
    • Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    • MACs hmac-sha2-256,hmac-sha2-512
    • KexAlgorithms ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

These changes require an SSH client that supports at least one cipher, one MAC, and one key exchange algorithm from the lists above; a client that supports none of them will be unable to connect. Current SSH clients support these algorithms.

Linux® Kernel Update

  • SU20 will update the Linux Kernel to 4.14.74

Known Issues after Successfully Applying Security Update 20

Some vulnerability scanners may report a low to moderate level vulnerability of “TCP timestamp response (generic-tcp-timestamp)” and/or “ICMP timestamp response”, even after Security Update 20 is successfully applied.

Description: The remote host responded with a TCP timestamp. TCP timestamp responses can be used to approximate the remote host's uptime, which can aid further attacks, and some operating systems can be fingerprinted from their TCP timestamp behavior. Vidyo has chosen not to disable tcp_timestamps, because doing so could disrupt the packet handling needs of the protocols used for VidyoConferencing. Vidyo rates this finding as low; it does not weaken the security of the Linux TCP stack in any meaningful way. The ICMP-specific finding can be mitigated by blocking ICMP timestamp requests (ICMP type 13) at a firewall.

Applying Security Update 20

If you have an on-premises VidyoGateway, you must perform the steps in this section to apply SU20. If you are a cloud customer, you can skip this section because Vidyo will perform the update for you.

 

  1. Log in to the VidyoGateway Configuration page:
    http://{Gateway IP or FQDN}.
  2. Click the Upgrade Gateway link.
  3. Click Browse.
  4. Select and open the Security_Update-VGW-SU20-bundle-v1176.vidyo file.
  5. Click Upload and Install on the Upgrade Gateway page.
    The system will reboot after uploading the update package. A copy of the Updater log will be available for review.

    Note: The update process can take several minutes (allow 5 to 10 minutes for the process to complete once the server has stated it is restarting). You will not be able to access the system via the browser during the update process. After 15 minutes, you may manually refresh your browser to regain access to the VidyoGateway.
  6. Review the log to ensure the update completed successfully.
    A completed message will be noted near the end of the log file. If the log states the update did not complete or logged errors, review the log for the reason and address it as needed. See the "Contacting Technical Support" section of this article for more information about getting assistance.
  7. Repeat steps 1 through 6 for each VidyoGateway in the system.
  8. Test that each VidyoGateway is functional.

 


Security Update 20: VidyoReplay 

Vidyo Server Security Update 20 (SU20) provides existing VidyoReplay servers with updated packages and package configurations to address most known and current vulnerabilities (CVEs) at the time of the release of this Update, as noted in common OS and package security bulletins.

The updates and configuration changes applied by SU20 are outlined in this article below.

If you have an on-premises VidyoReplay, all the information in this article applies to you. In particular, you must follow the steps in the "Applying Security Update 20" section in order to physically perform the update.

If you are a cloud customer, Vidyo will install SU20 for you; however, you may want to read this article to understand the system changes that take place when SU20 is applied.

Security Update 20 Files 

This SU20 file... Is for...
Security_Update_20_VRP_Rev013-signed.vidyo VidyoReplay version 3.1.4(05) or later

 

Do not install SU20 on a version earlier than the versions listed in the preceding table. If SU20 is run on an unsupported version, the updater will exit and post a message in the updater log.

System Changes Performed by Security Update 20

Specific security-related package updates: 

Apache Web Server

Product | Previous Version | SU20 Version
VidyoReplay | 2.4.33 with OpenSSL 1.0.2o | 2.4.35 with OpenSSL 1.0.2p

This SU also changes the Apache TLS configuration to load a freshly generated 2048-bit Diffie-Hellman parameters file for DHE cipher suites.

 

OpenSSL Dynamic Library

Product | Previous Version | SU20 Version
VidyoReplay | OpenSSL 1.0.2o | OpenSSL 1.0.2p

 

PostgreSQL

Product | Previous Version | SU20 Version
VidyoReplay | 9.3.23 | 9.3.24

 

OpenSSH

Product | Previous Version | SU20 Version
VidyoReplay | 7.6p1 (OpenSSL 1.0.2o) | 7.6p1 (OpenSSL 1.0.2p)

 

OpenSSH Security Improvements

  • Incomplete or broken SSH sessions now time out after 60 seconds: LoginGraceTime is set to 60 seconds.
  • Addresses the security scan finding “Diffie-Hellman group smaller than 2048 bits (tls-dh-prime-under-2048-bits)” by removing all groups smaller than 2048 bits from /etc/ssh/moduli. (Although the finding is named for TLS, the change here is to the moduli that sshd offers for diffie-hellman-group-exchange key exchange.)
  • Adds the following Ciphers, MACs, and KexAlgorithms lines to sshd_config.default to restrict SSH to stronger algorithms:
    • Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    • MACs hmac-sha2-256,hmac-sha2-512
    • KexAlgorithms ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

These changes require an SSH client that supports at least one cipher, one MAC, and one key exchange algorithm from the lists above; a client that supports none of them will be unable to connect. Current SSH clients support these algorithms.

Linux® Kernel Update

  • SU20 will update the Linux Kernel to 4.14.73

 

Known Issues after Successfully Applying Security Update 20

Some vulnerability scanners may report a low to moderate level vulnerability of “TCP timestamp response (generic-tcp-timestamp)” and/or “ICMP timestamp response”, even after Security Update 20 is successfully applied.

Description: The remote host responded with a TCP timestamp. TCP timestamp responses can be used to approximate the remote host's uptime, which can aid further attacks, and some operating systems can be fingerprinted from their TCP timestamp behavior. Vidyo has chosen not to disable tcp_timestamps, because doing so could disrupt the packet handling needs of the protocols used for VidyoConferencing. Vidyo rates this finding as low; it does not weaken the security of the Linux TCP stack in any meaningful way. The ICMP-specific finding can be mitigated by blocking ICMP timestamp requests (ICMP type 13) at a firewall.

Applying Security Update 20

If you have an on-premises VidyoReplay, you must perform the steps in this section to apply SU20. If you are a cloud customer, you can skip this section because Vidyo will perform the update for you.

Upgrading Your VidyoReplay

Before upgrading your VidyoReplay, put your server into Maintenance Mode.

To upgrade your VidyoReplay:

  1. Log in to the VidyoReplay using the default Super account.  For more information, see Logging in to the VidyoReplay in the VidyoReplay Administrator Guide.
  2. Click the Settings link. For more information, see Accessing System Settings in the VidyoReplay Administrator Guide.
  3. Click the Maintenance tab.


    Note: The Choose File and Upload & Install fields only appear when your VidyoReplay is in Maintenance Mode. For more information, see Using Maintenance Mode in the VidyoReplay Administrator Guide.

    As the system warning indicates, “Upgrading will overwrite the current installation. VidyoReplay will reboot after the upgrade.”

  4. Click Choose File.
  5. Locate the Security_Update_20_VRP_Rev013-signed.vidyo file on your computer or network location.
  6. Click Open.
  7. Click Upload & Install.

 


Security Update 20: WebRTC 3.2 Server

Vidyo Server Security Update 20 (SU20) provides existing WebRTC 3.2 servers with updated packages and package configurations to address most known and current vulnerabilities (CVEs) at the time of the release of this Update, as noted in common OS and package security bulletins.

The updates and configuration changes applied by SU20 are outlined in this article below.

If you have an on-premises WebRTC 3.2 Server, all the information in this article applies to you. In particular, you must follow the steps in the "Applying Security Update 20" section in order to physically perform the update.

If you are a cloud customer, Vidyo will install SU20 for you; however, you may want to read this article to understand the system changes that take place when SU20 is applied.

Security Update 20 Files 

This SU20 file... Is for...
vidyo-webrtc-3.2.2.0010-FF58P-bundle-v1175.vidyo VidyoWebRTC Server version 3.2.2

 

Do not install SU20 on a version earlier than the versions listed in the preceding table. If SU20 is run on an unsupported version, the updater will exit and post a message in the updater log. 

 

System Changes Performed by Security Update 20

Important Security Changes

SU20 makes two security changes. First, the TURN server no longer advertises its version banner. Second, SU20 removes support for TLS 1.0 and TLS 1.1 on the HTTPS web interface and on the TURN TLS interface; after this update, the Vidyo WebRTC server offers TLS 1.2 only on HTTPS-enabled interfaces and on TURN TLS.

Specific security-related package updates:

Java

Product | Previous Version | SU20 Version
Vidyo WebRTC | JRE 1.8 Update 144 | JRE 1.8 Update 181

 

This SU also changes the Apache TLS configuration (see Apache Web Server below) to load a freshly generated 2048-bit Diffie-Hellman parameters file for DHE cipher suites.
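The two TLS-side changes in this section (TLS 1.2 only on the HTTPS and TURN TLS interfaces, and the 2048-bit Diffie-Hellman parameters file that SU20 installs for Apache here and on VidyoGateway and VidyoReplay) can be checked from an administrator's workstation with the following added example. It is example code written for this article, not Vidyo's updater or configuration; it assumes the openssl command-line tool (1.0.2 or later) is installed on the workstation, and every hostname, port and file path in it is a placeholder.

```shell
#!/bin/sh
# Added example, not Vidyo's code: generate and inspect a 2048-bit DH
# parameters file for Apache, and verify from outside that a server
# negotiates a >= 2048-bit DHE key and refuses TLS 1.0 and TLS 1.1.
# Requires the openssl CLI (1.0.2+). Hosts and paths are placeholders.

# Parse the "(N bit)" size from `openssl dhparam -text` output on stdin.
parse_dhparam_bits() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Parse the ephemeral key size from an `openssl s_client` transcript on stdin,
# e.g. "Server Temp Key: DH, 2048 bits"; prints nothing for ECDH or no key.
parse_temp_dh_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# dh_size_ok BITS: succeed only if BITS is a number >= 2048.
dh_size_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 2048 ]
}

# gen_dhparams FILE [BITS]: create a fresh DH parameters file with safe
# primes (2048 bits takes a while; that is expected).
gen_dhparams() {
    openssl dhparam -out "$1" "${2:-2048}"
}

# dhparam_file_bits FILE: print the group size of a PEM dhparam file.
dhparam_file_bits() {
    openssl dhparam -in "$1" -noout -text | parse_dhparam_bits
}

# served_dh_bits HOST PORT: force a DHE suite over TLS 1.2 and report the
# negotiated DH size (empty if the server has no DHE suite enabled).
served_dh_bits() {
    openssl s_client -connect "$1:$2" -tls1_2 -cipher 'DHE' </dev/null 2>/dev/null \
        | parse_temp_dh_bits
}

# tls_version_accepted HOST PORT FLAG: succeed if a handshake using the
# given version flag (-tls1, -tls1_1, -tls1_2) completes.
tls_version_accepted() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>/dev/null \
        | grep -q 'Server certificate'
}

# Apache directive that points mod_ssl at the generated file
# (Apache 2.4.8+ with OpenSSL 1.0.2+; the path is a placeholder).
apache_dh_directive() {
    printf 'SSLOpenSSLConfCmd DHParameters "%s"\n' "$1"
}

audit_host() {                       # audit_host HOST PORT
    bits=$(served_dh_bits "$1" "$2")
    if dh_size_ok "$bits"; then
        echo "$1:$2 DHE key: $bits bits (OK)"
    else
        echo "$1:$2 DHE key: ${bits:-none} (check DHParameters / cipher suites)"
    fi
    for v in -tls1 -tls1_1; do
        if tls_version_accepted "$1" "$2" "$v"; then
            echo "$1:$2 still accepts $v (NOT OK)"
        else
            echo "$1:$2 refuses $v (OK)"
        fi
    done
}

# Usage: sh tls_audit.sh webrtc.example.com 443   (placeholder host)
if [ $# -eq 2 ]; then
    audit_host "$1" "$2"
fi
```

The DHE probe pins TLS 1.2 with -tls1_2 because a newer client would otherwise negotiate TLS 1.3, where the "Server Temp Key" line reports the ECDHE group rather than the Apache DH parameters. The TLS 1.0/1.1 probes are only meaningful from a client that is itself willing to speak those versions: OpenSSL 3 refuses them at its default security level, so run those two checks from an OpenSSL 1.x client or add -cipher 'DEFAULT:@SECLEVEL=0' to the s_client call.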

 

Apache Web Server

Product | Previous Version | SU20 Version
Vidyo WebRTC | 2.4.27 with OpenSSL 1.0.2k | 2.4.35 with OpenSSL 1.0.2p

 

Apache Tomcat

Product | Previous Version | SU20 Version
Vidyo WebRTC | 8.0.47 | 8.0.53

 

OpenSSL Dynamic Library

Product | Previous Version | SU20 Version
Vidyo WebRTC | OpenSSL 1.0.2k | OpenSSL 1.0.2p

 

Coturn (TURN server)

Product | Previous Version | SU20 Version
Vidyo WebRTC | 4.5.0.6 | 4.5.0.7

 

Node.js

Product | Previous Version | SU20 Version
Vidyo WebRTC | 6.11.2 | 6.14.3

 

OpenSSH

Product | Previous Version | SU20 Version
Vidyo WebRTC | 7.5p1 (OpenSSL 1.0.2k) | 7.8p1 (OpenSSL 1.0.2p)

 

OpenSSH Security Improvements

  • Incomplete or broken SSH sessions now time out after 60 seconds: LoginGraceTime is set to 60 seconds.
  • Addresses the security scan finding “Diffie-Hellman group smaller than 2048 bits (tls-dh-prime-under-2048-bits)” by removing all groups smaller than 2048 bits from /etc/ssh/moduli. (Although the finding is named for TLS, the change here is to the moduli that sshd offers for diffie-hellman-group-exchange key exchange.)
  • Adds the following Ciphers, MACs, and KexAlgorithms lines to sshd_config.default to restrict SSH to stronger algorithms:
    • Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    • MACs hmac-sha2-256,hmac-sha2-512
    • KexAlgorithms ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

These changes require an SSH client that supports at least one cipher, one MAC, and one key exchange algorithm from the lists above; a client that supports none of them will be unable to connect. Current SSH clients support these algorithms.
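The sshd changes above are the same set that SU20 applies to VidyoGateway, VidyoReplay and the Vidyo WebRTC Server. The following added example reproduces and verifies them on any Linux host: it prunes an OpenSSH moduli file to groups of at least 2048 bits, checks that none smaller remain, and emits the matching sshd_config directives. This is example code written for this article, not Vidyo's updater; the moduli lines embedded in it are constructed (the hex values are placeholders, not real primes), and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not Vidyo's updater code: prune small groups from an OpenSSH
# moduli file the way SU20 does, verify the result, and write the matching
# sshd_config directives. Paths are assumptions; sample moduli are constructed.

# /etc/ssh/moduli columns: time type tests tries size generator modulus
# The "size" field is the bit length minus one, so a 2048-bit group is 2047.
MIN_MODULI_SIZE=2047

# prune_moduli: read moduli lines on stdin, write only groups of >= 2048 bits.
# Comment lines are passed through unchanged.
prune_moduli() {
    awk -v min="$MIN_MODULI_SIZE" '/^#/ { print; next } NF >= 7 && $5 >= min { print }'
}

# count_small_groups FILE: print how many groups under 2048 bits remain.
count_small_groups() {
    awk -v min="$MIN_MODULI_SIZE" \
        '!/^#/ && NF >= 7 && $5 < min { n++ } END { print n + 0 }' "$1"
}

# check_moduli FILE: succeed (exit 0) only if no small group remains.
check_moduli() {
    [ "$(count_small_groups "$1")" -eq 0 ]
}

# sshd_hardening_fragment: the directives SU20 adds, in sshd_config syntax.
# A client must support at least one entry from each list to connect.
sshd_hardening_fragment() {
    cat <<'EOF'
LoginGraceTime 60
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
KexAlgorithms ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
EOF
}

# Constructed sample: one 1024-bit, one 2048-bit and one 4096-bit group
# (the hex moduli are placeholders, not real primes).
SAMPLE_MODULI='# constructed sample, not a real moduli file
20181001000000 2 6 100 1023 2 F7E1A3
20181001000000 2 6 100 2047 2 C0FFEE
20181001000000 2 6 100 4095 5 DEADBEEF'

demo() {
    work=$(mktemp)
    printf '%s\n' "$SAMPLE_MODULI" > "$work"
    echo "small groups before pruning: $(count_small_groups "$work")"
    prune_moduli < "$work" > "$work.pruned"
    echo "small groups after pruning:  $(count_small_groups "$work.pruned")"
    check_moduli "$work.pruned" && echo "moduli OK"
    echo "--- sshd_config fragment ---"
    sshd_hardening_fragment
    rm -f "$work" "$work.pruned"
}

# Run with --demo to exercise the functions on the constructed sample.
# On a real host: prune_moduli < /etc/ssh/moduli > /etc/ssh/moduli.new,
# then check_moduli /etc/ssh/moduli.new before replacing the original.
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

After restarting sshd, `sshd -T | grep -Ei '^(ciphers|macs|kexalgorithms|logingracetime)'` prints the effective values, and from a remote host `nmap --script ssh2-enum-algos -p 22 <host>` lists what the server actually offers, which is the view a vulnerability scanner takes.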

Linux® Kernel Update

  • SU20 will update the Linux Kernel to 4.14.57

 

Known Issues after Successfully Applying Security Update 20

Some vulnerability scanners may report a low to moderate level vulnerability of “TCP timestamp response (generic-tcp-timestamp)” and/or “ICMP timestamp response”, even after Security Update 20 is successfully applied.

Description: The remote host responded with a TCP timestamp. TCP timestamp responses can be used to approximate the remote host's uptime, which can aid further attacks, and some operating systems can be fingerprinted from their TCP timestamp behavior. Vidyo has chosen not to disable tcp_timestamps, because doing so could disrupt the packet handling needs of the protocols used for VidyoConferencing. Vidyo rates this finding as low; it does not weaken the security of the Linux TCP stack in any meaningful way. The ICMP-specific finding can be mitigated by blocking ICMP timestamp requests (ICMP type 13) at a firewall.

 

Applying Security Update 20

If you have an on-premises VidyoWebRTC Server, you must perform the steps in this section to apply SU20. If you are a cloud customer, you can skip this section because Vidyo will perform the update for you.

VidyoWebRTC Server

To apply Security Update 20 for On-Premises: 

  1. Log in to the Vidyo WebRTC Admin Configuration page: http://{Server IP or FQDN}.
  2. Click the Maintenance > Upgrade link.
  3. Click Choose File. 
  4. Select and open the vidyo-webrtc-3.2.2.0010-FF58P-bundle-v1175.vidyo file.
  5. Click Upgrade and Reboot on the Maintenance page.
    The system will reboot after uploading the update package. A copy of the Updater log will be available for review (see Updater Log).
  6. Review the log to ensure the update completed successfully. If the log states the update did not complete or logged errors, review the log for the reason and address it as needed. See Contacting Technical Support below for more information about getting assistance.
  7. Repeat steps 1 through 6 for each Vidyo WebRTC Server in the system.
  8. Test that each Vidyo WebRTC Server is functional.

The update process can take several minutes (allow 5 to 15 minutes for the process to complete once the server has stated it is restarting). You will not be able to access the system via the browser during the update process. After 15 minutes, you may manually refresh your browser to regain access to the Vidyo WebRTC Server.
