
CERT Vulnerability CVE-2015-2864

CVE-2015-2864 affects all environments that use password-protected Retrospect Clients, including environments running Retrospect 8 for Mac and Retrospect 7 for Windows. Retrospect has released a security update that addresses this issue in the following versions:

  • Retrospect 10.0.2 for Windows

  • Retrospect Client 10.0.2 for Windows

  • Retrospect 12.0.2 for Mac

  • Retrospect Client 12.0.2 for Mac

  • Retrospect Client 10.0.2 for Linux

We strongly advise customers to address this issue if it affects their environments:

Customers using clients with public/private keypairs — This issue does not affect environments using public/private keypairs where the client has never had a password set up. If the client has used a password, see steps below to remove it.

Customers using clients with password protection — This issue is a security risk for your environment. There are two ways to address it, both described below: update the Engine and all Clients to the latest versions of Retrospect and then set each client's password again, or switch to public/private keypairs within your current environment.

See Technical Details for more information.

Updating to the latest versions of Retrospect

The latest versions of Retrospect are available from Downloads. These include a security update to address the CERT vulnerability.

  1. Download the latest version of Retrospect and update the Retrospect Engine and all Retrospect Clients.

  2. Set each client’s password again. See Retrospect for Mac documentation and Retrospect for Windows documentation for specific steps. This can be the same password the client already has. Updating the software alone is not enough: the affected hash stays on the client until the password is set again, which replaces it with a new, unaffected hash.

Switching to keypairs within your current environment

Public/private keypairs allow Retrospect Client to automatically authenticate with the Retrospect Engine without the need for a password. Switching to public/private keypairs ensures your clients are not exposed to this risk, and you can set them up without upgrading to the latest version of Retrospect. Our User’s Guide walks through how to set these up.

Retrospect for Windows

  1. See Retrospect for Windows documentation for instructions on creating public/private keypairs from Preferences.


  2. Add the public key to each client. See documentation for re-installation instructions.

  3. In Clients, remove the client and then add it again so that it starts using the public/private keypair. You will need to add the clients back to their respective scripts.

  4. You can verify the authentication method by looking at Clients > Properties > Tools. It should list "Security: uses private/public key".

Retrospect Desktop for Windows — Public/private keypairs are not officially supported in the Desktop edition of Retrospect for Windows. However, you can take steps to use them in your current environment. Please contact Support for more information.

Retrospect for Mac

  1. Create a public/private keypair. See documentation for instructions for doing so in Preferences.


  2. Add the public key to each client. See documentation for re-installation instructions.

  3. In Sources, remove the client and then add it again so that it starts using the public/private keypair. You will need to add the clients back to their respective scripts.

  4. You can verify the authentication method by looking at Sources > Summary. It should list "Security: Public/Private Key".

Public key locations in Retrospect Clients

  • Windows XP — Place the public key at C:\Program Files\Retrospect\Retrospect Client\pubkey.dat.

  • Windows Vista, 7, 8 — Place the public key at C:\Program Files (x86)\Retrospect\Retrospect Client\pubkey.dat.

  • Mac OS X 10.6 - 10.10 (prior to v12.0.2) — Place the public key at
    /Library/PreferencePanes/Retrospect Client.prefPane/Contents/SharedSupport/pubkey.dat.

  • Mac OS X 10.6 - 10.10 (12.0.2) — Place the public key at /Library/Preferences/pubkey.dat.

  • Linux — Linux client releases prior to 10.0.2 do not support public/private keypairs. Please contact Support if you are running a Linux client prior to 10.0.2.

Technical Details

Retrospect Client does not store the password you type in. Instead, it stores a computational hash of the password and uses that hash to authenticate with the Retrospect Engine. The hash algorithm is designed so that nobody can recover the original password from the hash or find a different password that produces the same hash. However, a bug in the algorithm makes it significantly more likely that a different password produces the same hash as the original one. An attacker with a significant amount of technical expertise and network access to the Retrospect Client could use this bug to authenticate to the client from a different Retrospect Engine and thereby gain access to the Retrospect Client and the computer it runs on. Because the hash lives on the client, the exposure remains until the affected hash is replaced (by setting the password again on updated software) or the client is switched to public/private keypairs.
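To make concrete what "a different password matching the original password's hash" means for an attacker with network access, here is an added example; it is not Retrospect's code and does not describe Retrospect's actual hash algorithm, which this page does not detail. It uses a hypothetical toy hash (SHA-256 truncated to 12 bits) as a stand-in for a hash whose effective output space is far smaller than intended, and runs the same bounded brute-force search against it and against the full digest. The sample password `Backup#2015` and the search alphabet are constructed for the example.

```python
import hashlib
import itertools
import string

# Hypothetical toy hash, NOT Retrospect's algorithm: SHA-256 truncated to
# 12 bits, so only 4096 distinct values exist. It stands in for a hash whose
# bug leaves far fewer reachable values than its design intends.
def weak_hash(password: bytes) -> int:
    digest = hashlib.sha256(password).digest()
    return int.from_bytes(digest[:2], "big") & 0x0FFF


# The unaffected comparison: the full 256-bit digest. (Real password storage
# would also add a per-client salt and a slow KDF; omitted here to keep the
# comparison to output space only.)
def strong_hash(password: bytes) -> bytes:
    return hashlib.sha256(password).digest()


def find_second_preimage(original: bytes, hash_fn,
                         alphabet: str = string.ascii_lowercase,
                         max_len: int = 4):
    """Brute-force a *different* password whose hash equals hash_fn(original).

    Models an attacker who never learns the real password but only needs any
    input the client will accept. Returns (candidate, tries) on success, or
    (None, tries) once the bounded search (sum of len(alphabet)**k for k=1..max_len)
    is exhausted.
    """
    target = hash_fn(original)
    tries = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo).encode()
            tries += 1
            if candidate != original and hash_fn(candidate) == target:
                return candidate, tries
    return None, tries


ORIGINAL = b"Backup#2015"  # constructed sample client password


def demo() -> dict:
    """Run the same bounded search against both hashes and report the outcome."""
    weak_hit, weak_tries = find_second_preimage(ORIGINAL, weak_hash)
    strong_hit, strong_tries = find_second_preimage(ORIGINAL, strong_hash)
    return {
        "weak_collision": weak_hit,        # a different password the toy hash accepts
        "weak_tries": weak_tries,          # on the order of 4096 guesses
        "strong_collision": strong_hit,    # None: search space exhausted
        "strong_tries": strong_tries,      # 475254 guesses, nothing found
    }


if __name__ == "__main__":
    result = demo()
    print("toy hash: accepted", result["weak_collision"],
          "after", result["weak_tries"], "guesses")
    print("full hash: no match in", result["strong_tries"], "guesses")
```

The toy hash is defeated after a few thousand guesses with a password that shares nothing with the original, while the same budget finds nothing against the full digest. The practical consequence on this page is the same in both remediation paths: the stored hash, not the password, is what an attacker targets, so it has to be replaced (by setting the password again on updated software) or made irrelevant (by switching to keypairs).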


Last Update: June 15, 2015