Customer Support Advisories

Absolute is actively responding to the reported remote code execution vulnerability in the Apache Log4j2 Java library dubbed Log4Shell (or LogJam). We have investigated and taken action for the Absolute Visibility, Control and Resilience products that utilize Log4j2. No other Absolute or NetMotion products are impacted.

Products Not Impacted

All versions of NetMotion Mobility, NetMotion Mobile IQ, and NetMotion Diagnostics, including those recently sold under the names NetMotion Core or NetMotion Complete are not subject to any of these vulnerabilities.

Products Remediated

Absolute’s services in its Canadian, US, and EU Data Centers that deliver the affected Visibility, Control, and Resilience products have been updated to use the latest version (2.17.0) of Log4j2. This version includes fixes for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. We have also deployed firewall configurations to prevent these bugs or other similar bugs from being triggered and enhanced our monitoring for these and similar attacks.

We continue to closely monitor the Apache Software Foundation’s response to log4J2 vulnerabilities and will take further steps as needed.

We also realize that supply chains are a critical component in addressing vulnerabilities. Absolute’s operational teams have been monitoring and contacting all 3rd party SaaS vendors we work with and ensuring they address any exposure they might have. 

For additional technical information and further updates, please visit the Absolute Community. 

Appendix – Overview of CVEs

April 22,2021: To assist customers in their long-range planning, NetMotion Software is providing advanced notification of our plan to discontinue development for all clients supporting Microsoft Windows version 8.1, Apple iOS version 12, and Apple macOS version 10.14. After April 1, 2022, we will no longer provide new features or patches for clients running on these platforms. 

Technical support will continue to be available to all customers with current maintenance agreements for all versions of our products running on Windows 8.1, iOS 12 and macOS 10.14 through the end-of-life of the applicable NetMotion product version.

For further information or if you need to speak with our sales and technical support representatives, visit our website at www.netmotionsoftware.com or call (206) 691-5555.

Summary:

On November 19, 2020, NetMotion alerted customers to security vulnerabilities in the Mobility web server and released updates for Mobility v11.x and v12.x to address them.

The CVSS 3.1 base score for these vulnerabilities is 8.1 (High)

The vulnerabilities were fixed in versions Mobility v11.73 and v12.02, which were released on November 19, 2020. Customers should upgrade immediately to these or later versions. 

Download the updated versions of Mobility servers from the NetMotion customer portal, or contact support for assistance. Consult the Mobility v11.73 and v12.02 or later documentation for guidance on securely configuring your Mobility deployment. 

In addition, customers should verify that their Mobility servers are behind a commercial firewall and that only the VPN port is exposed to untrusted networks. The default port for the VPN is UDP 5008.  If you have changed the default VPN port, ensure that only the VPN port is exposed.  

Details

Prior to Mobility v11.73 and v12.02, attackers with access to the Mobility web server, which hosts the Mobility management console and some inter-server communications processes, could exploit Java deserialization vulnerabilities. Successful exploitation results in remote code execution with system privileges without prior authentication. Customers who have followed NetMotion’s recommendations for secure deployment are only vulnerable to this attack from inside their protected network where the Mobility web server is deployed. 

Mobility v11.73 and v12.02 fixed these vulnerabilities and mitigated future exploitation of this class of attack by implementing a safe Java object reader and cryptographic validation of input prior to deserialization where appropriate.

NetMotion thanks SSD Disclosure for their professionalism in bringing these vulnerabilities to our attention, working with us under the principles of responsible disclosure, and ensuring that our customers had an opportunity to update their systems prior to releasing any details.

For more details on these vulnerabilities, visit SSD Disclosure. https://ssd-disclosure.com/ssd-advisory-netmotion-mobility-server-multiple-deserialization-of-untrusted-data-lead-to-rce/

CVE-2021-26912

CVE-2021-26913

CVE-2021-26914

CVE-2021-26915

CVSS 3.1 Vector String: 

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

For more information, please contact securityresponse@netmotionsoftware.com

NetMotion Software is providing customers with advance notice of the end of life (EOL) for the following:

• NetMotion Mobility v10.x servers and clients
• NetMotion Mobile IQ v1.x server
• NetMotion Diagnostics v4.x 
• NetMotion Mobility Analytics module

Customers running Mobility v10.x or Mobile IQ v1.x should plan to migrate to the latest versions. We will no longer provide support for Mobility v10.x or Mobile IQ v1.x after September 1, 2021.

Customers running NetMotion Diagnostics should contact their account manager for assistance migrating to the new NetMotion platform, which includes Diagnostics functionality. We will no longer support the Diagnostics product after September 1, 2021.  

Analytics Module functionality (alerting, data storage, and data visualization) is part of the new NetMotion platform. Customers running the Mobility v11.x Analytics module will receive operational and configuration support for the service life of Mobility 11, but we will not provide software updates or patches for the Mobility Analytics module after September 1, 2021. 

For a current list of supported operating systems and versions, review the Supported Operating Systems page.

The Microsoft Windows 10 ‘Spring Update’ is expected to adversely impact the Mobility Single Sign-on (SSO) feature for Windows 10 clients. In anticipation of the Windows 10 Spring Update, NetMotion is releasing the Mobility 11.71 Windows client to ensure that SSO works properly after applying the Windows 10 Spring Update.

NetMotion recommends that administrators test and deploy the Mobility 11.71 client to their Windows 10 systems prior to installing the Windows 10 Spring Update to ensure that SSO continues to work as expected after the Spring Update is installed.

On January 28, 2020 Apple released iOS update 13.3.1. New restrictions introduced in the update adversely affect the biometric support introduced in Mobility version 11.50. NetMotion is releasing Mobility 11.72 for iOS—disabling biometric support as a temporary fix to prevent users from experiencing connectivity problems until Apple resolves the issue or a workaround can be implemented. Note: 11.72 for iOS is narrowly targeted at iOS biometric support. It does not change VPN authentication.

As an administrator, you have two options depending on whether you want to upgrade to the latest version of iOS, or if you want to maintain biometric support.

• If you want to continue to use iOS biometrics on your clients, you must not upgrade these devices to iOS 13.3.1. Additionally, you must not install the Mobility 11.72 iOS client, which disables support for iOS biometrics to prevent connectivity problems.
• If you must upgrade your devices to iOS 13.3.1, or you cannot control how users upgrade their devices, then NetMotion recommends that you disable the Mobility setting “Authentication – Biometrics” and install the Mobility 11.72 iOS client prior to upgrading to iOS 13.3.1.

Users with Mobility devices already running iOS 13.3.1 that are also configured for biometrics (Touch ID or Face ID) via the Mobility setting “Authentication – Biometrics” may receive a notice that “Biometric authentication is required for connection [Reason 150]”; in this case the client will not connect to the Mobility server. The only way to connect after experiencing this error is to do one of the following

• Upgrade the client to Mobility 11.72
• Change the global client setting  “Authentication – Biometrics” in the Mobility console (Configure > Client Settings) to “Do not use biometrics” and create a new VPN Profile on the client, either in the Mobility client interface or by pushing a new profile to a client using a Mobile Device Management (MDM) system. 

NetMotion has reported the problem to Apple, we are awaiting a fix in a future version of iOS and will advise our customers when this issue is resolved.

On January 14, 2020 Microsoft and the NSA released information regarding vulnerabilities in Microsoft cryptographic libraries that are part of Windows 10, Windows Server 2016, and Windows Server 2019.

In the advisory, the NSA describes how cryptographic libraries in Windows operating systems could be fooled into believing that cryptographically signed data is genuine when it is not. In particular, the NSA called out “HTTPS connections, signed files and emails, and signed executable code” as possible vectors for attack. These vulnerabilities have been patched by Microsoft in the January 14, 2020 Security Update.  The NSA and Microsoft strongly recommend that administrators of vulnerable systems rapidly test and deploy the January 14 patches.

NetMotion products are not directly affected by these vulnerabilities. NetMotion has tested the Microsoft security updates on the affected Windows operating systems and found no compatibility issues. We strongly encourage administrators of NetMotion products to test and deploy the latest Microsoft security updates to all systems running on Windows 10, Windows Server 2016 and Windows Server 2019.

Please contact support if you have any further questions.

With the releases of Android 10, some NetMotion capabilities may be affected. We are working hard to release compatible NetMotion clients. Learn more about NetMotion compatibility with Android 10 here.

To assist customers in their long-range planning, NetMotion Software is providing advanced notification that we will discontinue support for Microsoft Windows 7 on January 14, 2020. 

Microsoft previously announced that after January 14, 2020, they will no longer offer technical support, software updates, or security updates for Windows 7. While Windows 7 will continue to work, it will become progressively less secure. Customers who continue using Windows 7 after January of 2020 do so at their own risk. As a reminder, Microsoft’s Mainstream Support program for Windows 7 ended in January 2015.

Beginning in January 2020, NetMotion will only release new features and fixes for Windows clients running Windows 8.1 or Windows 10. Customers will be required to upgrade their client to a supported operating system to receive new features and bug fixes. 

NetMotion currently supports Windows 7 clients on Mobility version 10.0 through version 11.7x. 

To assist customers in their long-range planning, NetMotion Software is providing advanced notification of our plan to discontinue development for Microsoft Windows Server 2012 R2 for Mobility and Diagnostics.

After each product’s next major release, all new features and remediation of defects will only be available on the Microsoft Server 2016 and Server 2019 platforms. Customers encountering defects on previous versions of Microsoft’s server operating systems may be required to upgrade in order to resolve the issue. The next major release of Diagnostics, planned for release in Q3 2019, and of Mobility, planned in 2020, will be the final NetMotion releases to support Server 2012 R2. As a reminder, Microsoft’s Mainstream Support program for Server 2012 R2 ended in October of 2018.

Technical support will continue to be available to all customers under maintenance for all versions of our products running on Server 2012 R2 through the end-of-life of that version (typically three years after the release date).

For further information or if you need to speak with our sales and technical support representatives, visit our website at www.netmotionsoftware.com or call (206) 691-5555.

On systems running macOS 10.14.4, Mobility clients can terminate and restart when roaming between networks (for example: wired to wireless network, different wireless networks, LAN to WAN, and so on). The Mobility client mitigates this by automatically reconnecting (if configured), but you may notice a service interruption while roaming. This issue does not occur on macOS 10.14.3 and earlier and is fixed in macOS 10.15.x (Catalina). Please contact support for more information.

Upgrading to the Windows 10 Fall 2018 release requires that you also upgrade to the Mobility v11.43 client. Microsoft is releasing their Fall update to Windows 10 (v1809). The Mobility v11.43 client for Windows fixes compatibility issues with the Windows 10 network location awareness (NLA) feature in Windows 10 v1809. Without the updated Mobility client, any application that uses this feature will malfunction, including the Edge browser and many Windows system apps. Windows 10 devices running Microsoft’s fall release must install Mobility v11.43 to avoid these issues. See Known and Resolved Issues for details.

Failure to upgrade to the Mobility v11.43 client when running Windows 10 Fall 2018 release will result in elevated CPU utilization associated with NLA, and malfunctions in the Windows Edge browser and other apps which rely on NLA to function.

Summary: As is true of many other software companies, NetMotion has discovered all current versions of the Mobility client are incompatible with some upcoming updates to Windows. Though not part of the initial Spectre and Meltdown updates, when these Windows updates are applied, systems running any Mobility client for Windows prior to 11.32 will not operate as expected. You MUST upgrade to Mobility v11.32 before applying them. Do not delay.

Advisory: Current versions of Mobility are fully compatible with the initial round of Microsoft’s Spectre and Meltdown updates. We expect that Microsoft will release more patches addressing these vulnerabilities; we will keep you informed as to whether they will affect your NetMotion deployment. In the wake of the initial round of patches, we learned that Microsoft’s Windows 10 Spring release is incompatible with all current versions of the Mobility client. In the past, the Spring release has been available in the March timeframe but with the current situation involving Spectre and Meltdown, we cannot be sure these releases will not happen sooner. We expect the updates to Windows 8 and 7 will also be incompatible. We are releasing v11.32 clients for all Windows platforms to address the incompatibility.

If you apply the upcoming Windows update, systems running any Mobility client for Windows prior to 11.32 will not operate as expected. Because we don’t know precisely when Microsoft will release the updates, you must upgrade your Windows systems to Mobility v11.32 as soon as possible. Do not delay.

• NetMotion customers with current maintenance or subscription contracts can download the updated clients from our software download portal.
• If you are running Mobility 10.51 or greater on both client and server, you can upgrade your clients hands free with our easy to use over-the-air update feature. Click here to learn more.

Frequently Asked Questions

Q: Does this issue have anything to do with the Spectre and Meltdown vulnerabilities?
A: Shipping Mobility clients are fully compatible with the Microsoft updates published on January 3, 2018 and January 9, 2018, in response to the Spectre and Meltdown vulnerabilities. Microsoft has not made public their motivation for the changes causing the incompatibility with Mobility clients.

Q: Will these new clients work with my existing server?
A: These clients are compatible with all currently supported Mobility servers (Mobility v10x and v11x). There is no need to upgrade your server to run the 11.32 clients.

Q: How did you discover the incompatibility?
A: We participate in the Windows Insider program, and we noticed the issue in a preview build.

Q: What are the KB article numbers for the updates you are concerned about?
A: Microsoft has not released the KB numbers yet.

Q: When will Microsoft release their update?
A: Changes like this are usually available in the Spring and Fall releases, but given all the other work being done in response to Spectre and Meltdown we can’t be sure of the timing. That’s why it’s urgent to prepare now.

Q: Which client operating systems are affected?
A: We have released new clients for Windows 10, Windows 8, and Windows 7.

Q: How do I get the updated clients?
A: The v11.32 clients are available on the NetMotion software download portal.

Q: What if I no longer have a current maintenance contract?
A: Contact us via email or phone and we’ll work with you to get the updated clients.

Q: Does this affect the iOS, macOS and Android clients, or the Mobility server?
A: Our release is only for Windows clients.

Q: Do you have any advice on how to deploy the new clients?
A: In Mobility 10.51 we added an easy to use over-the-air update feature. If your Mobility server and clients are at version 10.51 or greater, review the help to craft an upgrade deployment that suits your needs.

Q: Is there anything else I can do to mitigate this situation?
A: We recommend that you thoroughly test all changes to your production environment before pushing them live.

Q: What if I still have questions?
A: If there’s something we haven’t answered here, please contact our support team: Click here to submit a request online, else give us a call at (888) 723-2662.

There is a known issue where authentication fails on Microsoft’s NPS RADIUS server after installing patch KB4034681, KB4025335 or KB4034663. Please contact your NetMotion account manager for additional information.

After June 30, 2017, Diagnostics servers prior to v4.10 may not correctly display coverage maps, device maps, and client report mini-maps. Earlier Diagnostics server versions will continue to collect and store location data and display reports, but due to changes with Microsoft Bing Maps, maps may not display properly after June 30, 2017.

If you encounter problems where maps do not display after that date, upgrade to Diagnostics v4.10. Technical Support can assist customers who want to upgrade their Diagnostics systems. For assistance planning your upgrade, or for any further questions, please contact us.

After December 31, 2017, NetMotion Software will no longer provide support for Diagnostics v2.x servers and clients. Customers running Diagnostics 2.x systems should upgrade to Diagnostics v4.10 or later. For a current list of supported operating systems and versions, see the Supported Operating Systems page.

For further information or if you need to speak with our sales and tech support representatives, please contact us.

Effective March 2017, NetMotion Software has stopped developing and testing its software products on the following platforms:

• Microsoft Windows Server 2008 R2
• Microsoft Windows Server 2012 (Windows Server 2012 R2 continues to be supported)
• Apple iOS v9.x
• Google Android v4.0 through 4.3

NetMotion products that support these operating systems continue to be supported until the product’s published end-of-life, but maintenance releases, feature releases, and major versions of NetMotion Software will not support them.

• Customers with a current maintenance agreement will continue to receive full support for NetMotion products until the product version they are running has reached end-of-life.
• We encourage customers running our solutions on any of these operating systems to upgrade.
• Technical Support can assist customers who want to upgrade to a newer, supported operating system. For assistance planning your migration, or for any further questions, please contact us.

NetMotion Software is providing customers with advance notice of the end of life (EOL) for the following:

• Mobility XE 9.x servers
• Mobility XE 9.x clients for Microsoft Windows 7

Note: EOL for Windows Vista and Windows XP was announced in 2014. NetMotion Software recommends that customers running Mobility 9.x begin to plan their migration to the latest version of Mobility. We will no longer provide support v9.x servers and the Windows 7 client after January 1, 2018.

For a current list of supported operating systems and versions, review the Supported Operating Systems page.

On October 3, 2016, Microsoft released updates to Windows Defender, its anti-malware product for Windows 8.x and 10. The updated version of Windows Defender is incompatible with Mobility v10.7x and v11 clients.

As a result, Windows Defender cannot properly update its malware signatures. NetMotion has released new versions of the affected Mobility clients, resolving the incompatibility. Customers who are running Windows Defender should update to the latest version of Mobility of Mobility 10.7x or 11.0x.

Mobility 10.72 for iPhone and iPad is supported on both iOS 9 and 10. Administrators should upgrade to Mobility 10.72 before October 10, 2016, as this is when NetMotion plans to release Mobility 11 for iPhone and iPad, which supports only iOS 10 and later; most upgrades from Mobility 10.72 to Mobility 11 are expected to be trouble-free.

Administrators should be aware of important issues surrounding licensing, certificate handling, and support for iOS 9 that may arise with the release of Mobility 11, and take appropriate steps to prepare for the transition. Full details of the issues and procedures for managing the upgrade process are described here.

Mobility users running OS X v10.11 must recreate their configuration profiles after upgrading to Mobility 11.02. See MOB-8671 in Known and Resolved Issues.

January 19, 2016: This issue is resolved in the Mobility 10.72 client for Windows 10, released January 19, 2016.

The Mobility 10.72 clients are immediately available on our download site and through the NetMotion deployment server. Administrators are encouraged to upgrade their Windows 10 Mobility clients and then install the Microsoft update as soon as is practical. On January 12, 2016, Microsoft released a cumulative update to Windows 10 that prevents users running Mobility from logging on to the Windows desktop. NetMotion has identified the problem and is in the process of implementing a solution. Until a fix is available, the two options for addressing the issue are to uninstall the update or uninstall Mobility. Administrators with Windows 10 devices can stop the installation of the patch by excluding the following packages from their regular system updates:

• Security Update for Microsoft Windows (KB3124263)
• Security Update for Microsoft Windows (KB3124266)

If the Windows 10 update has been installed unintentionally, Administrators can uninstall it by following these steps:

1. Start the machine in Safe Mode.
2. Go to Add/Remove Programs > View Installed Updates.
3. Uninstall the following packages:
   • Security Update for Microsoft Windows (KB3124266)
   • Security Update for Microsoft Windows (KB3124263)
4. Reboot the machine.

A new Mobility client (v10.71) that supports iOS 9 is available on the Apple App Store. Apple device users should update their Mobility client to v10.71 before they upgrade to iOS 9 to ensure uninterrupted access. This newest version of Mobility also supports devices running iOS 7.1 and above. Mobility client versions prior to 10.71 are not supported on iOS 9.

It is not necessary to update the Mobility server to run this client.

The Mobility Windows 7 client does not run on Windows 10. Upgrading directly from Windows 7 to Windows 10 with Mobility installed is not supported. If you choose to upgrade any of your Windows 7 devices, please uninstall the Windows 7 client, upgrade the operating system, and then install the Mobility 10.71 beta client for Windows 10.

By the end of 2015, NetMotion Software will stop developing and testing the Mobility and Diagnostics servers for Microsoft Windows Server 2008 R2. Solutions shipped with support for Windows Server 2008 R2 will continue to be supported, but maintenance releases, feature releases, and major versions of NetMotion Mobility and Diagnostics server software will not be released for Windows Server 2008 R2 after 2015.

Customers running a NetMotion server on Windows Server 2008 R2 who have a current maintenance agreement will continue to receive full support until the product version they are running has reached end-of-life. We encourage customers running our solutions on Windows Server 2008 R2 to make plans for upgrading their platform as soon as reasonably possible.

Technical Support can assist customers who want to upgrade their current Windows Server 2008 R2 deployment to a newer supported Microsoft server operating system. For assistance planning your migration, or for any further questions, please reach out to your account manager.

Summary: On March 10, 2015, Microsoft released a security bulletin describing a vulnerability in Windows and a patch to remedy the vulnerability. Since then, there have been many reports in the media describing conflicts between that patch and other security products. Mobility customers should exercise caution when applying Microsoft’s fix to their authentication server if both of the following are true:

• You are running on a Windows 2003 domain controller; and,
• You are configured for NTLM Authentication to that Windows 2003 domain controller.

Applying Microsoft’s fix will keep Mobility client v10.52 or below from properly authenticating. This issue has no impact on the operation of the Mobility server, just client authentication. No other Mobility components are affected by this conflict. Mobility deployments configured to use other RADIUS servers, or RSA authentication are not affected by this bulletin.

What to Do: There are three basic ways to mitigate the impact of Mobility client and the Microsoft patch.

1. Do not install the MS15-027 patch from Microsoft on your Windows Server 2003 authentication server. Alternately, if you’ve already installed the patch, uninstall it.
2. Contact the support team for an approved work around.
3. Upgrade your domain controllers for NTLM authentication to Windows Server 2008, 2008 R2 2012 or 2012 R2. The issues have not been reported on these platforms or appeared in our testing of those platforms.

If you choose not to install the patch from Microsoft at this time, we strongly recommend that you isolate your authentication server on a trusted network.

Review the Microsoft Security Bulletin MS15-027.

Summary: On November 11, 2014, Microsoft released a security bulletin describing a vulnerability in the Microsoft Secure Channel security package in Windows, and a patch to remedy the vulnerability. The patch kept Mobility clients v10.50 and earlier from connecting to Microsoft NPS and IAS authentication servers. A week later, on November 18, Microsoft re-released the patch, rolling back the changes that kept Mobility client v10.50 and below from connecting to NPS and IAS servers. NetMotion has tested the updated MS14-066 patch and found that the original conflict between the patch and the earlier Mobility clients is no longer present. In light of this, we recommend that Mobility administrators:

1. Apply the updated patch according to their standard patching procedures.
2. Continue with their plans to upgrade all clients to the most current version of Mobility in order to take advantage of the latest features and bug fixes.

In mid-October, 2014, multiple media outlets reported a serious vulnerability in the SSL v3.0 encryption protocol (POODLE, CVE-2014-3566). SSL v3.0 is an older and less secure option for encrypting data sent between web servers and browsers still supported by servers and browsers for the purposes of backward compatibility. By exploiting this vulnerability, an attacker can read information encrypted with this protocol.

Mobility is not vulnerable to the POODLE attack, neither are communications between Locality agents and the Locality server. Locality relies on Windows to determine what type of cryptography to use for securing connections to the management interface. Since many of Microsoft’s server operating systems are vulnerable, it may be possible for an attacker to read the contents of those browser sessions if all of the other conditions of the attack are met.

Microsoft has published an advisory that addresses the POODLE attack. As a precaution, we recommend that administrators follow Microsoft’s recommendations for disabling the SSL v3.0 encryption algorithm on their Windows server. Doing so will not impair Locality in any way.

As always, we encourage our customers to audit their entire infrastructure to determine if any other components require software updates. Many vendors are already providing patches to vulnerable systems.

On September 24, 2014, multiple media outlets reported a serious vulnerability in the Bash shell, a utility commonly found on Linux, UNIX, and Mac OS devices (CVE-2014-6271). By exploiting this vulnerability, an attacker can take control of a susceptible device.

Neither Mobility nor Locality is vulnerable to this issue since we have never shipped any software that contains the Bash shell. There is no need to patch or update the client or server for any of our products. As always, we encourage our customers to audit their entire infrastructure to determine if any other components require software updates. Many vendors are already providing patches to vulnerable systems.

References

• National Vulnerability Database
• Wikipedia Article: Shellshock Bug

We will release an update to the NetMotion Mobility client that supports iOS 8 soon. NetMotion strongly recommends that all users of the Mobility client for iPhone, iPad and iPod touch remain on iOS 7.1x in order to continue to use their Mobility client, which currently supports only iOS 7.1x. The App Store application on your Apple devices will automatically notify users when the updated Mobility client is available for iOS 8. We will also notify customers via email and on our website.

After March 2012, resolution of the most severe issues in versions of Mobility running on Microsoft Server 2003 will be available on an “as-needed” basis. Review the Knowledge Base for further details on technical support and timelines.

On June 5, 2014, new vulnerabilities were reported in OpenSSL. Exploitation of these vulnerabilities could allow an attacker to decrypt intercepted traffic. Mobility 10.11 and earlier versions are only affected by CVE-2014-0224 when configured to use RADIUS authentication with a vulnerable RADIUS server. The advisory contains details on six vulnerabilities; Mobility is not affected by the other five advisories because it does not use the affected components.

Mobility deployments configured to use NTLMv2, LEAP, or RSA SecurID authentication can safely disregard this advisory.

Details: If an attacker can intercept the authentication session between two vulnerable systems, it is possible to fool the systems into using keys based only on public information. Only if all of the following conditions are true is it possible to decrypt Mobility traffic using this exploit:

• You are using a RADIUS server that is running one of two vulnerable versions of the OpenSSL server library (OpenSSL 1.0.1 and 1.0.2-beta1). Both the client and the RADIUS server must have vulnerable libraries for the exploit to succeed.
• The attacker can intercept all traffic going to and from the Mobility server which requires that the attacker has control of a router on the path between the Mobility server and a Mobility client and can force all Mobility traffic through it.
• The attacker captures the Mobility user authentication sequence and is directly targeting Mobility.

What to Do

• Administrators should contact their RADIUS server vendors to determine if their particular server is affected by this vulnerability and if so, whether a patch is available.
• NetMotion is developing a patch for all affected Mobility clients so that Mobility will block the attack even if the RADIUS server is vulnerable. We will update the user community as soon as updates are available.
• Customers should audit their entire infrastructure to determine if any other components, such as web servers or other systems using OpenSSL, require software updates.
• Temporarily change authentication types to one that is not affected by this vulnerability.

References

• National Vulnerability Database
• RADIUS Vendors Tested by NetMotion Software
  • Microsoft Security Blog: Microsoft has not explicitly addressed CVE-2014-0224 and either NPS or IAS.
  • Cisco’s Advisory
  • Juniper has not explicitly addressed CVE-2014-0224 and Steel Belted Radius.
  • FreeRadius: FreeRadius has not explicitly addressed CVE-2014-0224.

On January 1, 2015, NetMotion will discontinue support for Locality Server 1.x and Locality Agent 1.x. For customers with these products, we offer assistance in migrating to the latest version of Locality. After January 1, 2015, we will continue to offer assistance, but we will no longer test interoperability with newer versions of our products, future operating systems (on client or server platforms), or resolve defects associated with them. Customers running Locality v1.x are highly encouraged to upgrade to the latest software as soon as reasonably possible. For assistance planning your migration, or for any further questions, please contact Technical Support.

On April 7, 2014, multiple media outlets reported a vulnerability in OpenSSL (CVE-2014-0160) related to Heartbeat Extension packets (the “Heartbleed” bug) that can lead to data exploitation. Neither of our products, Mobility or Locality, has ever included a version of the OpenSSL library with this vulnerability. There is no need to patch or update the client or server for any of our products. However, we strongly encourage our customers to audit their entire infrastructure to determine if any other components require software updates, for example:

• Any RADIUS server authenticating via EAP-TLS or PEAP, whether collocated or not.
• An OpenVPN access server.
• Any application collocated with the Mobility server.

According to OpenVPN, the access server accessible from your Mobility console may be vulnerable. We’ve shipped support for two versions:

• V1.6.1 (Not Vulnerable)
• V1.8.4 (Vulnerable)

We have validated the least intrusive fix for v1.8.4 as recommended by OpenVPN. Since the vulnerability is remotely exploitable, we recommend that customers take the OpenVPN Server offline until they have installed the fix. For instructions on patching OpenVPN, please visit the Knowledge Base.

Microsoft is discontinuing support for Windows XP on April 8, 2014. After that, no further updates to Windows XP will be provided to address defects or security vulnerabilities and they will no longer provide technical support.

In light of Microsoft’s decision, on January 1, 2015, NetMotion will discontinue support for the Mobility and Locality clients that run on Windows XP, allowing NetMotion users an extra eight months to complete their migration. Additionally, after that date we will no longer offer support for Mobility clients running on Windows Vista, or for Mobility XE v8.0 to 8.51.

After January 1, 2015, customers with these products may receive assistance with migrating to new versions and platforms, but we will no longer test interoperability with newer versions of our products, future client operating systems, or resolve bugs associated with them.

Mobility v10.10 is fully supported on Android 4.0 – 4.3x, but not Android 4.4.x (Kit Kat). Additionally, we are aware of several bugs in Kit Kat that adversely affect VPN functionality. Google is in the process of fixing them and we will release a Mobility client that is fully Kit Kat-compatible after the bugs have been addressed.

NetMotion customers running Mobility v10.10 and earlier for Android should not update to Kit Kat, even if an update is offered by their carrier. Kit Kat is only supported on Mobility v10.51 and above.

Mobility v10.0 is supported on Windows 8.0, but not on Windows 8.1. For any computers running Windows 8.0 with Mobility installed, do not attempt to upgrade the operating system to version 8.1. The upgrade will fail and (in some cases) reverting to Windows 8.0 will also fail. A Windows 8.1-compatible Mobility client is scheduled for release in Q4 2013.

Customers running Mobility v9.50 and v9.51 and FIPS 140-2 libraries, or NSA Suite B may experience a disconnect from the Mobility server, or a significant delay when installing the most recent Microsoft CNG.sys cryptographic library update.

For instructions on remedying this issue, please visit the Knowledge Base.

In the next release of NetMotion Mobility, the database technology used with the Analytics module will move from Microsoft SQL to MySQL. Installing the Analytics module will now always put the reporting server and reporting database together on the same machine. For detailed information on this change, please visit the Knowledge Base.