LogonBox 2.3.10 Released

admin

Identity Manager 2.3.10 Security Update

We have discovered a vulnerability in our Credential Provider implementation that requires an immediate patch. After further testing the provider, we found that a logged-off user with some system knowledge can execute privileged commands from the login prompt.

This vulnerability affects server versions 2.3.0 through to and including 2.3.9 when used with Credential Provider builds 3.0 and 4.0.

We have fixed this issue with an update to the Credential Provider, which stands at version 4.1 and is already available via the download link within the affected versions and this latest update. You can also download the patched clients directly from the URLs provided at the end of this email.

There is also a new 2.3.10 server release that mitigates the problem in most circumstances without installing updated Credential Providers. We recommend this as the first course of action. Once the 2.3.10 update is installed, your systems will not be susceptible, even with earlier Credential Providers still deployed. However, if you are using Duo or another authentication mechanism that redirects to an external third-party authentication system, you must also upgrade the Credential Provider to resolve the issue.

Most of our public cloud customers are unaffected by this issue because most cloud tenants are still on the earlier 2.2 release. A few newer cloud customers will be affected, and our support team will reach out to you to arrange the upgrade of the tenant. Cloud customers on a 2.3 release can deploy the updated Credential Provider to mitigate the issue before the tenant upgrade.

If you have any concerns about this issue or would like to discuss it further, don't hesitate to contact us at support@logonbox.com.

Updated credential providers are at:
https://logonbox-desktop.s3.eu-west-1.amazonaws.com/4.1/LogonBox+Credential+Provider.exe

https://logonbox-desktop.s3.eu-west-1.amazonaws.com/4.1/LogonBox+Credential+Provider.msi


Changes in 2.3.10

Features:

  • The default behaviour of the left menu has changed. It is now pinned open by default, making it easier for users to see that the menu exists on their account.
  • Added a Synchronise Profile option in the options menu on the Users page to force the system to recheck a user's profile complete status. This option also exists as a Force Sync link when you expand a user.
  • Expanding a user with the + button on the Users page now shows more information on a user's profile completion status, along with the complete/incomplete state of all assigned authentication modules.
  • The Users page has two new filters added. You can now filter users by 'Users not logged on in the last 30 days' and 'Users who have never logged on'.


Bugs:

  • The system should now prompt for all missing information for every authentication module a user has access to when they log on to My Account.
  • Changed how user properties are handled on a synchronise to resolve performance issues on a reconcile.
  • User delegations now work with nested groups on a sub-realm.
  • When a user session times out whilst the left menu is pinned open, it no longer displays over the portal page.
  • When a user session times out, the menu still works without having to refresh the page.
  • Azure Include/Exclude group filters now work regardless of the Pre-load option value.
  • When using an Automation to perform a Generate Audit CSV task, choosing Last Week or Last Month options no longer results in an error.
  • Invalid OTP entry results in an invalid credentials event rather than an invalid principal name in the Audit Log.
  • Duo authenticator now works as expected on Windows Desktop login.


Thanks,
The LogonBox team.