Sun Ray Desktop Unit to server communication is not encrypted.

From Sun Ray 4 STIG

Part of Sun Ray DTU to server communication not encrypted

Associated with IA controls: DCSR-3, DCSR-1, DCSR-2

SV-17135r1_rule Sun Ray Desktop Unit to server communication is not encrypted.

Vulnerability discussion

In earlier versions of Sun Ray Server Software, data packets on the Sun Ray interconnect were sent in the clear (plaintext). This made it easy to “snoop” the traffic and recover vital and private user information, which malicious users might misuse. To avoid this type of attack, Sun Ray Server Software allows administrators to enable traffic encryption. The encryption algorithm used is ARCFOUR (RC4).

NOTE: Terminal Services for Windows 2000 uses the same RC4 encryption algorithm. RDP traffic is encrypted using 128-bit encryption. The algorithm used for encryption depends on the encryption mode. Windows 2003 is FIPS compliant. In FIPS mode, 3DES and SHA1 are used. In non-FIPS mode, RC4 (encryption) and MD5 (keyed hashing) are used.

Check content

Within the Sun Ray Administration console, perform the following:

1. Select the Advanced Tab.
2. Select the Security Tab.
3. Verify that “Upstream Encryption” and “Downstream Encryption” are checked.
4. If these are not checked, this is a finding.

Fix text

Encrypt Sun Ray traffic to all Desktop Units.
