NIAP: Assurance Continuity
NIAP/CCEVS
  NIAP  »»  Product Compliant List  »»  Product Entry  »»  Assurance Continuity  
Assurance Continuity - Maintenance Update of AhnLab MDS, MDS with MTA, and MDS Manager V2.1

Date of Maintenance Completion:  2018.04.30

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 1.0

Original Evaluated TOE:  2017.05.08 - AhnLab MDS, MDS with MTA, and MDS Manager v2.1

CC Certificate [PDF] Validation Report [PDF] Assurance Activity [PDF]

Administrative Guide [PDF]

Please note:  The above files are for the Original Evaluated TOE.  Consequently, they do not refer to this maintained version, although they apply to the maintained version. 

Security Target [PDF] * Assurance Continuity Maintenance Report [PDF] Administrative Guidance [PDF]

Please note:  This serves as an addendum to the VR for the Original Evaluated TOE. 

* This is the Security Target (ST) associated with the latest Maintenance Release.  To view previous STs for this TOE, click here.

Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product.  Maintenance only considers the affect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate.  Such assurance can only be gained through re-evaluation. 

Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of changes on the TOE are considered minor and that independent evaluator analysis was not necessary.  A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original validation report and Security Target.  Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents. 

Product Description

For this Assurance Continuity, the following firmware version updates were released:

·         The Data Viewer software was updated affecting all of the TOE components.

·         Two new equivalent appliance models were been added to the evaluation.

·         Gentoo Linux was updated, affecting the MDS Manager for mitigating the Spectre/Meltdown vulnerabilities.

·         Linux Kernel was updated, affecting the MDS and MDS/MTA, and MDS Manager for mitigating the Spectre/Meltdown vulnerabilities.

In addition, two new TOE appliance models:

Device

Main Processor

Storage

Network Ports

Operating System

MDS Manager  5000AR

Intel Xeon Quad Core

HDD: 1TB*2ea,  2TB*2ea

Main: 32GB

1G Ports(Copper) 2ea

3.14.48-gentoo

(kernel 4.16.4)

MDS Manager  10000AR

Intel Xeon 6 Core

HDD: 2TB*2ea,  4TB*2ea

Main: 64GB

1G Ports(Copper) 2ea

3.14.48-gentoo

(kernel 4.16.4)

 

In order to support the addition of the new appliances, and mitigating newly found vulnerabilities, the TOE’s firmware was upgraded and included various changes and third party updates.

The Data Viewer software version 2.1.8.26 was updated to software version 2.1.8.29.  This software change affected all of the products that comprise the TOE.

The third party updates were necessary to mitigate vulnerabilities since the last IAR submission including the Spectre/Meltdown vulnerabilities.   The Data Viewer 2.1.8.29 update did not introduce any new product features or bug fixes.

 

From

To

OpenSSL 1.0.2k

OpenSSL 1.0.2n

OpenSSH 7.5p1

OpenSSH 7.6p1

Nginx 1.11.1

Nginx 1.13.7

PostgreSQL  9.6.2

PostgreSQL  9.6.6

Linux 3.14.18

Linux 4.16.4

3.8.13-gentoo

3.14.48-gentoo

(kernel 4.16.4)

 

Vulnerabilities were identified in the MDS Manager 3.8.13-gentoo Linux.   The vulnerabilities, including the Spectre/Meltdown vulnerabilities were mitigated by updating MDS Manager operating system to 3.14.48-gentoo (kernel 4.16.4) Linux. 

The Spectre/Meltdown vulnerabilities were identified in Linux 3.14.18, affecting the MDS and MDS with MTA appliances.   The vulnerabilities were mitigated by updating the MDS and MDS/MTA Linux kernel to version 4.16.4.

The AhnLab MDS ACM v1.0 (Firmware) was not affected by the third party software updates, including the update to Linux kernel 4.16.4.   The TOE updates of the OpenSSL 1.0.2n and OpenSSH 7.6p1did not affect the CAVP certifications since the AhnLab Cryptographic Module (ACM) binary was not been modified.

 

In addition, to also address Spectre/Meltdown, AhnLab provided guidance for obtaining a BIOS microcode patch released by the Dell hardware manufacturer for MDS/MDS with MTA 4000, 8000, 10000, and MDS Manger 5000AR, 10000AR.   Updates for the other Ahnlab devices will be made available when Dell has provided the patch.  AhnLab will update the products as soon as the BIOS updates are made available by Dell. 

None of the software updates affected the security functionality or the SFRs identified in the Security Target and are considered to be minor changes.

Changes to Evaluation Documents:

·         ST: modified to include updated list newly added hardware appliances and to update the listing of software version;

·         Common Criteria Compliance Guide: updated the list of TOE Hardware Models to include the newly added hardware appliances. 

Regression Testing:

Regression testing was performed for the Data Viewer 2.1.8.29 update that mitigates the Spectre/Meltdown vulnerabilities.   Testing included normal operation such as booting up, as well as an administrator connecting to The TOE via TLS GUI and SSH, to verify correct operation.   Testing was done to verify the security functionality identified in the Security Target as well as the core functions provided by MDS, MDS with MTA, and MDS Manager.

Various test cases were sampled, described in updated test evidence, and validated with the current (revised) version of the firmware on the additional MDS Manager devices.   Test results were found consistent with the previous test results.

Testing was also performed on the two new MDS Manager devices.   The testing verified that the two new MDS Manager devices and Data Viewer software generated the correct results and did not affect the security functionality defined in the Security Target.

The same version of the Data Viewer software was implemented on all TOE devices including the MDS, MDS with MTA, and the MDS Manager.  Since testing verified the correct operation on the MDS Manager, the same software will produce equivalent results on all of the TOE devices.

Vulnerability Analysis:

The vendor conducted analysis searching for any new vulnerabilities that may have been identified since the evaluation completed. The firmware update was made to address newly discovered vulnerabilities but no security functionality was affected.

The CAVP certificates for the AhnLab MDS ACM, Version 1.0 crypto module were also verified to be current and active.

Vendor Information

Logo
AhnLab
David Eung-Soo, Kim
+82 32 722 7872
+82 32 722 8901
eungsoo.kim@ahnlab.com

http://global.ahnlab.com/site/product/productSubDetail.do?prodSeq=15231
Site Map              Contact Us              Home