The SAS/CONNECT spawner might be flagged by security vulnerability scanners as being vulnerable due to using an unencrypted Telnet server. By default, the SAS/CONNECT spawner does not use Telnet services. However, if you start the SAS/CONNECT spawner without specifying the -NOCLEARTEXT parameter, then client applications are able to use Telnet services to connect to the spawner's -service TCP_port.

Workarounds

Choose the workaround that is appropriate for your spawner's configuration:

• For a SAS/CONNECT spawner that is part of a SAS^® Foundation configuration, add the -NOCLEARTEXT spawner parameter to the spawner start-up process. Then, stop and restart the SAS/CONNECT spawner. For details, refer to the "Options for Starting and Managing the SAS/CONNECT Spawner" section of Communications Access Methods for SAS/CONNECT^® 9.4 and SAS/SHARE^® 9.4, Second Edition.
• For a SAS/CONNECT spawner that is configured as part of a SAS^® Metadata Server environment, choose one of the workarounds below. Once you have implemented the workaround, either stop or restart the SAS/CONNECT spawner or refresh the SAS/CONNECT spawner from SAS^® Management Console.
   
  • For UNIX and z/OS hosts, add the following to SAS-configuration-directory/LevX/ConnectSpawner_usermods.sh:

USERMODS_OPTIONS=-NOCLEARTEXT

• • For Windows hosts, add the following to SAS-configuration-directory\LevX\ConnectSpawner_usermods.bat:

set USERMODS_OPTIONS=-NOCLEARTEXT

After the SAS/CONNECT Spawner is started with the -NOCLEARTEXT parameter, any Telnet clients trying to connect will fail with the following message, after authentication:

"Client connection xxxxxxx communicating without encryption but connections from clients that do not support encryption are not allowed.
Connection to host lost."

The SAS/CONNECT spawner will still be flagged by the security scanner because the SAS/CONNECT Spawner checks authentication before checking encryption capabilities. If you receive the above message when testing a Telnet connection to the SAS/CONNECT spawner's -SERVICE port, the security scan is a false positive and can be ignored.

Note: Refer to the above documentation for additional steps for handling a Windows service (stop service, remove service, install service and start service) after making these changes.

Beginning in SAS^® 9.4 TS1M5, -NOCLEARTEXT will be the default setting and will no longer need to be added manually. Also, no false positives will be seen due to the connection being broken before credentials are checked.