Helsinki, Finland -
June 30, 2005
SSH Tectia Server Private Key Permission Vulnerability in Windows
SSH Communications Security >> http://www.ssh.com
======================================================
[SSH Tectia Server Private Key Permission Vulnerability in Windows]
< June 30, 2005 >
======================================================
Vendor reference number: RQ #11775
When SSH Tectia Server in Windows generates a host identification key (the Secure Shell host key), it sets insufficient file permissions. As a result, any user who has been successfully authenticated to the server and can access the local file system, can also access the Windows server's host identification key (the Secure Shell host key) without having administrative privileges.
Furthermore, it is possible that this user makes a copy of the server's host identification key and installs it in a server that can now pretend to be the original server. If the authentication on such server relies solely on passwords, it can potentially be used to collect passwords. This exploit would require also other active attacks against the network since connections to the original server would need to be diverted towards the malicious server.
We are not aware of any existing exploits of this specific vulnerability.
* SSH Secure Shell for Windows Servers (all versions)
* SSH Tectia Server (Windows) 4.3.1 and older versions
Other than Windows versions are NOT affected.
SSH Tectia Server 4.3.2 fixes the vulnerability by changing the private key permissions so that the file is only readable by the owner and system accounts. The permissions of existing private keys are changed during the software update and when new private keys are generated, they have the proper permissions set.
Alternatively, the host key file can be made readable only for the Administrator group. The default location of the secret part of the host key is
C:\Program Files\SSH Communications Security\SSH Secure Shell Server\hostkey
The default location of the file may have been modified in the server configuration.
In both cases, whether the SSH Tectia Server software is updated or permissions are manually updated, we strongly recommend updating all old Windows server keys. The SSH Tectia Server 4.3.2 update does not automatically update the keys. Note that once the server key has been updated, a warning message will appear in clients connecting to the server and manual key hash verification is required.
If you have a valid SSH Tectia Server 4.3.x license file, you can get the update package for this product from
http://www.ssh.com/support/downloads/tectia-server/updates-and-packages-4-3.html
SSH Communications Security apologizes for any inconvenience that this vulnerability may have caused. We take security of the systems of our customers very seriously and do our utmost to provide secure software with minimum defects. We strongly urge all customers to consider the implications of this vulnerability carefully and to make an educated decision on whether or not to update.
======================================================
# SSH Security Alert Mailing List #
----------------------------------------------------
This e-mail has been sent to the users of SSH products and others who have been in contact with us in the past and who have agreed that we send you security alerts.
To unsubscribe from the mailing list, send a blank e-mail to ssh-news-alert-unsubscribe@lists.ssh.com from the e-mail account you wish to unsubscribe, or visit
http://www.ssh.com/company/newsroom/unsubscribe.mpl .
======================================================
Sincerely,
SSH Communications Security >> http://www.ssh.com
Shiho Hashimoto
SSH Communications Security Corp.
Tel: +358 20 500 7470
E-mail:
======================================================
[SSH Tectia Server Private Key Permission Vulnerability in Windows]
< June 30, 2005 >
======================================================
Vendor reference number: RQ #11775
DESCRIPTION
When SSH Tectia Server in Windows generates a host identification key (the Secure Shell host key), it sets insufficient file permissions. As a result, any user who has been successfully authenticated to the server and can access the local file system, can also access the Windows server's host identification key (the Secure Shell host key) without having administrative privileges.
Furthermore, it is possible that this user makes a copy of the server's host identification key and installs it in a server that can now pretend to be the original server. If the authentication on such server relies solely on passwords, it can potentially be used to collect passwords. This exploit would require also other active attacks against the network since connections to the original server would need to be diverted towards the malicious server.
We are not aware of any existing exploits of this specific vulnerability.
AFFECTED PRODUCTS
* SSH Secure Shell for Windows Servers (all versions)
* SSH Tectia Server (Windows) 4.3.1 and older versions
Other than Windows versions are NOT affected.
FIX / WORK-AROUND
SSH Tectia Server 4.3.2 fixes the vulnerability by changing the private key permissions so that the file is only readable by the owner and system accounts. The permissions of existing private keys are changed during the software update and when new private keys are generated, they have the proper permissions set.
Alternatively, the host key file can be made readable only for the Administrator group. The default location of the secret part of the host key is
C:\Program Files\SSH Communications Security\SSH Secure Shell Server\hostkey
The default location of the file may have been modified in the server configuration.
In both cases, whether the SSH Tectia Server software is updated or permissions are manually updated, we strongly recommend updating all old Windows server keys. The SSH Tectia Server 4.3.2 update does not automatically update the keys. Note that once the server key has been updated, a warning message will appear in clients connecting to the server and manual key hash verification is required.
UPDATING SSH TECTIA SERVER
If you have a valid SSH Tectia Server 4.3.x license file, you can get the update package for this product from
http://www.ssh.com/support/downloads/tectia-server/updates-and-packages-4-3.html
SSH Communications Security apologizes for any inconvenience that this vulnerability may have caused. We take security of the systems of our customers very seriously and do our utmost to provide secure software with minimum defects. We strongly urge all customers to consider the implications of this vulnerability carefully and to make an educated decision on whether or not to update.
======================================================
# SSH Security Alert Mailing List #
----------------------------------------------------
This e-mail has been sent to the users of SSH products and others who have been in contact with us in the past and who have agreed that we send you security alerts.
To unsubscribe from the mailing list, send a blank e-mail to ssh-news-alert-unsubscribe@lists.ssh.com from the e-mail account you wish to unsubscribe, or visit
http://www.ssh.com/company/newsroom/unsubscribe.mpl .
======================================================
Sincerely,
SSH Communications Security >> http://www.ssh.com
SSH Corp. Contact
George Adams
SSH Communications Security Corp.
Tel: +1 781 247 2100
E-mail: 
Americas Contact
Byron Rashed
SSH Communications Security, Inc.
Tel: +1 650 251 2721
E-mail: 
Europe Contact
Bo Sorensen
SSH Communications Security Corp.
Tel: +358 20 500 7404
E-mail: 
Investor Relations
Mika Peuranen
SSH Communications Security Corp.
Tel: +358 20 500 7419
E-mail: 
U.S. Agency Contact
Cheryl Seaberg
Walt & Company
Tel: +1 408 496 0900 x 2981
E-mail: 
Shiho Hashimoto
SSH Communications Security Corp.
Tel: +358 20 500 7470
E-mail:
© 2005 SSH Communications Security Corp. All rights reserved. ssh® is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. All other names and marks are property of their respective owners.