SSH Tectia Server 5.0.0 Host-Based Authentication Vulnerability
======================================================
December 15, 2005
======================================================
Vendor reference number: RQ #13139
In our internal ongoing quality assurance, which is constantly performed also for
general availability releases, we have found a bug related to host-based
authentication in SSH Tectia Server 5.0.0. This bug can create a vulnerability
in systems that rely exclusively on host-based authentication.
DESCRIPTION
A user can log in with wrong credentials to a server running SSH Tectia Server
version 5.0.0 when the server is configured to allow user login with
host-based authentication only.
Exploiting the vulnerability would require that the attacker first logs in
to a host which is specified as an authorized host in the vulnerable
server. This means that the vulnerability cannot be exploited by connecting
to the server from an arbitrary host.
AFFECTED PRODUCTS
* SSH Tectia Server 5.0.0 (A, F, and T) (all Windows, Linux and Unix)
Older SSH Tectia Server versions are NOT affected. SSH Tectia Server (M) for
IBM mainframes is NOT affected.
Note that host-based authentication is NOT enabled by default in SSH Tectia
Server 5.0.0.
FIX / WORK-AROUND
If you are using host-based authentication in SSH Tectia Server 5.0.0, you
should immediately disable that authentication method. Next, you should
update SSH Tectia Server 5.0.0 to SSH Tectia Server 5.0.1, which will fix
the vulnerability. Once the update has been made, you can safely enable
host-based authentication again.
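The condition the advisory describes (a 5.0.0 server whose only enabled authentication method is host-based) is easy to check mechanically. The following audit helper is an added example written for this advisory; it is not vendor code. It assumes the server configuration is an XML file in the style of ssh-server-config.xml, with enabled methods appearing as <auth-hostbased/>, <auth-publickey/>, <auth-password/> ... elements inside <authentication> blocks under <authentication-methods>, and a <secsh-server> root; those element names and the sample configurations are assumptions made here, not taken from the advisory.

```python
"""Audit helper for the SSH Tectia Server 5.0.0 host-based authentication
advisory (vendor reference RQ #13139). Added example, not vendor code.

Assumed (not stated in the advisory): the server configuration is XML in the
style of ssh-server-config.xml, where enabled methods appear as <auth-*/>
elements inside <authentication> blocks under <authentication-methods>.
"""
import xml.etree.ElementTree as ET

AFFECTED = (5, 0, 0)   # the only affected release named in the advisory
FIXED = (5, 0, 1)      # the release that fixes it


def parse_version(text):
    """'5.0.0' -> (5, 0, 0); a trailing build suffix such as '5.0.1-123' is ignored."""
    core = text.strip().split("-")[0]
    return tuple(int(p) for p in core.split("."))


def version_is_affected(text):
    """Older releases and 5.0.1 are not affected; only 5.0.0 is."""
    return parse_version(text) == AFFECTED


def enabled_auth_methods(config_xml):
    """Set of auth-* element tags found anywhere under <authentication-methods>."""
    root = ET.fromstring(config_xml)
    methods = set()
    for section in root.iter("authentication-methods"):
        for elem in section.iter():
            if elem.tag.startswith("auth-"):
                methods.add(elem.tag)
    return methods


def hostbased_only(config_xml):
    """True when host-based auth is enabled and no other method is configured:
    the exact setup the advisory says makes a 5.0.0 server exploitable."""
    return enabled_auth_methods(config_xml) == {"auth-hostbased"}


def assess(version, config_xml):
    """Return a list of findings for one server; an empty list means nothing to do."""
    findings = []
    affected = version_is_affected(version)
    methods = enabled_auth_methods(config_xml)
    if affected and methods == {"auth-hostbased"}:
        findings.append("VULNERABLE: 5.0.0 with host-based authentication as the only "
                        "method; disable auth-hostbased now, then update to 5.0.1")
    elif affected and "auth-hostbased" in methods:
        findings.append("REVIEW: 5.0.0 with host-based authentication enabled alongside "
                        "other methods; update to 5.0.1")
    elif affected:
        findings.append("UPDATE: 5.0.0 without host-based authentication (the default); "
                        "update to 5.0.1 before enabling it")
    return findings


# Constructed sample configurations for the audit (assumed schema, not from the advisory).
HOSTBASED_ONLY_CFG = """<secsh-server>
  <authentication-methods>
    <authentication>
      <auth-hostbased/>
    </authentication>
  </authentication-methods>
</secsh-server>"""

MIXED_CFG = """<secsh-server>
  <authentication-methods>
    <authentication>
      <auth-hostbased/>
      <auth-publickey/>
    </authentication>
  </authentication-methods>
</secsh-server>"""

# The work-around applied: host-based authentication removed, public key kept.
HARDENED_CFG = """<secsh-server>
  <authentication-methods>
    <authentication>
      <auth-publickey/>
    </authentication>
  </authentication-methods>
</secsh-server>"""

if __name__ == "__main__":
    for ver, cfg, label in [("5.0.0", HOSTBASED_ONLY_CFG, "5.0.0 host-based only"),
                            ("5.0.0", MIXED_CFG, "5.0.0 mixed"),
                            ("5.0.0", HARDENED_CFG, "5.0.0 after work-around"),
                            ("5.0.1", HOSTBASED_ONLY_CFG, "5.0.1 host-based only")]:
        print(label, "->", assess(ver, cfg) or ["OK"])
```

Run it against the version string and configuration of each server in an inventory; a "VULNERABLE" finding corresponds to the first step of the work-around above (disable the method), and any finding on 5.0.0 corresponds to the second (update to 5.0.1).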
UPDATING SSH TECTIA SERVER
If you have a valid SSH Tectia Server 5.0.0 license file, you can get the
update package for this product from:
http://www.ssh.com/support/downloads/tectia-server/updates-and-packages-5-0.html
SSH Communications Security apologizes for any inconvenience that this
vulnerability may have caused. We take security of the systems of our
customers very seriously and do our utmost to provide secure software with
minimum defects. We strongly urge all customers to consider the implications
of this vulnerability carefully and to make an educated decision on whether
or not to update.
======================================================
# SSH Security Alert Mailing List #
------------------------------------------------------
This e-mail has been sent to the users of SSH products and others who have
been in contact with us in the past and who have agreed that we send you
security alerts.
To unsubscribe from the mailing list, send a blank e-mail to
ssh-news-alert-unsubscribe@lists.ssh.com from the e-mail account you wish to
unsubscribe, or visit
http://www.ssh.com/company/newsroom/unsubscribe.mpl.
======================================================
Sincerely,
SSH Communications Security >> http://www.ssh.com
SSH Corp. Contact
George Adams
SSH Communications Security Corp.
Tel: +1 781 247 2100
E-mail:
Americas Contact
Byron Rashed
SSH Communications Security, Inc.
Tel: +1 650 251 2721
E-mail:
Europe Contact
Bo Sorensen
SSH Communications Security Corp.
Tel: +358 20 500 7404
E-mail:
Investor Relations
Mika Peuranen
SSH Communications Security Corp.
Tel: +358 20 500 7419
E-mail:
U.S. Agency Contact
Cheryl Seaberg
Walt & Company
Tel: +1 408 496 0900 x 2981
E-mail:
© 2005 SSH Communications Security Corp. All rights reserved. ssh® is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. All other names and marks are property of their respective owners.
