SSH Tectia Server 4.3/4.4 SFTP Vulnerability
A vulnerability has been found in the SFTP server (sftp-server) component of SSH Tectia Server 4.4.0 and earlier. If you are running an affected product version, read through this document carefully, evaluate the exposure in your environment, and implement the fix based on the implications.
Description
The SFTP server process, which handles file transfer operations such as scp2 and sftp2, contains a programming error that can put system security at risk. In certain situations the name of the file being accessed is written to the system log. When this happens, the file name is passed to the logging function in a form in which it is later erroneously processed (treated as something other than opaque data to be recorded), which may cause uncontrolled stack access.
There are two different ways to exploit the vulnerability:
1) A user who is only allowed to perform file transfers, but not to run other commands on the server, may be able to trigger this error and thereby gain the ability to execute other commands as well.
2) A user (A) who has logged into the system may be able to create a file that triggers the error when it is accessed by another user (B), possibly enabling user A to execute a command as user B.
In both cases the vulnerability can only be exploited by an authorized user of the SFTP server; it is not reachable before authentication.
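The defect described above, as an added illustration that is not SSH Tectia's code: the advisory does not name the bug class, so the shape shown here (a file name that ends up being used as a printf-style format string when the log line is written, which is one way a logging call leads to uncontrolled stack access) is an assumption consistent with its wording. The function names, the buffer size and the sample file names are invented for the example, and the loggers render into a buffer instead of calling syslog() so the effect can be observed.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration; this is not SSH Tectia source code. The defect class
 * shown (user data used as a printf-style format string) is an assumption
 * that matches the advisory's wording, not a statement about the real
 * sftp-server. Both loggers render into a caller-supplied buffer instead of
 * calling syslog(), so the difference can be checked in a test. */

#define LOG_MAX 256   /* assumed log line size for the example */

/* Vulnerable shape (assumed): the file name is first interpolated into a
 * message, and the finished message is then handed to a printf-style sink
 * as its *format*. Any '%' in the name is interpreted at that point: "%x"
 * reads stack slots no caller supplied, "%n" writes through them. The demo
 * uses only "%%", whose effect (collapsing to "%") is well defined; feeding
 * other directives through this path is undefined behaviour in C. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_open_vulnerable(const char *filename, char *out, size_t outlen)
{
    char msg[LOG_MAX];
    /* Step 1 is fine: the name is an argument, not the format. */
    snprintf(msg, sizeof msg, "sftp-server: open %s", filename);
    /* Step 2 is the bug: msg, which now carries user data, is the format. */
    return snprintf(out, outlen, msg);
}
#pragma GCC diagnostic pop

/* Hardened shape: user data always travels as a "%s" argument and is never
 * part of the format, so a '%' in a file name is logged literally. */
int log_open_hardened(const char *filename, char *out, size_t outlen)
{
    return snprintf(out, outlen, "sftp-server: open %s", filename);
}

/* Check helper: render one log line through `logger` and compare it with the
 * text an operator would expect to find in the system log. Returns 1 when
 * the rendered line equals `expected`, 0 otherwise. */
int render_matches(int (*logger)(const char *, char *, size_t),
                   const char *filename, const char *expected)
{
    char out[LOG_MAX];
    if (logger(filename, out, sizeof out) < 0)
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed sample names: a harmless one, and one carrying a directive
     * (scenario 2 in the advisory: user A creates it, user B's access logs it). */
    const char *names[] = { "plain.txt", "report%%final.txt" };
    char out[LOG_MAX];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        log_open_vulnerable(names[i], out, sizeof out);
        printf("vulnerable: %s\n", out);
        log_open_hardened(names[i], out, sizeof out);
        printf("hardened:   %s\n", out);
    }
    return 0;
}
```

For a harmless name both loggers produce the same line, which is why the advisory speaks of "certain situations": the bug is only visible when the name contains a directive. Without the pragmas, gcc or clang with -Wformat=2 (or just -Wformat-security) flags the second snprintf at build time, which is the cheapest way to hunt for this pattern in a code base.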
Affected products
* SSH Tectia Server 4.4.0 (A and T) - all platforms
* SSH Tectia Server 4.3.6 (A and T) and earlier - all platforms
* SSH Secure Shell Server 3.2.9 and earlier - all platforms
The following products are NOT affected:
* SSH Tectia Client
* SSH Tectia Connector
* SSH Tectia Server (M) for IBM mainframes
* SSH Tectia Server 5.x (A, F, and T)
Fix
If you are running an affected version, you should immediately update your servers to SSH Tectia Server 4.3.7 or 4.4.2. Until the update can be applied, it is possible to disable the SFTP server functionality by removing the line that begins with "subsystem-sftp" from the SSH Tectia Server configuration file /etc/ssh2/sshd2_config. The change takes effect for new connections once the server has re-read its configuration (restart sshd2 if in doubt). After this, file transfer operations (e.g. scp2 and sftp2) with the server are not possible. Once the system has been upgraded, SFTP can be enabled again in the server configuration.
Updating SSH Tectia Server
If you have a valid SSH Tectia Server 4.3 or 4.4 license file, you can get the update package (SSH Tectia Server 4.3.7 or 4.4.2) for this product from: http://www.ssh.com/support/downloads/
SSH Communications Security apologizes for any inconvenience that this vulnerability may have caused. We take the security of our customers' systems very seriously and do our utmost to provide secure software with a minimum of defects. We strongly urge all customers to consider the implications of this vulnerability carefully and to make an educated decision on whether or not to update.
About SSH Communications Security
SSH Communications Security is a world-leading provider of enterprise security solutions and end-to-end communications security, and the original developer of the Secure Shell protocol. The company's SSH Tectia solution addresses the most critical needs of large enterprises, financial institutions, and government agencies. With SSH Tectia, organizations can cost-effectively secure their system administration, file transfers and application connectivity against both internal and external security risks. As the original developer of the Secure Shell protocol and other key network security technologies, SSH has for 10 years developed end-to-end communications security solutions specifically for the enterprise. Currently more than 100 of the Global Fortune 500 companies are using SSH security solutions. SSH shares are quoted on the Helsinki Exchanges Main List. For more information, please visit www.ssh.com.
SSH Corp. Contact
George Adams
SSH Communications Security Corp.
Tel: +1 781 247 2100
Americas Contact
Byron Rashed
SSH Communications Security, Inc.
Tel: +1 650 251 2721
Europe Contact
Bo Sorensen
SSH Communications Security Corp.
Tel: +358 20 500 7404
Investor Relations
Mika Peuranen
SSH Communications Security Corp.
Tel: +358 20 500 7419
U.S. Agency Contact
Cheryl Seaberg
Walt & Company
Tel: +1 408 496 0900 x 2981
© 2005 SSH Communications Security Corp. All rights reserved. ssh® is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. All other names and marks are property of their respective owners.
