Helsinki, Finland - August 23, 2006
SSH Tectia Windows Pathname Parsing Vulnerability
Vendor reference number: RQ #13895
A new vulnerability related to pathname parsing has been found in the Windows versions of the SSH Tectia Client/Server/Connector products and the Management Agent component of the SSH Tectia Manager product. The vulnerability can only be exploited by local users who have sufficient privileges to create files in the root of the system disc, in the “Program Files” folder, or in one of its subfolders in Windows. The vulnerability cannot be exploited remotely.
DESCRIPTION
Windows versions of the SSH Tectia products have a pathname parsing bug in sub-process execution. If local users are allowed to create files in the root of the system disc, in the "Program Files" folder, or in its subfolders, a user can plant an executable on the system so that it is executed instead of the correct SSH Tectia sub-component. In effect, this can cause an unauthorized program to be launched with system or another user’s privileges.
AFFECTED PRODUCTS
All Windows platforms are affected for the following products:
- SSH Tectia Client/Server/Connector 5.0.0 and 5.0.1
- SSH Tectia Client/Server version 4.4.5 (and older)
- SSH Tectia Client version 4.3.8K (and older Korean versions)
- SSH Tectia Client version 4.3.1J (and older Japanese versions)
- SSH Tectia Manager version 2.1.2 (and older versions) – Management Agent
FIX
Prohibiting local unprivileged users from creating files in the root of the system disc, the “Program Files” folder, and the SSH Tectia folder and its subfolders can prevent the vulnerability from being exploited. The vulnerability has been fixed in the following product versions:
- SSH Tectia Server/Client 4.4.6
- SSH Tectia Server/Client/Connector 5.0.2
- SSH Tectia Server/Client/Connector 5.1.0
- SSH Tectia Client 4.3.9K
- SSH Tectia Client 4.3.2J
- SSH Tectia Manager 2.1.3
- SSH Tectia Manager 2.2.0
If you have a valid license file for one of the above product versions, you can get the updated package from:
http://www.ssh.com/support/downloads/
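The locations named in the DESCRIPTION and FIX sections (the root of the system disc, “Program Files” and its subfolders) are the ones Windows probes when a sub-process command line containing spaces is passed to CreateProcess unquoted. The following is an added example, not code from SSH Tectia or from this advisory; it assumes that mechanism, which the advisory does not spell out, and uses a constructed install path. It lists the files an administrator should confirm are absent, and shows that quoting the executable path removes the ambiguity.

```python
import ntpath
import os

def shadow_candidates(command_line):
    """Paths Windows tries before the intended executable when command_line
    is given to CreateProcess unquoted and without lpApplicationName."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        return []  # quoted module name: only the intended file is tried
    candidates = []
    pos = command_line.find(" ")
    while pos != -1:
        prefix = command_line[:pos]
        ext = ntpath.splitext(prefix)[1].lower()
        if ext == ".exe":
            break  # assumption: first token ending in .exe is the real target
        if not prefix.endswith(("\\", " ")):
            # Windows appends .exe when the file name has no extension
            candidates.append(prefix if ext else prefix + ".exe")
        pos = command_line.find(" ", pos + 1)
    return candidates

def planted(command_line, exists=os.path.isfile):
    """Candidates that are present on disk and would run in place of the target."""
    return [p for p in shadow_candidates(command_line) if exists(p)]

# Constructed sample; the install path is hypothetical, not a real SSH Tectia path.
SAMPLE = r"C:\Program Files\Example Vendor\Example App\helper.exe --child 3"

if __name__ == "__main__":
    for path in shadow_candidates(SAMPLE):
        state = "PRESENT, investigate" if os.path.isfile(path) else "absent"
        print(f"{path}: {state}")
    quoted = '"' + SAMPLE.split(" --")[0] + '" --child 3'
    print("quoted form:", shadow_candidates(quoted))
```

A file found at any listed path, combined with write access for unprivileged users to that folder, is the condition the FIX section tells administrators to remove.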
ACKNOWLEDGEMENTS
We would like to thank Mr. Charles Morris (http://www.cs.odu.edu/~cmorris/) for reporting this issue.
SSH Communications Security apologizes for any inconvenience that this vulnerability may have caused. We take the security of our customers' systems very seriously and do our utmost to provide secure software with minimum defects. We strongly urge all customers to consider the implications of this vulnerability carefully and to make an educated decision on whether or not to update.
SSH Corp. Contact
George Adams
SSH Communications Security Corp.
Tel: +1 781 247 2100
Americas Contact
Byron Rashed
SSH Communications Security, Inc.
Tel: +1 650 251 2721
Europe Contact
Bo Sorensen
SSH Communications Security Corp.
Tel: +358 20 500 7404
Investor Relations
Mika Peuranen
SSH Communications Security Corp.
Tel: +358 20 500 7419
U.S. Agency Contact
Cheryl Seaberg
Walt & Company
Tel: +1 408 496 0900 x 2981
Shiho Hashimoto
SSH Communications Security Corp.
Tel: +358 20 500 7470
