News

Vendor reference number: RQ #14291

In our internal ongoing quality assurance, which is constantly done also for general availability releases, we have found a bug in the Management Agent component of the SSH Tectia Manager software that can under certain rare circumstances cause the Unix management agent to restart a non-privileged process with root permissions.

DESCRIPTION

The exact conditions for the vulnerability to occur are the following:
1) The real managed sshd binary has stopped.
2) User has started his own non-privileged binary called sshd.
3) Management agent is instructed to restart the sshd server by pressing the Management server "Restart" button in Management server GUI.
4) Management agent reads through the process list, kills the non-privileged sshd server, and restarts the same binary with root permissions.

By exploiting the vulnerability, local user can gain root/privileged access to the local server.

AFFECTED PRODUCTS

The affected products are:

• SSH Tectia Manager version 2.1.2 – Management Agent (and older versions)

The vulnerability affects Management Agents on the following OS versions:

• HP-UX 11.00, 11i v1 (PA-RISC)
  
• HP-UX 11i v1.6, 11i v2 (IA64)
  
• IBM AIX 4.3.3, 5.1, 5.2, 5.3 (POWER)
  
• Red Hat Linux 7.3, 8.0, 9 (x86)
  
• Red Hat Enterprise Linux 3, 4 (x86)
  
• Sun Solaris 2.6, 7, 8, 9, 10 (SPARC)
  
• SUSE LINUX 9.0, 9.1, 9.2 Professional (x86)
  
• SUSE LINUX Enterprise Server 9 (x86)

FIX

Upgrade to one of the non-vulnerable product versions:

• SSH Tectia Manager 2.1.3
  
• SSH Tectia Manager 2.2.0

SSH Communications Security apologizes for any inconvenience that this vulnerability may have caused. We take security of the systems of our customers very seriously and do our utmost to provide secure software with minimum defects. We strongly urge all customers to consider the implications of this vulnerability carefully and to make an educated decision on whether or not to update.