SecurityTracker.com
Category:   Application (Security)  >   SSH Tectia Server
Vendors:   SSH Communications
SSH Tectia Server May Disclose Private Key to Remote Users
SecurityTracker Alert ID:  1009532
SecurityTracker URL:  http://securitytracker.com/id/1009532
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 23 2004
Impact:   Disclosure of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.0.3, 4.0.4
Description:   A vulnerability was reported in the SSH Tectia Server. A remote user may be able to obtain the server's private host key.

SSH Communications reported that there is a vulnerability in the SSH Tectia Server (Unix) 4.0.3 and 4.0.4 code. The flaw reportedly resides in the password change mechanism that executes the "passwd" program during user authentication to change the user's password when the user's password has expired. This feature is not enabled by default, the vendor said.

A user may be able to gain access to the target system's private host key.

The vendor reports that the Windows version of SSH Tectia Server is not affected and that the older SSH Secure Shell Servers are not affected.

Impact:   A remote user may be able to obtain the target server's private key.
Solution:   The vendor has issued a fixed version (4.0.5), available at:

http://www.ssh.com/support/downloads/tectia-server-unix/

For affected systems, SSH recommends host key regeneration after updating.

Vendor URL:  www.ssh.com/company/newsroom/article/520/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  http://www.ssh.com/company/newsroom/article/520/


http://www.ssh.com/company/newsroom/article/520/

 > Helsinki, Finland - March 23, 2004

 > SSH Tectia Server (Unix) 4.0 Vulnerability in "passwd" Program (VU#814918)

SSH.com reported that there is a vulnerability in the SSH Tectia Server (Unix) 4.0.3 and 
4.0.4 code.  The flaw reportedly resides in the password change mechanism that executes 
the "passwd" program during user authentication to change the user's password when the 
user's password has expired.  This feature is not enabled by default, the vendor said.

A user may be able to gain access to the target system's private host key.

The vendor reports that the Windows version of SSH Tectia Server is not affected and that 
the older SSH Secure Shell Servers are not affected.

The vendor has issued a fixed version (4.0.5), available at:

http://www.ssh.com/support/downloads/tectia-server-unix/

For affected systems, SSH recommends host key regeneration after updating.

 
 

