P-257: SSH Tectia Server Private Key Permission Vulnerability in Windows

[***** Start SSH Vendor Reference Number: RQ#11775 *****]

SSH Tectia Server Private Key Permission Vulnerability in Windows 
  
 
 SSH Communications Security >> http://www.ssh.com
======================================================

[SSH Tectia Server Private Key Permission Vulnerability in Windows] 
< June 30, 2005 >

======================================================

Vendor reference number: RQ #11775



DESCRIPTION

When SSH Tectia Server in Windows generates a host identification key (the Secure Shell host key), 
it sets insufficient file permissions. As a result, any user who has been successfully authenticated 
to the server and can access the local file system, can also access the Windows server's host 
identification key (the Secure Shell host key) without having administrative privileges. 

Furthermore, it is possible that this user makes a copy of the server's host identification key and 
installs it in a server that can now pretend to be the original server. If the authentication on such 
server relies solely on passwords, it can potentially be used to collect passwords. This exploit would 
require also other active attacks against the network since connections to the original server would 
need to be diverted towards the malicious server.

We are not aware of any existing exploits of this specific vulnerability.



AFFECTED PRODUCTS

* SSH Secure Shell for Windows Servers (all versions)
* SSH Tectia Server (Windows) 4.3.1 and older versions

Other than Windows versions are NOT affected.



FIX / WORK-AROUND

SSH Tectia Server 4.3.2 fixes the vulnerability by changing the private key permissions so that the 
file is only readable by the owner and system accounts. The permissions of existing private keys are 
changed during the software update and when new private keys are generated, they have the proper permissions 
set.

Alternatively, the host key file can be made readable only for the Administrator group. The default location 
of the secret part of the host key is

C:\Program Files\SSH Communications Security\SSH Secure Shell Server\hostkey

The default location of the file may have been modified in the server configuration.

In both cases, whether the SSH Tectia Server software is updated or permissions are manually updated, we 
strongly recommend updating all old Windows server keys. The SSH Tectia Server 4.3.2 update does not 
automatically update the keys. Note that once the server key has been updated, a warning message will appear 
in clients connecting to the server and manual key hash verification is required.



UPDATING SSH TECTIA SERVER

If you have a valid SSH Tectia Server 4.3.x license file, you can get the update package for this product from 

http://www.ssh.com/support/downloads/tectia-server/updates-and-packages-4-3.html 



SSH Communications Security apologizes for any inconvenience that this vulnerability may have caused. We take 
security of the systems of our customers very seriously and do our utmost to provide secure software with 
minimum defects. We strongly urge all customers to consider the implications of this vulnerability carefully 
and to make an educated decision on whether or not to update.
 


[***** End SSH Vendor Reference Number: RQ#11775 *****]

    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/