|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[SA11193] SSH Tectia Server ssh-passwd-plugin Private Host Key Exposure
From: Secunia Security Advisories (sec-adv
secunia.com)
Date: Tue Mar 23 2004 - 14:35:55 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
TITLE:
SSH Tectia Server ssh-passwd-plugin Private Host Key Exposure
SECUNIA ADVISORY ID:
SA11193
VERIFY ADVISORY:
http://secunia.com/advisories/11193/
CRITICAL:
Less critical
IMPACT:
Exposure of sensitive information
WHERE:
Local system
SOFTWARE:
SSH Tectia Server 4.x
DESCRIPTION:
A vulnerability has been discovered in SSH Tectia Server, which can
be exploited by malicious, authenticated users to gain knowledge of
sensitive information.
A race condition in the ssh-passwd-plugin, which is used for changing
users' passwords during user authentication if they have expired, can
be exploited to gain knowledge of the system's private host keys.
The vulnerability affects versions 4.0.3 and 4.0.4 for Unix.
NOTE: The affected plugin is not enabled by default.
SOLUTION:
Update to version 4.0.5.
http://www.ssh.com/support/downloads/tectia-server-unix/
Also remember to regenerate host keys if the
"AuthPassword.ChangePlugin" option was enabled on a vulnerable
version.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.ssh.com/company/newsroom/article/520/
OTHER REFERENCES:
US-CERT VU#814198:
http://www.kb.cert.org/vuls/id/814198
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
----------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]