Vulnerability Note VU#419241
Multiple vendor SFTP logging format string vulnerability
A logging function used by multiple vendors' SFTP servers contains a format string vulnerability, which may allow an authorized remote attacker to execute arbitrary code or cause a denial of service.
SFTP (Secure FTP) is a file transfer application that uses SSH for encryption.
A remote authenticated attacker may be able to execute arbitrary code with the privileges of the user or cause a denial of service to the SSH server.
Upgrade or patch
1. Edit the SSH server's sshd2_config file:
   1. Change the line
      Note: This change disallows the use of chroot.
   2. Comment out the SftpSyslogFacility keyword line. Note: The line should begin with two "pound" signs, as in this example:
      ## SftpSyslogFacility LOCAL7
2. Restart the SSH server to read the changes in the configuration file.
On Windows Servers
The only workaround is to disable the sftp subsystem as follows:
1. Edit the SSH server's sshd2_config file and comment out the subsystem-sftp line. Note: The line should begin with two "pound" signs, as in this example:
## subsystem-sftp "fsshsftpd.exe"
2. Restart the SSH server to read the change in the configuration file.
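To confirm the configuration edits above were applied, the following shell functions (an added example, not part of the original note or any vendor's tooling; the function names are hypothetical) report any still-active SftpSyslogFacility or subsystem-sftp line in a copy of sshd2_config. It assumes that a line whose first non-blank character is # is a comment and that keywords are matched case-insensitively; it does not check the "Change the line" sub-step, whose text is not shown here, nor whether the server was restarted.

```shell
#!/bin/sh
# Added example: audit sshd2_config for the workaround lines named in this note.
# Assumptions: '#' as first non-blank character marks a comment; keyword
# matching is case-insensitive.

# active_keyword FILE KEYWORD
# Prints "lineno: line" for every uncommented line that starts with KEYWORD.
# Returns 0 if at least one such line exists, 1 otherwise.
active_keyword() {
    awk -v kw="$2" '
        BEGIN { kw = tolower(kw); found = 0 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)                 # ignore indentation
            if (line == "" || substr(line, 1, 1) == "#") next
            key = tolower(line)
            if (substr(key, 1, length(kw)) != kw) next
            rest = substr(key, length(kw) + 1, 1)    # char after the keyword
            if (rest ~ /[a-z0-9_-]/) next            # longer, different keyword
            print NR ": " $0
            found = 1
        }
        END { exit !found }
    ' "$1"
}

# audit_sftp_workaround FILE KEYWORD
# KEYWORD is SftpSyslogFacility or subsystem-sftp (the two lines this note
# says to comment out). Returns 0 when no active line remains, 1 when the
# keyword is still active, 2 on a usage or read error.
audit_sftp_workaround() {
    file=$1
    kw=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    case $kw in
        SftpSyslogFacility|subsystem-sftp) ;;
        *) echo "unsupported keyword: $kw" >&2; return 2 ;;
    esac
    if hits=$(active_keyword "$file" "$kw"); then
        echo "NOT APPLIED: $kw is still active in $file"
        echo "$hits"
        return 1
    fi
    echo "applied: no active $kw line in $file"
    return 0
}

# Stand-alone use: sh audit.sh /path/to/sshd2_config SftpSyslogFacility
if [ "$#" -eq 2 ]; then audit_sftp_workaround "$1" "$2"; fi
```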
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| F-Secure Corporation | Affected | 16 Jan 2006 | 15 Feb 2006 |
| WRQ, Inc. | Affected | - | 15 Feb 2006 |
| Bitvise | Not Affected | 16 Jan 2006 | 17 Jan 2006 |
| InterSoft International | Not Affected | 16 Jan 2006 | 18 Jan 2006 |
| MacSSH | Not Affected | 16 Jan 2006 | 16 Jan 2006 |
| OSSH | Not Affected | 16 Jan 2006 | 16 Jan 2006 |
| PuTTY | Not Affected | 16 Jan 2006 | 16 Jan 2006 |
| VanDyke Software | Not Affected | 16 Jan 2006 | 17 Jan 2006 |
| FiSSH | Unknown | 16 Jan 2006 | 16 Jan 2006 |
| lsh | Unknown | 16 Jan 2006 | 16 Jan 2006 |
| OpenSSH | Unknown | 16 Jan 2006 | 16 Jan 2006 |
| Pragma Systems | Unknown | 16 Jan 2006 | 16 Jan 2006 |
| TTSSH | Unknown | 16 Jan 2006 | 16 Jan 2006 |
| WinSCP | Unknown | 16 Jan 2006 | 16 Jan 2006 |
Thanks to WRQ for reporting this vulnerability.
This document was written by Will Dormann.
- CVE IDs: Unknown
- Date Public: 13 Feb 2006
- Date First Published: 13 Feb 2006
- Date Last Updated: 15 Feb 2006
- Severity Metric: 3.37
- Document Revision: 9