US-CERT Vulnerability Notes Database

Vulnerability Note VU#973635

Some SSH servers on Microsoft Windows set insecure permissions for the host identification key file

Overview

SSH provides remote, encrypted terminal access to hosts. Some SSH servers, when running on Microsoft Windows, set insecure permissions on the file storing the private SSH server hostkey. This could allow an authenticated user to obtain the SSH hostkey and use it to impersonate the server.

I. Description

Some SSH servers create the hostkey with permissions that allow any user to read the file. As a result, any user logged into the system can read the private SSH hostkey.

The hostkey is used to authenticate the server to the client. This defends against redirection attacks, such as DNS hijacking, that cause the client to connect to a malicious server. In such cases, clients that know the public hostkey can verify that the server holds the private hostkey, thereby verifying that they have reached the correct server.

II. Impact

If an attacker copies the private hostkey of a server, they can configure a server with the same private key as the legitimate server. Such a server would appear valid to clients if another attack, such as DNS hijacking, were used to trick the client into connecting to the attacker's server.

III. Solution

Upgrade


Upgrade per vendor information.

Hostkey Regeneration

Regardless of how the vulnerability is addressed, the hostkey may already have been compromised. Regenerating the hostkey will address this problem, although SSH clients with the old key will emit warnings when connecting to the server after the hostkey has been regenerated.

Workaround

Correct Permissions

Manually change the permissions on the hostkey file so that only the Administrator group can read the file. The default file in which the private hostkey is stored varies by vendor.
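
One way to carry out this workaround from PowerShell, as an added example that is not part of the original note or of any vendor's tooling: the script lists every Allow entry that lets a principal other than the Administrators group read the file and, with -Fix, replaces the ACL with a single Read entry for Administrators. The parameter names and the -AllowSystem option (which assumes the SSH service runs as LocalSystem) are assumptions; the hostkey path has no default because it varies by vendor.

```powershell
# Added example: audit and restrict the ACL on an SSH private hostkey file.
param(
    [Parameter(Mandatory = $true)] [string] $HostKeyPath,  # varies by vendor
    [switch] $AllowSystem,  # assumption: SSH service runs as LocalSystem
    [switch] $Fix           # without -Fix the script only reports
)

$sidClass = 'System.Security.Principal.SecurityIdentifier'
$known    = [System.Security.Principal.WellKnownSidType]
$admins   = New-Object -TypeName $sidClass `
                -ArgumentList ($known::BuiltinAdministratorsSid, $null)
$system   = New-Object -TypeName $sidClass `
                -ArgumentList ($known::LocalSystemSid, $null)

# SIDs are compared instead of names so localized group names do not matter.
$allowed = @($admins.Value)
if ($AllowSystem) { $allowed += $system.Value }

$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$acl = Get-Acl -LiteralPath $HostKeyPath

# Explicit and inherited Allow entries that let anyone else read the key.
$exposed = @($acl.GetAccessRules($true, $true, [type]$sidClass) | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $readData) -ne 0) -and
    ($allowed -notcontains $_.IdentityReference.Value)
})

$exposed | Select-Object IdentityReference, FileSystemRights, IsInherited

if ($Fix -and $exposed.Count -gt 0) {
    # Stop inheriting from the parent directory and discard inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove every explicit entry, then grant Read to the allowed SIDs only.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($sid in $allowed) {
        $id   = New-Object -TypeName $sidClass -ArgumentList $sid
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $id, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $HostKeyPath -AclObject $acl
    Write-Output "ACL replaced; regenerate the hostkey if it was exposed."
}
```

Run it from an elevated session, first without -Fix to review what is exposed. Tightening the ACL does not undo an earlier copy of the key, which is why the note also recommends regenerating the hostkey.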

Systems Affected

Vendor                        Status          Date Updated
Bitvise                       Not Vulnerable  8-Sep-2005
Cygwin                        Unknown         25-Jul-2005
F-Secure                      Vulnerable      27-Jul-2005
SSH Communications Security   Vulnerable      18-Jul-2005
VanDyke Software              Vulnerable      12-Aug-2005
WRQ, Inc.                     Vulnerable      30-Aug-2005

References


http://www.ssh.com/company/newsroom/article/653/
http://www.securityfocus.com/infocus/1806
http://secunia.com/advisories/15894
http://www.securityfocus.com/bid/14116/info
http://securitytracker.com/alerts/2005/Jun/1014343.html
http://xforce.iss.net/xforce/xfdb/21217

Credit

Thanks to SSH Communications Security for reporting this vulnerability.

This document was written by Hal Burch.

Other Information

Date Public: 06/30/2005
Date First Published: 07/18/2005 03:57:45 PM
Date Last Updated: 09/09/2005
CERT Advisory:
CVE Name: CAN-2005-2146
US-CERT Technical Alerts:
Metric: 3.45
Document Revision: 38

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2005 by US-CERT, a government organization