Vulnerability Note VU#973635
Some SSH servers on Microsoft Windows set insecure permissions for the host identification key file
SSH provides remote, encrypted terminal access to hosts. Some SSH servers, when running on Microsoft Windows, set insecure permissions on the file storing the private SSH server hostkey. This could allow an authenticated user to obtain the SSH hostkey and use it to impersonate the server.
Some SSH servers create the hostkey with permissions that allow any user to read the file. As a result, any user logged into the system can read the private SSH hostkey.
The hostkey is used to authenticate the server to the client. This defends against redirection attacks, such as DNS hijacking that cause the client to connect to a malicious server. In such cases, clients that know the public hostkey can verify that the server has the private hostkey, thereby verifying the server is correct.
If an attacker copies the private hostkey of a server, they can configure a server with the same private key as the legitimate server. Such a server would appear valid to clients if another attack, such as DNS hijacking, was used to trick the client into connecting to the attacker's server.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|F-Secure||Affected||21 Jul 2005||27 Jul 2005|
|SSH Communications Security||Affected||-||18 Jul 2005|
|VanDyke Software||Affected||25 Jul 2005||12 Aug 2005|
|WRQ, Inc.||Affected||21 Jul 2005||30 Aug 2005|
|Bitvise||Not Affected||07 Sep 2005||08 Sep 2005|
|Cygwin||Unknown||-||25 Jul 2005|
CVSS Metrics (Learn More)
Thanks to SSH Communications Security for reporting this vulnerability.
This document was written by Hal Burch.
- CVE IDs: CAN-2005-2146
- Date Public: 30 Jun 2005
- Date First Published: 18 Jul 2005
- Date Last Updated: 09 Sep 2005
- Severity Metric: 3.45
- Document Revision: 38
If you have feedback, comments, or additional information about this vulnerability, please send us email.