US-CERT Vulnerability Notes Database

WRQ, Inc. Information for VU#902110

Date Notified:
Date Updated:
Statement Date:
Status Summary: Vulnerable

Vendor Statement

Workaround #1:

Change the server configuration using the GUI as follows:

  1. Add the string 'administrator' (without the quotation marks) to the Deny login for users in User Restrictions.
  2. Create a subconfiguration entry in the Advanced screen by adding a UserSpecificConfig line to the end of the file, for example: "UserSpecificConfig  New-Admin-Name  admin.config"
  3. Click the Apply button to notify the running server of the changes.
  4. Create a file named admin.config in the folder where the server was installed (usually C:\Program Files\F-Secure\ssh server) that contains the following line:
UserConfigDirectory "C:\\Documents and Settings\\administrator\\.ssh2"

Note: The doubled \\ are required. Both the sshd2_config and admin.config files should have their file protections changed to permit only the Administrator group to access these files.

Workaround #2:

Create a folder in the "Documents and Settings" folder with the renamed user name (such as New-Admin-Name) and create a .ssh2 folder there (for example, C:\Documents and Settings\New-Admin-Name\.ssh2). Then move - do not copy - all public key files and the authorization file to this new folder.

Remember to set the file protections on these folders to permit only the New-Admin-Name user access to these files.
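
A check for the two configuration lines that Workaround #1 calls for, including the doubled-backslash requirement from the note. This is an added example, not part of the vendor's statement or the product: the function name `check_workaround1` and the sample file contents are constructed, and it assumes `#` starts a comment line and that keywords are matched without regard to case.

```python
import re

def check_workaround1(sshd2_config, admin_config, sub_file="admin.config"):
    """Return a list of problems; an empty list means both files match Workaround #1."""
    problems = []

    def directives(text):
        # Assumption: blank lines and lines starting with '#' carry no directive.
        rows = (line.strip() for line in text.splitlines())
        return [r.split(None, 1) for r in rows if r and not r.startswith("#")]

    # sshd2_config: the UserSpecificConfig line must exist, name the
    # subconfiguration file, and be the last directive in the file.
    # Assumption: keywords are compared case-insensitively.
    main = directives(sshd2_config)
    hits = [i for i, d in enumerate(main) if d[0].lower() == "userspecificconfig"]
    if not hits:
        problems.append("sshd2_config: no UserSpecificConfig line")
    else:
        args = main[hits[-1]][1].split() if len(main[hits[-1]]) > 1 else []
        if len(args) != 2 or args[1] != sub_file:
            problems.append("sshd2_config: UserSpecificConfig must be '<user> %s'" % sub_file)
        if hits[-1] != len(main) - 1:
            problems.append("sshd2_config: UserSpecificConfig is not at the end of the file")

    # admin.config: UserConfigDirectory must be quoted, with every backslash doubled.
    sub = [d for d in directives(admin_config) if d[0].lower() == "userconfigdirectory"]
    if not sub:
        problems.append("admin.config: no UserConfigDirectory line")
    else:
        value = sub[-1][1] if len(sub[-1]) > 1 else ""
        if not (len(value) >= 2 and value[0] == value[-1] == '"'):
            problems.append("admin.config: path is not enclosed in double quotes")
        if any(len(run) != 2 for run in re.findall(r"\\+", value)):
            problems.append("admin.config: path contains a backslash that is not doubled")
    return problems

# Constructed sample input, using the names from the vendor's text.
SSHD2_CONFIG = "# constructed sample\nUserSpecificConfig  New-Admin-Name  admin.config\n"
ADMIN_GOOD = r'UserConfigDirectory "C:\\Documents and Settings\\administrator\\.ssh2"'
ADMIN_BAD = r'UserConfigDirectory "C:\Documents and Settings\administrator\.ssh2"'

if __name__ == "__main__":
    print(check_workaround1(SSHD2_CONFIG, ADMIN_GOOD))
    print(check_workaround1(SSHD2_CONFIG, ADMIN_BAD))
```

The check covers file contents only; the file protections on sshd2_config and admin.config still have to be verified separately.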

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Produced 2009 by US-CERT, a government organization