SSH Communications Security Information for VU#973635

Some SSH servers on Microsoft Windows set insecure permissions for the host identification key file

Status

Affected

Vendor Statement

Affected Products

  • SSH Secure Shell for Windows Servers (all versions)
  • SSH Tectia Server (Windows) 4.3.1 and older versions

Remediation

1a) Update the SSH Tectia Server for Windows installation to version 4.3.2, or
1b) Manually make the hostkey file readable only by the Administrator group. The default location of the file may have been modified in the server configuration.
However, the default location of the secret part of the host key is
C:\Program Files\SSH Communications Security\SSH Secure Shell Server\hostkey

and optionally in systems, that were upgraded

2) Generate a new hostkey for the system. Caution! The changed hostkey causes a warning in clients connecting to the system.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

Because the hostkey may have been compromised, we also suggest that you create a new hostkey for the system.
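
One way to carry out the manual permission change in step 1b from an elevated PowerShell session. This is an added example, not code from the vendor or from this note. The script, its parameter names and the read-rights mask are assumptions made here; the default path is the one given in the vendor statement.

```powershell
# Audit the host key ACL; with -Fix, replace it with an Administrators-only ACL.
param(
    # Default location from the vendor statement; change it if the server
    # configuration stores the host key elsewhere.
    [string]$HostKeyPath = 'C:\Program Files\SSH Communications Security\SSH Secure Shell Server\hostkey',
    [switch]$Fix
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$admins  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators

# Access bits that allow reading file contents:
# FILE_READ_DATA, GENERIC_READ, GENERIC_ALL.
$readMask = 0x00000001 -bor 0x80000000 -bor 0x10000000

$acl   = Get-Acl -LiteralPath $HostKeyPath
$rules = $acl.GetAccessRules($true, $true, $sidType)   # explicit and inherited ACEs

# Any Allow ACE that grants read access to a principal other than Administrators.
$offending = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -ne $admins.Value -and
    (([int]$_.FileSystemRights) -band $readMask) -ne 0
})

if ($offending.Count -eq 0) {
    Write-Output "OK: only Administrators can read $HostKeyPath"
    return
}

foreach ($r in $offending) {
    $origin = if ($r.IsInherited) { 'inherited' } else { 'explicit' }
    Write-Output ("READABLE BY {0} ({1}, {2})" -f $r.IdentityReference.Value, $r.FileSystemRights, $origin)
}

if ($Fix) {
    # Stop inheriting from the parent folder and discard the inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove every explicit ACE, then grant access to Administrators only.
    foreach ($r in @($acl.GetAccessRules($true, $false, $sidType))) {
        $acl.RemoveAccessRuleSpecific($r)
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($admins, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $HostKeyPath -AclObject $acl
    Write-Output "ACL replaced: Administrators only, inheritance disabled"
}
```

If the audit lists any non-administrative principal, treat the key as exposed and also generate a new hostkey, as step 2 and the addendum advise.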

If you have feedback, comments, or additional information about this vulnerability, please send us email.