WRQ, Inc. Information for VU#973635

Some SSH servers on Microsoft Windows set insecure permissions for the host identification key file

Status

Affected

Vendor Statement

Products Affected:

  • F-Secure SSH Server for Windows (all versions)
  • Reflection for Secure IT Windows Server (version 6.0 build 19 and older)

Problem Correction:

Upgrade to Reflection for Secure IT Windows Server version 6.0 build 24 or manually change the permissions of the host's private key file (hostkey) to be readable by members of the Administrator's group only. The default location of the file is:
C:\Program Files\F-Secure\ssh server\hostkey.
(You may have modified this location during installation.)

AttachmateWRQ recommends generating new host keys for all Windows servers to ensure that this vulnerability cannot be exploited.  
Note: When server host keys are regenerated, users will receive a warning message stating that the host's key has changed. Let your users know to expect this behavior, or generate and distribute new known_hosts files that include the new keys.

For additional details and server upgrade information, please see:
   http://support.wrq.com/techdocs/1867.html

AttachmateWRQ also recommends that you bookmark and regularly check the Security Updates and Reflection for Secure IT web page for the latest information about updates and vulnerabilities:
   http://support.wrq.com/techdocs/1910.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.