US-CERT
Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information
 

 View Notes By
Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric

 Other Documents
Technical Alerts

Technical Bulletins

Alerts

Security Tips

VanDyke Software Information for VU#973635

Date Notified07/25/2005
Date Modified09/09/2005 02:48:27 PM
Status SummaryVulnerable

Vendor Statement

Description:

In VShell versions 2.3.5 and earlier for Windows, when a host key is automatically created by VShell, the host key file inherits the permissions of its parent directory, potentially allowing access to authenticated users.

Affected Product Versions:

- VShell for Windows, version 2.3.5 and earlier.

Solution:

VShell version 2.3.6 will ensure that when a host key is automatically generated, the permissions on the host key file will be set such that only SYSTEM and members of the Administrators group will have access rights.

VShell users with existing host key files can correct the permissions by modifying the Access Control List for the private host key file such that only SYSTEM and Administrators have access.

By default, the private host key file is created as:
  C:\Program Files\VShell\hostkey

Note: If you have configured VShell to run as a user other than SYSTEM, you will need to allow this user access to the host key file.

US-CERT Addendum

Because the hostkey may have been comprised, we also suggest that you create a new hostkey for the system.

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Produced 2008 by US-CERT, a government organization
Disclaimers and copyright information