VanDyke Software Information for VU#973635

Some SSH servers on Microsoft Windows set insecure permissions for the host identification key file

Status

Affected

Vendor Statement

Description:

In VShell versions 2.3.5 and earlier for Windows, when a host key is automatically created by VShell, the host key file inherits the permissions of its parent directory, potentially allowing access to authenticated users.

Affected Product Versions:

- VShell for Windows, version 2.3.5 and earlier.

Solution:

VShell version 2.3.6 will ensure that when a host key is automatically generated, the permissions on the host key file will be set such that only SYSTEM and members of the Administrators group will have access rights.

VShell users with existing host key files can correct the permissions by modifying the Access Control List for the private host key file such that only SYSTEM and Administrators have access.

By default, the private host key file is created as:
  C:\Program Files\VShell\hostkey

Note: If you have configured VShell to run as a user other than SYSTEM, you will need to allow this user access to the host key file.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

Because the hostkey may have been compromised, we also suggest that you create a new hostkey for the system.
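
The permission correction described in the vendor statement can be checked and applied with a short PowerShell script. This is an added example, not code from VanDyke or from this advisory; the -ServiceAccount and -Fix parameters are hypothetical names chosen here, and the path is the default quoted above.

```powershell
# Added example: audit (and optionally reset) the DACL on the VShell private host key.
# Run from an elevated prompt. Parameter names are illustrative, not part of VShell.
param(
    [string]$HostKeyPath = 'C:\Program Files\VShell\hostkey',  # default path from the advisory
    [string]$ServiceAccount,   # account VShell runs as, if it is not SYSTEM
    [switch]$Fix               # rewrite the ACL instead of only reporting
)

$sidType = [System.Security.Principal.SecurityIdentifier]
# Well-known SIDs: S-1-5-18 = SYSTEM, S-1-5-32-544 = BUILTIN\Administrators
$allowed = @('S-1-5-18', 'S-1-5-32-544')
if ($ServiceAccount) {
    $allowed += ([System.Security.Principal.NTAccount]$ServiceAccount).Translate($sidType).Value
}

$acl = Get-Acl -LiteralPath $HostKeyPath
# Explicit and inherited rules, with identities resolved to SIDs for comparison
$rules = $acl.GetAccessRules($true, $true, $sidType)
$unexpected = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $allowed -notcontains $_.IdentityReference.Value
})
$inherits = -not $acl.AreAccessRulesProtected

foreach ($r in $unexpected) {
    Write-Warning ("{0} has {1} on the host key (inherited: {2})" -f `
        $r.IdentityReference.Value, $r.FileSystemRights, $r.IsInherited)
}
if ($inherits) {
    Write-Warning 'The host key file still inherits permissions from its parent directory.'
}
if (-not $inherits -and $unexpected.Count -eq 0) {
    Write-Output 'Host key ACL is limited to the expected principals.'
}

if ($Fix -and ($inherits -or $unexpected.Count -gt 0)) {
    # Drop any explicit ACEs, then remove inheritance and grant only the allowed SIDs.
    & icacls.exe $HostKeyPath /reset | Out-Null
    $grants = $allowed | ForEach-Object { "*$($_):F" }
    & icacls.exe $HostKeyPath /inheritance:r /grant:r $grants
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    # Re-read the ACL so the operator sees the final state
    (Get-Acl -LiteralPath $HostKeyPath).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```
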

If you have feedback, comments, or additional information about this vulnerability, please send us email.