US-CERT Vulnerability Notes Database

WRQ, Inc. Information for VU#419241

Date Notified:
Date Updated:
Statement Date:
Status Summary: Vulnerable

Vendor Statement

Products Affected:

Reflection for Secure IT UNIX Server version 6.0
Reflection for Secure IT Windows Server version 6.0
F-Secure SSH Server for Windows version 5.x
F-Secure SSH Server for UNIX version 3.x through 5.x


Problem Correction:

AttachmateWRQ Reflection for Secure IT and F-Secure SSH Server users should install an upgrade, as specified in WRQ Tech Note 1882 (http://support.wrq.com/techdocs/1882.html).

The following workaround may prevent exploitation of the vulnerability:

On UNIX Servers

1. Edit the SSH server's sshd2_config file:

   1. Change the line

          subsystem-sftp internal://sftp-server

      to

          subsystem-sftp sftp-server

      Note: This change disallows the use of chroot.

   2. Comment out the SftpSyslogFacility keyword line. Note: The line should begin with two "pound" signs, as in this example:

          ## SftpSyslogFacility LOCAL7

2. Restart the SSH server to read the changes in the configuration file.

On Windows Servers

The only workaround is to disable the sftp subsystem as follows:

1. Edit the SSH server's sshd2_config file and comment out the subsystem-sftp line. Note: The line should begin with two "pound" signs, as in this example:

       ## subsystem-sftp "fsshsftpd.exe"

2. Restart the SSH server to read the change in the configuration file.

AttachmateWRQ also recommends that you bookmark and regularly check the Security Updates and Reflection for Secure IT web page for the latest information about updates and vulnerabilities:
http://support.wrq.com/techdocs/1910.html
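The UNIX workaround above is a two-line edit to sshd2_config, and on a fleet of servers the question a defender has is whether every host actually carries it. The script below is an added example written for this note, not code from US-CERT or AttachmateWRQ: it checks a copy of sshd2_config for the two vulnerable settings (an sftp subsystem still pointing at internal://sftp-server, or an uncommented SftpSyslogFacility line) and can apply the vendor's edit. It assumes the file uses one "keyword value" line per setting, as the excerpts in the statement show, and that the caller supplies the path; the sample config it operates on is constructed here for demonstration.

```shell
#!/bin/sh
# Added example (not from the US-CERT note or the vendor): audit and apply the
# UNIX sshd2_config workaround for VU#419241 on a copy of the configuration file.
# Assumption: sshd2_config holds one "keyword value" setting per line and
# comments are introduced with "#" (the note uses "##").

# Return 0 if the file still carries a vulnerable setting (internal sftp-server
# subsystem or an active SftpSyslogFacility line), 1 if the workaround is in place.
workaround_missing() {
    cfg="$1"
    if grep -Eq '^[[:space:]]*subsystem-sftp[[:space:]]+internal://sftp-server' "$cfg"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*SftpSyslogFacility[[:space:]]' "$cfg"; then
        return 0
    fi
    return 1
}

# Apply the vendor's two edits in place, keeping a .bak copy of the original:
# point the sftp subsystem at the external sftp-server binary and comment out
# SftpSyslogFacility with two pound signs, exactly as the statement shows.
apply_workaround() {
    cfg="$1"
    cp "$cfg" "$cfg.bak"
    sed -e 's|^\([[:space:]]*subsystem-sftp[[:space:]]\{1,\}\)internal://sftp-server|\1sftp-server|' \
        -e 's|^\([[:space:]]*SftpSyslogFacility[[:space:]]\)|## \1|' \
        "$cfg.bak" > "$cfg"
}

# Constructed sample sshd2_config for the demonstration; not taken from any real host.
make_sample_config() {
    out="$1"
    cat > "$out" <<'EOF'
## sshd2_config (constructed sample)
Port 22
subsystem-sftp internal://sftp-server
SftpSyslogFacility LOCAL7
EOF
}

# Stand-alone run: audit the sample, apply the workaround, audit again.
demo() {
    tmp=$(mktemp)
    make_sample_config "$tmp"
    if workaround_missing "$tmp"; then
        echo "before: vulnerable sftp settings present"
    fi
    apply_workaround "$tmp"
    if workaround_missing "$tmp"; then
        echo "after: still vulnerable, review $tmp by hand"
    else
        echo "after: workaround applied (original kept as $tmp.bak)"
    fi
    rm -f "$tmp" "$tmp.bak"
}
demo
```

workaround_missing is the piece worth keeping after the upgrade from Tech Note 1882 is rolled out: run against each server's sshd2_config it gives a quick yes/no that a host still relies on the interim workaround rather than the fixed release. Remember the vendor's caveat that the external sftp-server setting disallows chroot, so a host that passes this check has traded that restriction away until it is upgraded.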

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Produced 2009 by US-CERT, a government organization