Legal Notices | Privacy Policy
Site Map | Refund Policy
Copyright © 1995 -
VanDyke Software, Inc.
All rights reserved.
|
Security Advisory — VShell® 2.x |
|
In VShell versions 2.3.5 and earlier for Windows, when a
host key is automatically created by VShell, the host key
file inherits the permissions of its parent directory,
potentially allowing access to authenticated users.
|
|
Posted: August 16, 2005
Description
Secure Shell provides remote, encrypted terminal access to hosts.
Some Secure Shell servers running on Microsoft Windows (including
VShell prior
to version 2.3.6) set nonsecure permissions on the file storing
the private Secure Shell server host key. This could allow an authenticated
user to obtain the Secure Shell host key and use it to impersonate
the server.
If an attacker copies the private host key of a server, they can
configure another server with the same private key as the legitimate
server. Such a server would appear valid to clients if another
attack, such as DNS hijacking, was used to trick the client into
connecting to the attacker's server.
|
Affected Software Versions
|
VShell for Windows, version 2.3.5 and earlier.
|
| |
|
Vulnerability Fix Downloads
|
VShell 2.3.6 for Windows or later -
http://www.vandyke.com/download/vshell/download.html
|
| |
|
Technical Support
|
For further information on the security advisory, please contact VanDyke Software. |
| |
|
Official Postings
|
US-CERT published an advisory on this vulnerability on July 18, 2005.
VanDyke posted this page on 08/16/2005.
|
| |
|
Revision History
|
August 16, 2005 - Security Advisory published.
|
|
|
