|
Posted: August 16, 2005
Description
Secure Shell provides remote, encrypted terminal access to hosts.
Some Secure Shell servers running on Microsoft Windows (including
VShell prior
to version 2.3.6) set nonsecure permissions on the file storing
the private Secure Shell server host key. This could allow an authenticated
user to obtain the Secure Shell host key and use it to impersonate
the server.
If an attacker copies the private host key of a server, they can
configure another server with the same private key as the legitimate
server. Such a server would appear valid to clients if another
attack, such as DNS hijacking, was used to trick the client into
connecting to the attacker's server.
|
Affected Software Versions
|
VShell for Windows, version 2.3.5 and earlier.
|
| |
|
Vulnerability Fix Downloads
|
VShell 2.3.6 for Windows or later -
http://www.vandyke.com/download/vshell/download.html
|
| |
|
Technical Support
|
For further information on the security advisory, please contact VanDyke Software. |
| |
|
Official Postings
|
US-CERT published an advisory on this vulnerability on July 18, 2005.
VanDyke posted this page on 08/16/2005.
|
| |
|
Revision History
|
August 16, 2005 - Security Advisory published.
|
|
