login about faq

On Sunday December 2, 2012, a remote authentication bypass vulnerability was disclosed which affects the current Unix/Linux versions of Tectia SSH Server.

What versions are affected and is there a workaround?

asked Dec 03 '12 at 18:50

SSH%20KB's gravatar image

SSH KB ♦
509249246237

edited Dec 03 '12 at 19:02

Roman's gravatar image

Roman ♦♦
7735817


SUMMARY On Sunday December 2, 2012, a remote authentication bypass vulnerability was disclosed which affects the current Unix/Linux versions of Tectia SSH Server. This does not affect client. Windows and zOS servers are not affected. Servers that have "old-style" password authentication already disabled are not affected. Password authentication through keyboard-interactive authentication is safe.

This vulnerability exploits a bug in the SSH USERAUTH CHANGE REQUEST function. This vulnerability has been confirmed by internal testing.

A workaround is to disable "old-style" password authentication on affected versions. The bug only affects “old-style” password authentication. Keyboard-interactive, GSSAPI, and public key authentication methods are not affected.

AFFECTED PRODUCTS AND VERSIONS

  • SSH Tectia Server 6.0.4 to 6.0.19
  • SSH Tectia Server 6.1.0 to 6.1.12
  • SSH Tectia Server 6.2.0 to 6.2.5
  • SSH Tectia Server 6.3.0 to 6.3.2

CURRENT SITUATION Effective workaround exists. Updated versions providing a permanent fix to this issue are in testing and are expected to be released within the next 24-48 hours.

WORKAROUND An immediate workaround is to disable “old-style” password authentication by editing the /etc/ssh2/ssh-server-config.xml configuration file. Comment out the line (all of them if multiple) containing <auth-password /> In XML, comment syntax is <!-- … -->, i.e., change the line to: <!-- <auth-password /> -->

WE STRONGLY ADVISE MAKING THIS CHANGE IMMEDIATELY, AT LEAST ON ALL EXTERNAL FACING SERVERS.

We will not provide a script for making this change automatically as communicated previously. We encourage to upgrade to the patched version that will be released in a few hours, or modify the configuration files manually in the meantime.

Note: it is also good to make sure you have keyboard-interactive enabled so that you do not completely prevent password authentication, i.e., that the following is in the server configuration file:

<auth-keyboard-interactive>
<submethod-password />
</auth-keyboard-interactive>
link

answered Dec 03 '12 at 18:52

SSH%20KB's gravatar image

SSH KB ♦
509249246237

edited Dec 29 '14 at 10:22

SSH has already released fixes for this for all affected versions. Please, read more here:

link

answered Dec 05 '12 at 18:04

bca's gravatar image

bca ♦♦
4691012

edited Dec 05 '12 at 18:06

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or __italic__
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×17
×2
×1

Asked: Dec 03 '12 at 18:50

Seen: 16,407 times

Last updated: Dec 29 '14 at 10:22

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.