
Reflection for Secure IT Server Security Vulnerability Update and Workaround


Technical Note 1882
Last Reviewed 13-Feb-2006

Applies To
Reflection for Secure IT UNIX Server version 6.0
Reflection for Secure IT Windows Server version 6.0
F-Secure SSH Server for Windows version 5.x
F-Secure SSH Server for UNIX version 3.x through 5.x

Summary

This technical note describes a security vulnerability in Reflection for Secure IT Windows and UNIX Servers and F-Secure SSH Servers for Windows and UNIX. Please evaluate your exposure and either upgrade your systems with the fix we provide or apply the recommended workaround.

Overview

The sftp subsystem of the AttachmateWRQ Reflection for Secure IT and F-Secure SSH servers on UNIX and Windows contains a format string vulnerability that may enable an attacker to execute arbitrary code with the privileges of an authenticated user.

The Issue

The sftp subsystem logging functionality of the Secure Shell server contains a format string vulnerability: data supplied through the sftp session reaches a printf-style logging call as the format argument rather than as a plain string argument, so format directives embedded in that data are interpreted by the logger.

The Impact

A remote attacker may be able to execute arbitrary code with the privileges of an authenticated user if the attacker can persuade that user to stat a specially crafted file, that is, a file whose name carries printf-style directives that the sftp logging code then interprets. A malicious authenticated user could also launch a denial-of-service attack against the SSH server. Every scenario above involves an authenticated sftp session, so exposure is governed by who can authenticate to the server and whether the sftp subsystem is enabled.
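
The bug class the note describes, shown as an added illustration in C. This is not the vendor's code (the affected servers are closed-source products); the function names, the log prefix and the sample file name are assumptions made for the example. The vulnerable logger concatenates the client-supplied path into a message and then hands that message to a printf-family call as the format; the hardened logger passes a literal format and the path as a %s argument. Only "%%" is used as the crafted content so that the vulnerable path stays within defined behaviour; the same interpretation step is what lets "%x" read the stack and "%n" write to it in a real format string bug.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class described in this note. It is not
 * the vendor's code; the function names, the log prefix and the sample
 * file name are assumptions made for the example. */

typedef int (*log_fn)(char *out, size_t outlen, const char *path);

/* A typical logging helper: callers are expected to pass a literal format
 * followed by arguments. Nothing tells the compiler that, so a call that
 * passes attacker data as fmt compiles without complaint. Adding
 * __attribute__((format(printf, 3, 4))) on gcc/clang and building with
 * -Wformat-security would flag the vulnerable call below. */
static int emit(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable form: the client-supplied path is first concatenated into msg,
 * then msg itself is handed to the logger as the format string. Any printf
 * directive inside the file name is interpreted. "%%" collapses to "%"
 * (defined behaviour, used in the demo); "%x" would read the stack and "%n"
 * would write to it, which is the arbitrary-code path the note describes. */
int log_stat_vulnerable(char *out, size_t outlen, const char *path)
{
    char msg[256];
    snprintf(msg, sizeof msg, "sftp: stat %s", path);
    return emit(out, outlen, msg);            /* BUG: msg is the format */
}

/* Hardened form: the format is a literal and the path travels as a %s
 * argument, so directives in the file name are recorded verbatim. */
int log_stat_safe(char *out, size_t outlen, const char *path)
{
    return emit(out, outlen, "sftp: stat %s", path);
}

/* Runs a logger on a path and returns the resulting log line
 * (static buffer; demonstration only). */
const char *render(log_fn logger, const char *path)
{
    static char line[512];
    logger(line, sizeof line, path);
    return line;
}

/* Nonzero when the logged text is not the path that was requested, i.e.
 * the logger interpreted the file name instead of recording it. */
int path_was_interpreted(log_fn logger, const char *path)
{
    const char *line = render(logger, path);
    return strcmp(line + strlen("sftp: stat "), path) != 0;
}

int main(void)
{
    /* Constructed sample file name. Only "%%" is used so that the vulnerable
     * logger stays within defined behaviour for the demonstration. */
    const char *crafted = "quarterly-100%%.txt";

    printf("requested:  %s\n", crafted);
    printf("vulnerable: %s\n", render(log_stat_vulnerable, crafted));
    printf("safe:       %s\n", render(log_stat_safe, crafted));
    return 0;
}
```

The vulnerable logger records "quarterly-100%.txt" for a file actually named "quarterly-100%%.txt"; the hardened one records the name as given. In code you can build yourself, the cheapest check for this class is to mark logging wrappers with the printf format attribute and compile with `-Wformat -Wformat-security`; gcc then reports the call in log_stat_vulnerable as "format not a string literal and no format arguments". Without the attribute the compiler is silent, which is how such calls survive review.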

Affected Servers

The following versions of the Reflection and F-Secure SSH servers are affected by this issue. Evaluate your exposure and upgrade your systems.

  • Reflection for Secure IT Windows Server: all 6.x versions

  • Reflection for Secure IT UNIX Server: all 6.x versions

  • F-Secure SSH Server for Windows: all 5.x versions

  • F-Secure SSH Server for UNIX: all 5.x and 3.x versions

The Solution

The issue has been fixed in the following versions and builds, which are available for download from the AttachmateWRQ Download Library. The specific file locations are listed below.

Windows Server

    Reflection for Secure IT Windows Server version 6.0 build 38
    F-Secure SSH Server for Windows version 5.3 build 35

UNIX Server

    Reflection for Secure IT UNIX Server version 6.0.0.9
    F-Secure SSH Server for UNIX version 5.0.8

Please upgrade your installation to address the vulnerability.

Note: If you have version 3.x of the F-Secure SSH UNIX Server, you can upgrade to a fixed version if your company has a current maintenance agreement. Otherwise, apply the workaround.

Obtaining the Upgrade Files

In the AttachmateWRQ Download Library, the Reflection for Secure IT 6.x products are available from the Upgrades section, and the F-Secure SSH 5.x products are available from the Patches section.

Version 6.x. Maintained customers are eligible to download the version 6.x upgrade packages from the AttachmateWRQ Product Upgrade site. You will need the login information sent from AttachmateWRQ to your "ship to" contact.

Follow these steps to download the latest version from the AttachmateWRQ Product Upgrade site.

  1. To upgrade the Reflection for Secure IT Windows Server, click https://download.wrq.com/Upgrades/DownloadAgreement.aspx?code=RSSW

    To upgrade the Reflection for Secure IT UNIX Server, click https://download.wrq.com/Upgrades/DownloadAgreement.aspx?code=RSSU

  2. Log in with the user name and password you received from AttachmateWRQ.

  3. Accept the Software License Agreement.

  4. Click the file name in the Download column. (For UNIX, scroll to the appropriate file for your platform.)

  5. Follow the usual procedure of uninstalling your previous version before installing the upgrade version.

    For more information about installing Reflection for Secure IT server, see the product manual available from http://support.wrq.com/manuals/sshdocs.html.

Version 5.x. To download a version 5.x upgrade package, you will need to enter your VPA number in the AttachmateWRQ Download Library.

  1. Click the appropriate link for your version 5.x product:

    For the F-Secure SSH Windows Server: http://patches.download.wrq.com/patches/results.asp?filetype=Patches&title=&Sections=35&language=0&version=&GoForIt=Search

    For the F-Secure SSH UNIX Server: http://patches.download.wrq.com/patches/results.asp?filetype=Patches&title=&Sections=34&language=0&version=&GoForIt=Search

    When prompted, enter your VPA number.

  2. Click the appropriate file name. To determine the UNIX platforms, check the Title description.

    If prompted, complete the Download Library Registration form.

  3. On the File Information and Download Page, check the Terms of Use, and then click the File Name to download the file.

  4. Follow the usual procedure of uninstalling your previous version before installing the upgrade version.

Optional Workaround

If you have an existing installation and are not able to upgrade your SSH server to a fixed version, you can implement the following workaround to prevent this vulnerability from being exploited.

On UNIX Servers

  1. Edit the SSH server's sshd2_config file:

    1. Change the line

      subsystem-sftp internal://sftp-server

      to

      subsystem-sftp sftp-server

      Note: This change disallows the use of chroot. If you rely on chroot to confine sftp users, weigh that loss against the vulnerability before applying the workaround.

    2. Comment out the SftpSyslogFacility keyword line. Note: The line should begin with two "pound" signs, as in this example:

      ## SftpSyslogFacility LOCAL7

  2. Restart the SSH server to read the changes in the configuration file.

On Windows Servers

The only workaround is to disable the sftp subsystem as follows. Note that sftp file transfer through this server is then unavailable until you install the fixed build.

  1. Edit the SSH server's sshd2_config file and comment out the subsystem-sftp line. Note: The line should begin with two "pound" signs, as in this example:

      ## subsystem-sftp "fsshsftpd.exe"

  2. Restart the SSH server to read the change in the configuration file.

Future Updates

AttachmateWRQ posts notifications of security vulnerabilities on our Support site. Check http://support.wrq.com for updates to Reflection products.



Related Technical Notes
1700 Reflection Security Topics
1708 Security Updates and Reflection
1910 Security Updates and Reflection for Secure IT