search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Reflection for Secure IT Windows Server 6.0 changed case sensitivity of allow and deny lists

Vulnerability Note VU#758054

Original Release Date: 2005-08-31 | Last Revised: 2005-09-01

Overview

Reflection for Secure IT Windows Server version 6.0 uses different case-sensitivity in evaluating the allow and deny lists as previous versions, potentionally allowing unintended access.

Description

Reflection for Secure IT Windows Server version 6.0, an SSH server from WRQ formerly known as F-Secure SSH server, provides allow and deny lists of regular expressions to configure the set of accounts that should be able to access the host. Prior to 6.0, these regular expressions were evaluated in a case-insensitive manner. In 6.0, the regular expressions are evaluated in a case-sensitive manner, potentionally allowing an attacker to login to previously-denied accounts.

Impact

A remote attacker may be able to login to previously-denied accounts, if the attacker can authenticate to the account (e.g., he knows the account's password).

Solution

Upgrade

According to WRQ, version 6.0, build 24 of Reflection for Secure IT Windows Server evaluates allow and deny strings in a case-insensitive manner. This restores the prior behavior, but may result in usernames matching the allow list that did not match in prior builds of version 6.0.


Manually Create Expressions

Enter regular expressions that match all case-combinations of the desired strings.

Vendor Information

758054
 
Expand all

WRQ, Inc. Affected

Updated:  August 30, 2005

Status

Affected

Vendor Statement

Problem Correction:

Upgrade to Reflection for Secure IT Windows Server version 6.0 build 24 or, if upgrading is not immediately possible, enter all possible case combinations of the strings in the "Deny login for users" and "Allow login for users" edit fields.

For additional details and server upgrade information, please see:
http://support.wrq.com/techdocs/1867.html

AttachmateWRQ recommends that you bookmark and regularly check the Security Updates and Reflection for Secure IT web page for the latest information about updates and vulnerabilities:
http://support.wrq.com/techdocs/1910.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Note that the upgrade restores case insensitivity, the behavior prior to version 6.0. This may result in usernames matching expressions in the allow list that did not match in earlier versions of Reflect for Secure IT Windows server v6.0.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F-Secure Corporation Not Affected

Updated:  July 28, 2005

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

http://support.wrq.com/techdocs/1910.html

Acknowledgements

Thanks to WRQ for reporting this issue.

This document was written by Hal Burch.

Other Information

CVE IDs: None
Severity Metric: 1.01
Date Public: 2005-08-25
Date First Published: 2005-08-31
Date Last Updated: 2005-09-01 15:29 UTC
Document Revision: 27

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis