
CERT Coordination Center

Reflection for Secure IT Windows Server can allow login to renamed built-in accounts

Vulnerability Note VU#902110

Original Release Date: 2005-08-31 | Last Revised: 2005-09-16

Overview

WRQ Reflection for Secure IT Windows Server 6.0 can allow a user to log in to the Windows built-in accounts Administrator and Guest under their default names after those accounts have been renamed.

Description

Microsoft Windows includes the built-in accounts Administrator and Guest. If those accounts are renamed after SSH key authentication has been configured, Reflection for Secure IT Windows Server 6.0 may continue to accept the SSH keys that were associated with the account under its original name.

Impact

A malicious user who holds an SSH key that was authorized for the built-in account before it was renamed can use that key to gain authenticated access as the account.

Solution

Workaround #1 (from WRQ):

Change the server configuration using the GUI as follows:

1. Add the string 'administrator' (without the quotation marks) to the Deny login for users in User Restrictions.
2. Create a subconfiguration entry in the Advanced screen by adding a UserSpecificConfig line to the end of the file, for example: "UserSpecificConfig  New-Admin-Name  admin.config"
3. Click the Apply button to notify the running server of the changes.
4. Create a file named admin.config in the folder where the server was installed (usually C:\Program Files\F-Secure\ssh server) that contains the following line:
    UserConfigDirectory "C:\\Documents and Settings\\administrator\\.ssh2"

Note: The doubled back slashes ( \\ ) are required. Both the sshd2_config and admin.config files should have their file protections changed to permit only the Administrator group to access these files.

Workaround #2 (from WRQ):

Create a folder in the "Documents and Settings" folder with the renamed user name (such as New-Admin-Name) and create a .ssh2 folder there (for example, C:\Documents and Settings\New-Admin-Name\.ssh2). Then move - do not copy - all public key files and the authorization file to this new folder.

Remember to set the file protections on these folders to permit only the New-Admin-Name user access to these files.
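The following model, added here and not code from WRQ or the Reflection product, shows why both workarounds close the gap. It assumes the server resolves a user's key directory as C:\Documents and Settings\<login name>\.ssh2 unless a UserSpecificConfig entry supplies a UserConfigDirectory, that login names and Windows paths compare case-insensitively, and that the "Deny login for users" list is checked before any key lookup. The real product's lookup rules are not documented on this page, so those are assumptions; the key string, the file names and the state transitions are constructed for the illustration.

```python
"""Model of an SSH server that keys its authorized-key directory on the
login name, so a renamed built-in account's old keys stay valid, and of
the two WRQ workarounds for it.  Added illustration; assumptions noted.
"""
import ntpath  # builds and normalises Windows-style paths on any OS
import re
from dataclasses import dataclass, field

PROFILE_ROOT = r"C:\Documents and Settings"
OLD_KEY = "ssh-rsa AAAA...key-authorised-before-the-rename"  # constructed


@dataclass
class ServerState:
    sshd2_config: str = ""                           # main config text
    subconfigs: dict = field(default_factory=dict)   # file name -> contents
    deny_users: set = field(default_factory=set)     # GUI "Deny login for users"
    # normalised directory -> keys listed in that directory's authorization file
    key_dirs: dict = field(default_factory=dict)


def parse_user_specific(sshd2_config: str) -> dict:
    """Collect 'UserSpecificConfig <login> <file>' lines as login -> file."""
    mapping = {}
    for line in sshd2_config.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "UserSpecificConfig":
            mapping[parts[1].lower()] = parts[2]   # assumption: case-insensitive
    return mapping


def parse_user_config_directory(subconfig: str):
    """Read 'UserConfigDirectory "..."' and collapse the doubled backslashes
    the advisory says are required in the file."""
    for line in subconfig.splitlines():
        m = re.match(r'\s*UserConfigDirectory\s+"(.*)"\s*$', line)
        if m:
            return m.group(1).replace("\\\\", "\\")
    return None


def key_directory(login: str, state: ServerState) -> str:
    """Directory the server would search for this login's authorization file."""
    sub = parse_user_specific(state.sshd2_config).get(login.lower())
    if sub is not None and sub in state.subconfigs:
        override = parse_user_config_directory(state.subconfigs[sub])
        if override:
            return ntpath.normcase(override)
    # default: profile directory named after the login as typed
    return ntpath.normcase(ntpath.join(PROFILE_ROOT, login, ".ssh2"))


def authenticate(login: str, key: str, state: ServerState) -> bool:
    """Deny list first, then look the key up in the resolved directory."""
    if login.lower() in state.deny_users:
        return False
    return key in state.key_dirs.get(key_directory(login, state), set())


def renamed_server() -> ServerState:
    """State just after Administrator was renamed to New-Admin-Name: the old
    profile folder, with its .ssh2 keys, is still on disk."""
    old_dir = ntpath.normcase(ntpath.join(PROFILE_ROOT, "administrator", ".ssh2"))
    return ServerState(key_dirs={old_dir: {OLD_KEY}})


def apply_workaround_1(state: ServerState) -> ServerState:
    """Deny the old name and point the new name at the old key directory."""
    state.deny_users.add("administrator")
    state.sshd2_config += "\nUserSpecificConfig  New-Admin-Name  admin.config\n"
    state.subconfigs["admin.config"] = (
        r'UserConfigDirectory "C:\\Documents and Settings\\administrator\\.ssh2"' + "\n"
    )
    return state


def apply_workaround_2(state: ServerState) -> ServerState:
    """Move (not copy) the key files into the renamed account's profile."""
    old_dir = ntpath.normcase(ntpath.join(PROFILE_ROOT, "administrator", ".ssh2"))
    new_dir = ntpath.normcase(ntpath.join(PROFILE_ROOT, "New-Admin-Name", ".ssh2"))
    state.key_dirs[new_dir] = state.key_dirs.pop(old_dir)
    return state


def outcomes(state: ServerState) -> dict:
    """Whether the pre-rename key still logs in under each name."""
    return {
        "old name": authenticate("administrator", OLD_KEY, state),
        "new name": authenticate("New-Admin-Name", OLD_KEY, state),
    }


if __name__ == "__main__":
    print("after rename only:", outcomes(renamed_server()))
    print("workaround #1:   ", outcomes(apply_workaround_1(renamed_server())))
    print("workaround #2:   ", outcomes(apply_workaround_2(renamed_server())))
```

In the unpatched state the old key authenticates under the default name "administrator" and fails under the new one, which is the condition the note describes. Workaround #1 blocks the default name outright and redirects the renamed account to the surviving key directory; workaround #2 removes the old directory's contents altogether, so there is nothing left for the default name to match. The model also shows why the advisory insists on moving rather than copying: a copy would leave the old directory populated and the old name still usable.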

Vendor Information


WRQ, Inc. - Affected

Updated: July 28, 2005

Status

Affected

Vendor Statement

Workaround #1:

Change the server configuration using the GUI as follows:

1. Add the string 'administrator' (without the quotation marks) to the Deny login for users in User Restrictions.
2. Create a subconfiguration entry in the Advanced screen by adding a UserSpecificConfig line to the end of the file, for example: "UserSpecificConfig  New-Admin-Name  admin.config"
3. Click the Apply button to notify the running server of the changes.
4. Create a file named admin.config in the folder where the server was installed (usually C:\Program Files\F-Secure\ssh server) that contains the following line:
    UserConfigDirectory "C:\\Documents and Settings\\administrator\\.ssh2"

Note: The doubled \\ are required. Both the sshd2_config and admin.config files should have their file protections changed to permit only the Administrator group to access these files.

Workaround #2:

Create a folder in the "Documents and Settings" folder with the renamed user name (such as New-Admin-Name) and create a .ssh2 folder there (for example, C:\Documents and Settings\New-Admin-Name\.ssh2). Then move - do not copy - all public key files and the authorization file to this new folder.

Remember to set the file protections on these folders to permit only the New-Admin-Name user access to these files.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F-Secure Corporation - Not Affected

Updated: July 28, 2005

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

According to WRQ, F-Secure SSH for Windows did not support this type of authentication, and is therefore not vulnerable.

Acknowledgements

Thanks to WRQ for reporting this issue.

This document was written by Hal Burch.

Other Information

CVE IDs: None
Severity Metric: 0.11
Date Public: 2005-08-25
Date First Published: 2005-08-31
Date Last Updated: 2005-09-16 14:55 UTC
Document Revision: 15

Sponsored by CISA.