Bitvise Not Affected

Notified:  September 07, 2005 Updated: September 08, 2005

Status

Not Affected

Vendor Statement

Bitvise SSH server for Windows, WinSSHD, is not affected by this issue. The server's private key is stored in the WinSSHD registry key with permissions properly set by the installation program, restricting access to administrators and the Local System account only.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cygwin Unknown

Updated:  July 25, 2005

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

F-Secure Affected

Notified:  July 21, 2005 Updated: July 27, 2005

Status

Affected

Vendor Statement

All versions of the F-Secure SSH Server for Windows and Reflection for Secure IT server for SSH on Windows are subject to the hostkey vulnerability. For details of workarounds or to request an upgrade to fix the vulnerability, please contact AttachmateWRQ technical support: http://support.wrq.com/programs/requesting_support.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

SSH Communications Security Affected

Updated:  July 18, 2005

Status

Affected

Vendor Statement

Affected Productions SSH Secure Shell for Windows Servers (all versions) SSH Tectia Server (Windows) 4.3.1 and older versions Remediation 1a) Update the SSH Tectia Server For Windows installation to version 4.3.2, or 1b) Manually make the hostkey file readable only for Administrator group. Default location of file may have been modified in server configuration. However, the default location of the secret part of the host key is C:\Program Files\SSH Communications Security\SSH Secure Shell Server\hostkey and optionally in systems, that were upgraded 2) Generate a new hostkey for system. Caution! The changed hostkey causes warning in clients connecting to the system.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Because the hostkey may have been comprised, we also suggest that you create a new hostkey for the system.

VanDyke Software Affected

Notified:  July 25, 2005 Updated: August 12, 2005

Status

Affected

Vendor Statement

Description: In VShell versions 2.3.5 and earlier for Windows, when a host key is automatically created by VShell, the host key file inherits the permissions of its parent directory, potentially allowing access to authenticated users. Affected Product Versions: - VShell for Windows, version 2.3.5 and earlier. Solution: VShell version 2.3.6 will ensure that when a host key is automatically generated, the permissions on the host key file will be set such that only SYSTEM and members of the Administrators group will have access rights. VShell users with existing host key files can correct the permissions by modifying the Access Control List for the private host key file such that only SYSTEM and Administrators have access. By default, the private host key file is created as: C:\Program Files\VShell\hostkey Note: If you have configured VShell to run as a user other than SYSTEM, you will need to allow this user access to the host key file.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Because the hostkey may have been comprised, we also suggest that you create a new hostkey for the system.

WRQ, Inc. Affected

Notified:  July 21, 2005 Updated: August 30, 2005

Status

Affected

Vendor Statement

Products Affected: F-Secure SSH Server for Windows (all versions) Reflection for Secure IT Windows Server (version 6.0 build 19 and older) Problem Correction: Upgrade to Reflection for Secure IT Windows Server version 6.0 build 24 or manually change the permissions of the host's private key file (hostkey) to be readable by members of the Administrator's group only. The default location of the file is: C:\Program Files\F-Secure\ssh server\hostkey. (You may have modified this location during installation.) AttachmateWRQ recommends generating new host keys for all Windows servers to ensure that this vulnerability cannot be exploited. Note: When server host keys are regenerated, users will receive a warning message stating that the host's key has changed. Let your users know to expect this behavior, or generate and distribute new known_hosts files that include the new keys. For additional details and server upgrade information, please see: http://support.wrq.com/techdocs/1867.html AttachmateWRQ also recommends that you bookmark and regularly check the Security Updates and Reflection for Secure IT web page for the latest information about updates and vulnerabilities: http://support.wrq.com/techdocs/1910.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.