
Reflection for Secure IT Server Security Vulnerability Update and Workaround: SFTP Subsystem Server
Technical Note 1882
Last Reviewed 02-Apr-2009
Applies To
Reflection for Secure IT UNIX Server version 6.0
Reflection for Secure IT Windows Server version 6.0
F-Secure SSH Server for Windows version 5.x
F-Secure SSH Server for UNIX version 3.x through 5.x
Summary

This technical note describes a security vulnerability in Reflection for Secure IT Windows and UNIX Servers and F-Secure SSH Servers for Windows and UNIX. Please evaluate your exposure and either upgrade your systems with the fix we provide or apply the recommended workaround.

Note: This issue does not apply to Reflection for Secure IT UNIX or Windows Server version 6.1 and higher.

Overview

The logging functionality in the sftp subsystem of the Attachmate Reflection for Secure IT and F-Secure servers on UNIX and Windows contains a format string vulnerability: a file name supplied by an sftp client reaches the logging code as a format string rather than as data. If a remote attacker can persuade an authenticated SSH user to stat a specially crafted file, the sftp subsystem might execute arbitrary code at the privilege level of that user. A malicious authenticated user could also use the same flaw to launch a denial-of-service attack against the SSH server.
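The following is an added example and is not Attachmate or F-Secure code. It models the bug class described above: a log routine that splices the client-supplied path into the format argument lets any '%' sequence in the file name be interpreted as a conversion instead of being logged literally, while a fixed format with the path passed as data logs it unchanged. The shell's printf stands in for the C printf/syslog family (which is where '%x' reads memory and '%n' writes it, turning the bug into code execution); the function names, the log line layout and the sample log lines are all invented for the example.

```shell
#!/bin/sh
# Added example, not Attachmate or F-Secure code. Models the sftp logging
# format string bug: client-chosen path used as the printf format (bad)
# versus passed as a data argument under a fixed format (good).

# Vulnerable pattern: the path ends up inside the format string, so a
# name such as 'notes%s%s.txt' is logged as 'notes.txt' because the two
# '%s' are consumed as (missing) arguments. In native code the same
# conversions read the stack and '%n' writes to it.
log_stat_vulnerable() {
    path=$1
    user=${2:-unknown}
    printf "sftp: stat of $path by $user\n"
}

# Hardened pattern: literal format; path and user are passed as data and
# are reproduced byte for byte.
log_stat_safe() {
    path=$1
    user=${2:-unknown}
    printf 'sftp: stat of %s by %s\n' "$path" "$user"
}

# Detection helper for a log review: count lines carrying a printf-style
# conversion ('%', optional flags/width/precision/length, conversion
# letter). Note that an innocent name like '100%done.log' is also
# flagged, because '%d' is a valid conversion and would be interpreted by
# the vulnerable logger just the same.
count_format_directives() {
    grep -cE '%[-+ #0]*[0-9]*(\.[0-9]+)?(hh|h|l|ll)?[diouxXeEfgGcspn]' || true
}

# Constructed sample log lines (not real server output) for the detector.
sample_log_lines() {
    printf '%s\n' \
        'sftp: stat of quarterly-report.txt by alice' \
        'sftp: stat of %08x.%08x.%08x.%n by mallory' \
        'sftp: stat of 100%done.log by bob' \
        'sftp: stat of %s%s%s%s by mallory'
}

# Stand-alone demonstration.
main() {
    echo "vulnerable: $(log_stat_vulnerable 'notes%s%s.txt' alice)"
    echo "safe:       $(log_stat_safe 'notes%s%s.txt' alice)"
    echo "lines with format directives in sample log: $(sample_log_lines | count_format_directives)"
}
main
```

The rule the hardened function follows is the same one that applies to the C logging functions: the format argument is always a literal, and anything that came from a client (file name, user name, client version string) is only ever supplied as data.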

Solution

The issue has been fixed in the following versions and builds, which are available for download from the Attachmate Download Library.

Windows Server

Reflection for Secure IT Windows Server version 6.1 and higher
Reflection for Secure IT Windows Server version 6.0 build 38
F-Secure SSH Server for Windows version 5.3 build 35

UNIX Server

Reflection for Secure IT UNIX Server version 6.1 and higher
Reflection for Secure IT UNIX Server version 6.0.0.9
F-Secure SSH Server for UNIX version 5.0.8

Please upgrade your installation to address the vulnerability.

Obtaining the Upgrade Files

Maintained customers are eligible to download the updated packages from https://download.attachmate.com/Upgrades/. You will need the login information sent to you from Attachmate.

If you have questions about using the Download Library site, see Technical Note 0200.

Optional Workaround

If you are not able to upgrade your SSH server to a fixed version, you can implement the following workaround to ensure that this vulnerability cannot be exploited.

On UNIX Servers

  1. Edit the SSH server's sshd2_config file:
     a. Change the line

        subsystem-sftp internal://sftp-server

        to

        subsystem-sftp sftp-server

        Note: This change disallows the use of chroot.

     b. Comment out the SftpSyslogFacility keyword line. Note: The line should begin with two hash marks, as in this example:

        ## SftpSyslogFacility LOCAL7

  2. Restart the SSH server.
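The following script is an added example, not Attachmate code. It applies the two sshd2_config edits of the UNIX workaround and then verifies that the file is in the worked-around state, which is what you would want when rolling the change out to many hosts. It assumes the config path is passed as an argument (this note does not give the path), that the two lines look as shown in the note, and that the operator restarts the SSH server afterwards (the restart command is not part of this note either). The backup suffix and function names are chosen for the example.

```shell
#!/bin/sh
# Added example, not Attachmate code: apply and verify the UNIX workaround
# from Technical Note 1882 on an sshd2_config file.
# Usage: sh apply-tn1882.sh /path/to/sshd2_config   (then restart the SSH server)

BACKUP_SUFFIX=".pre-tn1882"   # suffix chosen for the example

# Rewrite the two lines the workaround names. Idempotent: a second run
# finds nothing left to change and does not overwrite the original backup.
apply_sftp_workaround() {
    cfg=$1
    [ -e "$cfg$BACKUP_SUFFIX" ] || cp -p "$cfg" "$cfg$BACKUP_SUFFIX" || return 1
    tmp="$cfg.tmp.$$"
    sed -e 's|^[[:space:]]*subsystem-sftp[[:space:]]\{1,\}internal://sftp-server[[:space:]]*$|subsystem-sftp sftp-server|' \
        -e 's|^[[:space:]]*SftpSyslogFacility|## SftpSyslogFacility|' \
        "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat rather than mv so the config keeps its owner and mode
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Succeed only when the file is in the worked-around state: no active
# internal:// sftp subsystem, no active SftpSyslogFacility line, and
# exactly one active subsystem-sftp line running the external sftp-server.
verify_sftp_workaround() {
    cfg=$1
    if grep -q '^[[:space:]]*subsystem-sftp[[:space:]]\{1,\}internal://' "$cfg"; then
        return 1
    fi
    if grep -q '^[[:space:]]*SftpSyslogFacility' "$cfg"; then
        return 1
    fi
    n=$(grep -c '^[[:space:]]*subsystem-sftp[[:space:]]\{1,\}sftp-server[[:space:]]*$' "$cfg" || true)
    [ "$n" -eq 1 ]
}

# Only act when invoked with a path, so the functions can also be sourced.
if [ -n "$1" ]; then
    apply_sftp_workaround "$1" && verify_sftp_workaround "$1" && echo "workaround applied to $1; restart the SSH server"
fi
```

The verify step is deliberately stricter than the apply step: it fails if an internal:// subsystem line survives under different spacing or quoting than the note shows, so an unexpected config layout is reported rather than silently left vulnerable. Remember that after this change chroot is no longer available for sftp sessions, as the note above says.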

On Windows Servers

The only workaround is to disable the sftp subsystem. To disable the subsystem, follow the steps below.

Note: Disabling the sftp subsystem disables sftp file transfer support.

  1. Edit the SSH server's sshd2_config file and comment out the subsystem-sftp line. Note: The line should begin with two hash marks, as in this example:

     ## subsystem-sftp "fsshsftpd.exe"

  2. Restart the SSH server.

Future Updates

Attachmate posts notifications of security vulnerabilities on our Support site. See Technical Note 1700 for information about security updates to Reflection products.

Related Technical Notes
0200 Using the Attachmate Download Library (FAQ)
1700 Reflection Security Topics
1708 Security Updates and Reflection
1901 Reflection for Secure IT Product Upgrades
1999 Reflection for Secure IT Technical Notes
2288 Security Updates and Reflection for Secure IT
