SSH Communications Security has released a security advisory and updated software to address the SSH Tectia authentication bypass unauthorized access vulnerability.
SSH Tectia server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted system.
The vulnerability is due to insufficient security restrictions imposed on the password change feature in the affected system. An unauthenticated, remote attacker could exploit this vulnerability by logging in to the system with an empty password. If successful, the attacker could gain unauthorized access to the system.
Functional code that exploits this vulnerability is available as part of the Metasploit framework.
SSH Communications Security has confirmed this vulnerability and released software updates.
The following SSH Tectia Server versions are vulnerable:
SSH Tectia Server for Unix and Linux prior to 6.3.3
SSH Tectia Server for Unix and Linux prior to 6.2.6
SSH Tectia Server for Unix and Linux prior to 6.1.13
SSH Tectia Server for Unix and Linux prior to 6.0.20
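The fixed releases above are per maintenance branch, so a single "older than 6.3.3" comparison would wrongly flag a patched 6.2.6 server. The following sketch is an added example, not code from SSH Communications Security or from this alert. It classifies already-collected SSH identification strings branch by branch; the Tectia banner layout and the sample hosts are assumptions constructed for illustration.

```python
import re

# First fixed release per maintenance branch, taken from the list above.
FIXED = {(6, 3): 3, (6, 2): 6, (6, 1): 13, (6, 0): 20}

# RFC 4253 identification string: SSH-protoversion-softwareversion SP comments.
# Assumption: Tectia reports a dotted version as softwareversion and the
# product name in the comments field.
BANNER = re.compile(r"^SSH-[\d.]+-(\d+)\.(\d+)\.(\d+)(?:\.\d+)*\s+(.*)$")

# Constructed inventory for illustration, not real hosts or real banners.
SAMPLE_BANNERS = {
    "host-a": "SSH-2.0-6.1.9.95 SSH Tectia Server",
    "host-b": "SSH-2.0-6.2.6.12 SSH Tectia Server",
    "host-c": "SSH-2.0-6.0.20.3 SSH Tectia Server",
    "host-d": "SSH-2.0-6.3.2.33 SSH Tectia Server",
    "host-e": "SSH-2.0-OpenSSH_5.9",
    "host-f": "SSH-2.0-5.3.8.2 SSH Tectia Server",
}

def classify(banner):
    """Return 'vulnerable', 'fixed', 'unknown-branch' or 'not-tectia'."""
    m = BANNER.match(banner.strip())
    if not m or "tectia server" not in m.group(4).lower():
        return "not-tectia"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    first_fixed = FIXED.get((major, minor))
    if first_fixed is None:
        # Branch not named in the alert: flag for manual review, never
        # assume it is safe.
        return "unknown-branch"
    # Compare only within the branch; the banner does not show the platform,
    # so Unix/Linux must be confirmed separately.
    return "vulnerable" if patch < first_fixed else "fixed"

def audit(banners):
    """Map each classification to the sorted hosts that received it."""
    report = {}
    for host, banner in banners.items():
        report.setdefault(classify(banner), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_BANNERS).items()):
        print(f"{status}: {', '.join(hosts)}")
```

A banner can be altered or hidden by configuration, so the result is a triage aid; confirm the installed package version on each host before closing it out.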
To exploit this vulnerability, an attacker must establish a connection with an SSH Tectia installation running on UNIX and provide a valid username. The access requirements may make exploitation more difficult.
SSH Communications Security has released a security advisory at the following link: CVE-2012-5975
An unauthenticated, remote attacker could exploit this vulnerability to bypass security restrictions and gain unauthorized access as the root user to an affected system. The attacker could use this access to launch further attacks.
The vulnerability is in the authentication mechanism used by the server while handling login attempts. During login, the affected software fails to validate the SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request, which could bypass the login routine and force a password change request to be generated before password authentication.
An unauthenticated, remote attacker could exploit this vulnerability by logging in to a targeted system without a password and forcing a password change request before authentication. Successful exploitation could allow the attacker to gain unauthorized access as the root user to the targeted system. The attacker could use this access to launch further attacks.
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Administrators are advised to monitor affected systems.
Version 2, December 5, 2012, 6:49 AM: Functional code that demonstrates an exploit of the SSH Tectia authentication bypass unauthorized access vulnerability is publicly available.
Version 1, December 4, 2012, 8:52 AM: SSH Tectia server contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and gain unauthorized access to a targeted system. Updates are not available.
The security vulnerability applies to the following combinations of products.
Vendor: SSH Communications Security, Inc
Product: SSH Tectia Server (Unix)
Versions: 6.0 (.0, .1, .2, .3, .4, .5, .11) | 6.1 (.9) | 6.2 (Base) | 6.3 (Base)
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.