Vulnerability Alert

SSH Tectia Authentication Bypass Unauthorized Access Vulnerability

 
Threat Type: CWE-264: Permissions, Privileges, and Access Control
IntelliShield ID: 27540
Version: 3
First Published: 2012 December 04 13:52 GMT
Last Published: 2012 December 10 16:05 GMT
Port: Not available
CVE: CVE-2012-5975
BugTraq ID: 56783
Urgency: Possible use
Credibility: Confirmed
Severity: Moderate Damage
CVSS Base: 9.3 (CVSS Version 2.0)
CVSS Temporal: 7.7
 
Version Summary: SSH Communications Security has released a security advisory and updated software to address the SSH Tectia authentication bypass unauthorized access vulnerability.
 
 
Description
SSH Tectia server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted system.

The vulnerability is due to insufficient security restrictions imposed on the password change feature in the affected system. An unauthenticated, remote attacker could exploit this vulnerability by logging in to the system with an empty password. If successful, the attacker could gain unauthorized access to the system.

Functional code that exploits this vulnerability is available as part of the Metasploit framework.

SSH Communications Security has confirmed this vulnerability and released software updates.
 
Warning Indicators
The following SSH Tectia Server versions are vulnerable:
  • SSH Tectia Server for Unix and Linux prior to 6.3.3
  • SSH Tectia Server for Unix and Linux prior to 6.2.6
  • SSH Tectia Server for Unix and Linux prior to 6.1.13
  • SSH Tectia Server for Unix and Linux prior to 6.0.20
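
The version list above can be applied to an inventory of SSH identification strings to find servers that still need the update. The following is an added example, not part of the original alert or of any vendor tooling. It assumes that each listed version is the first fixed release of its own 6.x branch, that SSH Tectia Server names itself in the comments field of the RFC 4253 identification string, and that the banners and host names shown are constructed samples. A banner does not reveal the operating system, so hits still need to be confirmed as Unix or Linux installations.

```python
import re

# First fixed release per branch, taken from the alert's Warning Indicators list.
FIXED = {(6, 0): (6, 0, 20), (6, 1): (6, 1, 13), (6, 2): (6, 2, 6), (6, 3): (6, 3, 3)}

# RFC 4253 identification string: SSH-protoversion-softwareversion SP comments
IDENT = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<sw>\S+)(?: (?P<comments>.*))?$")


def classify(banner):
    """Return (status, version) for one SSH identification string."""
    m = IDENT.match(banner.strip())
    if not m:
        return ("not-ssh", None)
    # Assumption: Tectia servers name the product in the comments field.
    if "tectia" not in (m.group("comments") or "").lower():
        return ("not-tectia", None)
    vm = re.match(r"(\d+)\.(\d+)\.(\d+)", m.group("sw"))
    if not vm:
        return ("unparsed", None)
    version = tuple(int(x) for x in vm.groups())
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch is not in the alert; report it instead of guessing.
        return ("not-listed", version)
    return ("vulnerable" if version < fixed else "fixed", version)


def audit(inventory):
    """Map host -> (status, version) for a {host: banner} inventory."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (host names and banners are illustrative only).
SAMPLE = {
    "db01.example.internal": "SSH-2.0-6.3.2.33 SSH Tectia Server",
    "db02.example.internal": "SSH-2.0-6.3.3.81 SSH Tectia Server",
    "app01.example.internal": "SSH-2.0-6.1.9.95 SSH Tectia Server",
    "web01.example.internal": "SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1",
}

if __name__ == "__main__":
    for host, (status, version) in sorted(audit(SAMPLE).items()):
        shown = ".".join(map(str, version)) if version else "-"
        print(f"{host:28} {shown:10} {status}")
```
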
 
IntelliShield Analysis
To exploit this vulnerability, an attacker must establish a connection with an SSH Tectia installation running on UNIX and provide a valid username. The access requirements may make exploitation more difficult.
 
Vendor Announcements
SSH Communications Security has released a security advisory at the following link: CVE-2012-5975
 
Impact
An unauthenticated, remote attacker could exploit this vulnerability to bypass security restrictions and gain unauthorized access as the root user to an affected system. The attacker could use this access to launch further attacks.
 
Technical Information
The vulnerability is in the authentication mechanism used by the server while handling login attempts. During login, the affected software fails to validate the SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request, which could bypass the login routine by forcing a password change request to be generated before password authentication.

An unauthenticated, remote attacker could exploit this vulnerability by logging into a targeted system without a password and forcing a password change request before authentication. Successful exploitation could allow the attacker to gain unauthorized access as the root user to the targeted system. The attacker could use this access to launch further attacks.
 
Safeguards
Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to have network access.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

Administrators are advised to monitor affected systems.
 
Patches/Software
SSH Communications Security has released software updates for registered users at the following link: SSH Tectia Server for Unix/Linux
 
Alert History
 
Version 2, December 5, 2012, 6:49 AM: Functional code that demonstrates an exploit of the SSH Tectia authentication bypass unauthorized access vulnerability is publicly available.

Version 1, December 4, 2012, 8:52 AM: SSH Tectia server contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and gain unauthorized access to a targeted system. Updates are not available.


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Vendor: SSH Communications Security, Inc
Product: SSH Tectia Server (Unix)
Versions: 6.0 (.0, .1, .2, .3, .4, .5, .11) | 6.1 (.9) | 6.2 (Base) | 6.3 (Base)

Associated Products:
N/A



