Bugtraq mailing list archives
Re: SafeWord Agent for SSH (secure shell) vulnerability
From: Leif Nixon <nixon () softlab ericsson se>
Date: 29 Nov 2001 12:04:48 +0100
Tony Chimienti <tony_chimienti () securecomputing com> writes:
> Clarification on some misrepresentation in the original posting:
>
> 1) The SafeWord Agent for SSH was not an SSH server, it in fact was only made up of modified files that were needed for a software build process. This build process would then create the necessary binary files to allow a SSH server to communicate with a SafeWord authentication server. Unfortunately those modified files were based on SSH.com's ssh v1.2.27 which is possibly known to cause a vulnerability on SSH servers.
I'm not sure what this paragraph means, but the product available for download consisted of a compressed tar archive, swagent4ssh.tar.Z. This archive contained documentation, libraries for using the SWEC authentication API (compiled for Linux, Solaris, AIX and HP-UX), a complete distribution of the sources for SSH 1.2.27, with modifications made to two files, configure and auth-passwd.c, and an installation script that automatically built and installed the SSH server.

This product *is* an SSH server, in any reasonable interpretation.

Moreover, this SSH server *is* vulnerable to a remote root exploit. Please refer to CERT Incident Note IN-2001-12:

http://www.cert.org/incident_notes/IN-2001-12.html

[I'm skipping the rest of Secure Computing's posting, since it consists primarily of word mincing.]

I present this incident as a case study of how *not* to handle a vulnerability in one's product. Please observe the following points:

- Although this particular vulnerability in SSH 1.2.27 (and others) was published to Bugtraq on Feb 8, 2001, Secure Computing has seemingly been unaware of it until now. One would think that a security software company would keep track of vulnerabilities in any software they use in their products.

- Upon being notified of the vulnerability, instead of responding with alacrity, Secure Computing took no discernible action while time dragged on. Not until the vulnerability in their product was published on Bugtraq did they stop its distribution.

- It took additional brow-beating in private correspondence before Secure Computing issued a public advisory, and when it now appears, it is extremely defensive, downplays the vulnerability, and accuses the original reporter of misrepresentation of facts.

This is not the way to establish a relation of trust with one's customers.
--
Leif Nixon
Network Security
Ericsson SoftLab AB
----------------------------------------------------------
E-mail: nixon () softlab ericsson se
Phone: +46 13 23 57 61
----------------------------------------------------------