The SSH Communications Security Tectia Client and Server products are vulnerable to privilege escalation, which may allow a local user to gain root access.
The SSH Tectia Client and Server products contain an unspecified privilege escalation vulnerability in ssh-signer. A local user may be able to obtain root access. According to SSH Communications Security:
* SSH Tectia client and SSH Tectia Server 5.0, 5.1, 5.2 and 5.3 up to 5.2.3 and 5.3.5 (all Linux and Unix)
NOT AFFECTED PRODUCTS
* 4.x or older SSH Tectia client/server solution versions are NOT affected.
* Any version of SSH Tectia client/server solution for IBM mainframes is NOT affected.
* Any version of SSH Tectia client/server solution for Windows is NOT affected.
A local user may be able to obtain root access.
Apply an update
This issue is addressed in SSH Tectia Client/Server solution 5.2.4 and 5.3.6.
This vulnerability can be mitigated by removing the ssh-signer binary, which is located in /opt/tectia/libexec/. Note that this will disable host-based authentication of the SSH Tectia Client. This will have no adverse effect on SSH Tectia Server.
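A host check built from the version ranges and the workaround above, added here as an example and not taken from the vendor or from this note. The function names are hypothetical, the version string is assumed to be supplied by the operator (for example from the package manager), and the setuid test is informational only.

```shell
#!/bin/sh
# Added example: audit a host for the ssh-signer exposure described in this note.
# Ranges and path come from the advisory; the function names are hypothetical.

# Exit 0 if VERSION is in an affected range (5.0.x, 5.1.x, 5.2.0-5.2.3,
# 5.3.0-5.3.5), 1 if it is outside them, 2 if it cannot be parsed.
tectia_version_affected() {
    ver=${1%%[-_ ]*}                      # drop a build suffix such as "-12"
    case $ver in *.*) ;; *) return 2 ;; esac
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;
    esac
    for part in "$major" "$minor" "$patch"; do
        case $part in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -eq 5 ] || return 1
    case $minor in
        0|1) return 0 ;;
        2)   [ "$patch" -le 3 ] ;;
        3)   [ "$patch" -le 5 ] ;;
        *)   return 1 ;;
    esac
}

# Print the state of ssh-signer under DIR (default: the advisory's path).
# "absent" means the workaround has been applied.
signer_status() {
    signer=${1:-/opt/tectia/libexec}/ssh-signer
    if [ ! -e "$signer" ]; then echo absent
    elif [ -u "$signer" ]; then echo present-setuid
    else echo present
    fi
}

# Combine both checks: tectia_audit VERSION [DIR]
tectia_audit() {
    rc=0; tectia_version_affected "$1" || rc=$?
    case $rc in
        1) echo "not-listed: $1 is outside the affected ranges"; return 0 ;;
        2) echo "unknown: cannot parse version '$1'"; return 0 ;;
    esac
    case $(signer_status "$2") in
        absent) echo "mitigated: $1 is affected, ssh-signer removed" ;;
        *)      echo "exposed: $1 is affected, ssh-signer installed" ;;
    esac
}
```

Run it as `tectia_audit 5.3.5` on Linux or Unix hosts only; the advisory lists the Windows and IBM mainframe builds as not affected.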
Updated: January 08, 2008
Immediate work-around is to remove the ssh-signer binary which is located in /opt/tectia/libexec/.
Note that this will disable host-based authentication of the SSH Tectia Client.
This has no adverse effect on SSH Tectia Server installation.
You can also update your system to SSH Tectia client/server solution 5.2.4 or 5.3.6, which will fix the vulnerability.
Once the update has been made, you can safely use the product again.
The vendor has not provided us with any further information regarding this vulnerability.
Thanks to Tuomas Siren for reporting this vulnerability.
This document was written by Will Dormann.
CVE IDs: | CVE-2007-5616
Severity Metric: | 2.25
Date Public: | 2008-01-08
Date First Published: | 2008-01-08
Date Last Updated: | 2008-01-14 14:53 UTC
Document Revision: | 6