(The Vendor Responds) Re: Secure Computing's SafeWord Agent for SSH Gives Remote Users Root Level Access to the SSH Server
SecurityTracker Alert ID: 1002852|
SecurityTracker URL: http://securitytracker.com/id/1002852
(Links to External Site)
Date: Nov 29 2001
Execution of arbitrary code via network, Root access via network|
Vendor Confirmed: Yes |
Secure Computing's SafeWord Agent for SSH, which was available to some customers for use with the SafeWord PremierAccess product, is based on SSH code that is vulnerable to the CRC-32 compenstation attack security flaw. The underlying SSH server flaw allows remote users to gain root level access to the SSH server.|
The vendor has provided a response to our original report which may have incorrectly implied that SafeWord PremierAccess was vulnerable.
The vendor notes that the SafeWord Agent for SSH is not an SSH server, but may be used along with a (vulnerable) SSH server. This Agent was made available via the Secure Computing web site and was not bundled with SafeWord PremierAccess. The Agent has since been removed from the web site and Secure Computing offers an alternative for customers that want to use SafeWord with an SSH server (see the Solution section). There is no flaw in SafeWord PremierAccess.
See the Source Message for the vendor's full response.
A remote user can gain root level access to the server running SafeWord Agent for SSH (due to the underlying flaw in the SSH server that would be running on that system). SafeWord PremierAccess is not affected.|
Secure Computing recommends that if a customer is currently using or wishes to use a SSH server and protect it with SafeWord PremierAccess, they should use OpenSSH and use the SafeWord PremierAccess Agent for PAM. SafeWord PremierAccess operates with OpenSSH through the Pluggable Authentication Module (PAM) framework. Secure Computing has a detailed application note on how to use OpenSSH and the SafeWord PAM agent for authentication with SafeWord PremierAccess. Please go to|
http://www.securecomputing.com/index.cfm?sKey=827 to access this application note.
Vendor URL: www.securecomputing.com/index.cfm?sKey=643 (Links to External Site)
UNIX (Solaris - SunOS), Windows (2000)|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Date: Wed, 28 Nov 2001 21:30:34 -0500|
Subject: vendor response to a vulnerability report
This is Secure Computing's response to a security alert that was posted
on www.securitytracker.com on Nov 23, 2001. The posting was related
specifically to the SafeWord Agent for SSH (secure shell), but implied
there was a security risk directly tied to SafeWord PremierAccess, which is
false. Secure Computing has since removed the SafeWord Agent for SSH from the
Secure Computing public web site and is longer available from any
Clarification on some misrepresentation in the original posting:
1) The SafeWord Agent for SSH was not an SSH server, it in fact was only
made up of modified files that were needed for a software build process.
This build process would then create the necessary binary files to allow
a SSH server to communicate with a SafeWord authentication server.
Unfortunately those modified files were based on SSH.com's ssh v1.2.27
which is possibly known to cause a vulnerability on SSH servers. Secure
Computing has since removed these modified files from our web site and regrets any inconvenience it may have caused our customers.
2) SafeWord PremierAccess or any other commercially available product from
Secure Computing has never shipped with the SafeWord Agent for SSH, and in
fact this code is not part of the currently shipping SafeWord PremierAccess
product nor is the SafeWord SSH agent on any of the PremierAccess CD's
available today, including the SafeWord Deployment CD, which includes
several different agents. The SafeWord SSH agent was only made available for
download from the SCC web site for customers who wished to build binary
files for use with SafeWord authentication servers. Again these files
have since been removed from the Secure Computing web site and can no longer
3) SafeWord PremierAccess servers were never the cause of any security
vulnerabilities mentioned in this alert and PremierAccess continues to
set the standard in authentication and access control functionality.
It is recommended that if a customer is currently using or wishes to use
a SSH server and protect it with SafeWord PremierAccess, they should use
OpenSSH and use the SafeWord PremierAccess Agent for PAM. SafeWord
PremierAccess operates with OpenSSH through the Pluggable Authentication
Module (PAM) framework. Secure Computing has a detailed application note
on how to use OpenSSH and the SafeWord PAM agent for authentication with
SafeWord PremierAccess. Please go to
http://www.securecomputing.com/index.cfm?sKey=827 to access this