Technical Description

A vulnerability has been identified in Reflection for Secure IT and F-Secure SSH Servers, which could be exploited by attackers to execute arbitrary commands or cause a denial of service. This flaw is due to a format string error in the SFTP logging functionality that fails to properly handle a specially crafted name file, which could be exploited by malicious users to cause a denial of service or by remote unauthenticated attackers to compromise a vulnerable server by convincing a user to "stat" a malicious file.

Affected Products

Reflection for Secure IT UNIX Server versions prior to 6.0.0.9
Reflection for Secure IT Windows Server versions prior to 6.0 build 38
F-Secure SSH Server for Windows versions prior to 5.3 build 35
F-Secure SSH Server for UNIX versions prior to 5.0.8

Solution

Reflection for Secure IT Windows Server - Upgrade to version 6.0 build 38 :
https://download.wrq.com/Upgrades/DownloadAgreement.aspx?code=RSSW
F-Secure SSH Server for Windows - Upgrade to version 5.3 build 35 :
http://patches.download.wrq.com/patchsearch.asp
Reflection for Secure IT UNIX Server - Upgrade to version 6.0.0.9 :
https://download.wrq.com/Upgrades/DownloadAgreement.aspx?code=RSSU
F-Secure SSH Server for UNIX - Upgrade to version 5.0.8 :
http://patches.download.wrq.com/patchsearch.asp

References

http://www.vupen.com/english/advisories/2006/0555
http://support.wrq.com/techdocs/1882.html

Credits

Vulnerability reported by the vendor

ChangeLog

2006-02-13 : Initial release

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.