SSH Communications Security >> http://www.ssh.com
=======================================================================
CPNI Advisory Reference CPNI-957037
http://www.cpni.gov.uk/Products/3716.aspx
A security issue affecting also the SSH Tectia client/server solution has been found. This issue can create a vulnerability in systems that have the SSH Tectia Client or SSH Tectia Server package installed.
DESCRIPTION
The attacker that is able to listen an encrypted Secure Shell (SSH) connection and actively steal the network connection (TCP) can in some situations obtain up to 4 bytes of cleartext data from the session. The attack attempt causes the attacked connection to be disconnected immediately. The attack works only against protocol sessions that are encrypted using a block cipher algorithm in the cipher-block chaining (CBC) mode. Exploiting this vulnerability is very difficult.
AFFECTED PRODUCTS
* SSH Tectia Client and Server and ConnectSecure 6.0.4 and older in the 6.x series
* SSH Tectia Client and Server and Connector 5.3.8 and older in the 5.3.x series
* SSH Tectia Client and Server and Connector 5.2.4 and older in the 5.x series
* SSH Tectia Client and Server and Connector 4.4.11 and older in the 4.x series
* SSH Tectia Server for Linux on IBM System z 6.0.4
* SSH Tectia Server for IBM z/OS 6.0.1 and 6.0.0
* SSH Tectia Server for IBM z/OS 5.5.1 and older
* SSH Tectia Client 4.3.3-J (Japanese) and older in the 4.x-J series
* SSH Tectia Client 4.3.10-K (Korean) and older in the 4.x-K series
PRODUCTS NOT AFFECTED
* SSH Tectia Client and Server and ConnectSecure 6.0.5
* SSH Tectia Client and Server and Connector 5.3.9
* SSH Tectia Client and Server and Connector 5.2.5
* SSH Tectia Client and Server and Connector 4.4.12
* SSH Tectia Server for Linux on IBM System z 6.0.5
* SSH Tectia Server for IBM z/OS 6.0.2
* SSH Tectia Server for IBM z/OS 5.5.2
* SSH Tectia Client 4.3.4-J (Japanese)
FIX / WORKAROUND
An immediate workaround is to refrain from using CBC mode block ciphers in Secure Shell (SSH) sessions. In practice this can be achieved with the SSH Tectia products by using either CryptiCore or Arcfour as the encryption algorithm.
We recommend that you also update your system to an SSH Tectia client/server solution version which is not vulnerable. Once the update has been made, you can safely use the product again.
UPDATING SSH TECTIA CLIENT AND SSH TECTIA SERVER
If you are a Maintenance Customer, you can download the installation packages from SSH Customer Download Center at https://downloads.ssh.com. The products provided here include valid license files.
If you are not a currently active Maintenance Customer, you can reinstate your Maintenance by contacting your SSH Sales office (go to http://www.ssh.com for contact info).
SSH Communications Security apologizes for any inconvenience that this vulnerability may have caused. We take security of the systems of our customers very seriously and do our utmost to provide secure software with minimum defects. We strongly urge all customers to consider the implications of this vulnerability carefully and to make an educated decision on actions.
=======================================================================
# SSH Security Alert Mailing List #
-----------------------------------------------------------------------
This e-mail has been sent to the users of SSH products and others who have been in contact with us in the past and who have agreed that we send you security alerts. To unsubscribe from the mailing list, send a blank e-mail to ssh-news-alert-unsubscribe@lists.ssh.com from the e-mail account you wish to unsubscribe, or visit http://www.ssh.com/company/newsroom/unsubscribe.mpl .
=======================================================================
Sincerely,
SSH Communications Security >> http://www.ssh.com
Unsubscribe from this newsletter.