F-Secure SSH Server Password Authentication Policy Evasion Vulnerability
BID:9824
Info
| Bugtraq ID: | 9824 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 09 2004 12:00AM |
| Updated: | Mar 09 2004 12:00AM |
| Credit: | This issue was reported via an F-Secure security advisory. The individual responsible for its discovery is currently unknown. |
| Vulnerable: | F-Secure SSH Server 3.1.0, F-Secure SSH Server 3.0.9, F-Secure SSH Server 3.0.8, F-Secure SSH Server 3.0.7, F-Secure SSH Server 3.0.6, F-Secure SSH Server 3.0.5, F-Secure SSH Server 3.0.4, F-Secure SSH Server 3.0.3, F-Secure SSH Server 3.0.2, F-Secure SSH Server 3.0.1, F-Secure SSH Server 3.0.0 |
| Not Vulnerable: | F-Secure SSH Server 3.1.0 build 9 |
Discussion
The F-Secure SSH server is affected by a password authentication policy evasion vulnerability. A design error potentially allows a user to authenticate with a password even when the SSH server is configured to deny password authentication.
This issue may give rise to weak password issues, because administrators who believe that password authentication is disallowed may not be enforcing strong password policies.
Exploit / POC
No exploit is required to leverage this issue.
Solution / Fix
Solution:
The vendor has released version 3.1.0 build 9, which addresses this issue. Please see the reference section to contact the vendor for details on obtaining the upgrade.
References
References:
- Vendor Home Page (F-Secure)