TITLE:
WRQ Reflection Secure IT SFTP Format String Vulnerability
SECUNIA ADVISORY ID:
SA18843
VERIFY ADVISORY:
http://secunia.com/advisories/18843/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
WRQ Reflection for Secure IT UNIX Server 6.x
http://secunia.com/product/8068/
F-Secure SSH for Windows 5.x
http://secunia.com/product/188/
F-Secure SSH for UNIX 5.x
http://secunia.com/product/8069/
F-Secure SSH for UNIX 4.x
http://secunia.com/product/8076/
F-Secure SSH for UNIX 3.x
http://secunia.com/product/2290/
WRQ Reflection for Secure IT Windows Server 6.x
http://secunia.com/product/5642/
DESCRIPTION:
A vulnerability has been reported in Reflection Secure IT, which can
be exploited by malicious users to compromise a vulnerable system.
The vulnerability is caused due to a format string error in the SFTP
component during logging of accessed file names. This can potentially
be exploited to execute arbitrary code via a file with specially
crafted file name.
Successful exploitation requires that a user is authenticated to the
SFTP service.
SOLUTION:
Update to a fixed version.
– Windows Server –
Reflection for Secure IT Windows Server:
Update to version 6.0 build 38.
F-Secure SSH Server for Windows:
Update to version 5.3 build 35.
– UNIX Server –
Reflection for Secure IT UNIX Server:
Update to version 6.0.0.9.
F-Secure SSH Server for UNIX:
Update to version 5.0.8.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
WRQ:
http://support.wrq.com/techdocs/1882.html
OTHER REFERENCES:
US-CERT VU#419241:
http://www.kb.cert.org/vuls/id/419241
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.