{"vuid":"VU#419241","idnumber":"419241","name":"Multiple vendor SFTP logging format string vulnerability","keywords":["sftp","arbitrary code execution","logging function","sftp-server"],"overview":"A logging function used by multiple vendors' SFTP servers contains a format string vulnerability, which may allow an authorized remote attacker to execute arbitrary code or cause a denial of service.","clean_desc":"SFTP\nSFTP (Secure FTP) is a file transfer application that uses SSH for encryption.\n\nThe problem\nThe logging function of several vendors' SFTP servers contains a format string vulnerability. Vulnerable products include:\nReflection for Secure IT UNIX Server version 6.0\nReflection for Secure IT Windows Server version 6.0\nF-Secure SSH Server for Windows version 5.x\nF-Secure SSH Server for UNIX version 3.x through 5.x","impact":"A remote authenticated attacker may be able to execute arbitrary code with the privilege of the user or cause a denial of service to the SSH server.","resolution":"Upgrade or patch\nAttachmateWRQ Reflection for Secure IT and F-Secure SSH Server users should install an upgrade, as specified in WRQ Tech Note 1882.","workarounds":"According to the WRQ Tech note, the following workaround may prevent exploitation of the vulnerability:\n\nOn UNIX Servers\n1. Edit the SSH server's sshd2_config file:\n   1. Change the line subsystem-sftp internal://sftp-server to subsystem-sftp sftp-server\n      Note: This change disallows the use of chroot.\n   2. Comment out the SftpSyslogFacility keyword line.\n      Note: The line should begin with two \"pound\" signs, as in this example: ## SftpSyslogFacility LOCAL7\n2. Restart the SSH server to read the changes in the configuration file.\n\nOn Windows Servers\nThe only workaround is to disable the sftp subsystem as follows:\n1. Edit the SSH server's sshd2_config file and comment out the subsystem-sftp line.\n   Note: The line should begin with two \"pound\" signs, as in this example: ## subsystem-sftp \"fsshsftpd.exe\"\n2. 
Restart the SSH server to read the change in the configuration file.","sysaffected":"","thanks":"Thanks to WRQ for reporting this vulnerability.","author":"This document was written by Will Dormann.","public":["http://support.wrq.com/techdocs/1882.html"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-01-13T18:25:53Z","publicdate":"2006-02-13T00:00:00Z","datefirstpublished":"2006-02-13T21:20:26Z","dateupdated":"2006-02-15T14:51:25Z","revision":10,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"10","cam_exploitation":"0","cam_internetinfrastructure":"15","cam_population":"6","cam_impact":"12","cam_easeofexploitation":"10","cam_attackeraccessrequired":"10","cam_scorecurrent":"3.375","cam_scorecurrentwidelyknown":"4.725","cam_scorecurrentwidelyknownexploited":"7.425","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":3.375,"vulnote":null}