COMMAND

    ssh

SYSTEMS AFFECTED

    HP-UX 10.20 and SSH 1.2.25

PROBLEM

    The following is based on the S.A.F.E.R. Security Bulletin. A
    vulnerability exists in HP-UX systems (tested on 10.20 that was
    converted to a "trusted system") using SSH 1.2.25. When an
    administrator creates a new user using SAM, no password is
    assigned, but a random number is generated which the user needs to
    input upon first login. However, if the user connects via SSH using
    the newly created username, no password authentication is performed
    and the user automatically drops into a shell.

    This can be especially dangerous on systems where users are added
    on a daily basis (universities, for example) and other users aware
    of this bug could gain access to newly created accounts (remote
    users could gain information about new users using the finger
    command, for example).

SOLUTION

    SSH 1.2.26 has been available for over a month now (this problem
    has been fixed). Also, version 2.0 of SSH has been released
    (completely rewritten). They are available for download at:

        ftp://ftp.cs.hut.fi/pub/ssh/