What is the vulnerability?
It is a local privilege escalation exploit.
Which Tectia versions are vulnerable?
All Tectia Client and Server versions running on Windows (before version 6.4.19) are vulnerable.
I’m only running Tectia on UNIX, Linux or z/OS, does this affect me?
No, only Windows installations are vulnerable.
I’m using ConnectSecure, is it affected?
ConnectSecure running on Windows is vulnerable.
I’m using Universal SSH Key Manager, PrivX, Tectia Manager or CryptoAuditor, are they affected?
No.
How likely is it that my system has been a target?
The exploit requires that a malicious user is able to access the target system. This vulnerability was discovered internally by SSH.COM. There is no evidence of any system having been a target of an attack, and we consider it unlikely.
What do I need to do?
Please upgrade all Tectia Clients and Servers that are running under Windows to version 6.4.19.
Where can I download Tectia 6.4.19?
I have version 6.4.18, how safe is it to upgrade to 6.4.19?
6.4.19 is a patch release, so it only contains security fixes to the vulnerabilities, plus a few important fixes where the connection would fail in some corner cases.
I have been running 6.4.18 as an LTS version. How does this affect Long Term Support?
Version 6.4.19 is part of the 6.4 LTS stream, so the LTS contract will be transferred to it. It will be valid until March 2023.
I have version 6.4.17, what do I do?
Upgrade to 6.4.19. Version 6.4.18 is widely used and stable, and it has only one known regression, which is also fixed in 6.4.19. Please see the server and client release notes.
I have version 6.4.16 or earlier, what do I do?
These versions are out of support. Please upgrade to 6.4.19.
I have a very old version (6.3 or earlier), what do I do?
Please upgrade to 6.4.19; see this link for details on version compatibility.