What is the vulnerability?
It is a local privilege escalation vulnerability.
Which Tectia versions are vulnerable?
All Tectia Client and Server versions running on Windows (before version 6.4.19) are vulnerable.
I’m only running Tectia on UNIX, Linux or z/OS, does this affect me?
No, only Windows installations are vulnerable.
I’m using ConnectSecure, is it affected?
Yes. ConnectSecure running on Windows is vulnerable.
I’m using Universal SSH Key Manager, PrivX, Tectia Manager or CryptoAuditor, are they affected?
How likely is it that my system has been a target?
Exploiting it requires certain non-standard conditions, and the malicious user must already be able to access the target system. This was disclosed to us responsibly by Etienne Côté from KPMG-Egyde <firstname.lastname@example.org>. We are not aware of any system having been a target of a malicious attack.
What do I need to do?
Please upgrade all Tectia Clients and Servers that are running under Windows to version 6.4.19.
Where can I download Tectia 6.4.19?
I have version 6.4.18, how safe is it to upgrade to 6.4.19?
6.4.19 is a patch release, so it only contains security fixes to the vulnerabilities, plus a few important fixes where the connection would fail in some corner cases.
I have been running 6.4.18 as an LTS version; how does this affect Long Term Support?
Version 6.4.19 is part of the 6.4 LTS stream, so the LTS contract will be transferred to it. It will be valid until March 2023.
I have version 6.4.17, what do I do?
Upgrade to 6.4.19. Version 6.4.18 is widely used and stable, and it has only one known regression, which is also fixed in 6.4.19. Please see the server
I have version 6.4.16 or earlier, what do I do?
These versions are out of support. Please upgrade to 6.4.19.
I have a very old version (6.3 or earlier), what do I do?
Please upgrade to 6.4.19; see this link for details on version compatibility.