SSH Kerberos tickets disclosure
ssh-kerberos-tickets-disclosure (4903)
Description:
SSH (Secure Shell) could allow an attacker to retrieve Kerberos tickets of other users. When a user logs in using SSH, the user's KRB5CCNAME environment variable is set to the value "none". If Kerberos is used during the session, Kerberos tickets are stored in a file named "none" in the current directory. If insecure file-sharing protocols such as NFS and SMB are used, an attacker can retrieve other users' Kerberos tickets.
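One way to check a session for the condition described above, as an added example that is not part of the original advisory: the shell functions below classify a KRB5CCNAME value and flag a relative file cache such as "none", or a cache file that group or others can access. The function names and the cache-type prefixes (MIT Kerberos conventions) are assumptions, not taken from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a KRB5CCNAME value.
# Assumption: cache-type prefixes follow MIT Kerberos (FILE:, DIR:, KEYRING:, ...).

# classify_ccname VALUE -> prints unset | relative-file | absolute-file | non-file
classify_ccname() {
    val=$1
    [ -n "$val" ] || { echo unset; return 0; }
    case $val in
        FILE:*) path=${val#FILE:} ;;
        DIR:*|KEYRING:*|KCM:*|MEMORY:*|API:*) echo non-file; return 0 ;;
        *) path=$val ;;              # a bare value is treated as a FILE path
    esac
    case $path in
        /*) echo absolute-file ;;
        *)  echo relative-file ;;    # e.g. "none": resolved against the current directory
    esac
}

# audit_ccname VALUE [DIR] -> prints findings; returns 1 if any check fails.
# DIR is the directory a relative cache name would resolve against (default: .).
audit_ccname() {
    val=$1; dir=${2:-.}
    kind=$(classify_ccname "$val")
    rc=0
    case $kind in
        relative-file)
            echo "FAIL: KRB5CCNAME='$val' is relative; ticket cache lands in $dir"
            rc=1
            file=$dir/${val#FILE:} ;;
        absolute-file)
            file=${val#FILE:} ;;
        *)
            echo "OK: $kind (no file cache path to check)"
            return 0 ;;
    esac
    if [ -f "$file" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        mode=$(ls -ld "$file" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "FAIL: $file is accessible to group or others"
            rc=1
        fi
    fi
    return $rc
}
```

Source the file in a login session and call `audit_ccname "$KRB5CCNAME" "$PWD"`; a non-zero return means the cache name or its file permissions need attention.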
Consequences:
Obtain Information
Remedy:
Upgrade to the latest version of SSH (1.2.28 or later), available from the SSH Download site. See References.
References:
- BugTraq Mailing List, Sat Jul 01 2000 - 00:11:09 CDT: Kerberos security vulnerability in SSH-1.2.27.
- SSH Communications Security Web site: SSH Secure Shell Download.
- BID-1426: SSH 1.2.27 Kerberos Ticket Cache Exposure Vulnerability
- CVE-2000-0575: SSH 1.2.27 with Kerberos authentication support stores Kerberos tickets in a file which is created in the current directory of the user who is logging in, which could allow remote attackers to sniff the ticket cache if the home directory is installed on NFS.
Platforms Affected:
- SSH SSH 1.2.27
Reported:
Jun 30, 2000
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
