Title: SSH 1.2.27 Kerberos Ticket Cache Exposure Vulnerability
Severity: MODERATE
Description:
A vulnerability exists in SSH 1.2.27 when it is compiled with Kerberos support. When a user logs in, the sshd process sets the KRB5CCNAME environment variable to 'none'. Kerberos uses this variable to locate the credential cache. Normally, the cache is created in /tmp, or somewhere else on the local filesystem, to prevent Kerberos credentials from being passed over the network through NFS or some other insecure protocol. Because the value does not explicitly set a path, the path is always ".", the current working directory. As a result, if a user uses Kerberos at any point during their ssh session (from the machine they ssh'd in to), a file named 'none' containing their Kerberos credentials will be created in whatever directory they are in. This may lead to the credentials residing on an NFS volume, where others could read them, or being created in a location to which other users have access.
Affected Products:
- SSH Communications Security SSH 1.2.27
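The following audit sketch is an added example, not part of the original advisory: it classifies a KRB5CCNAME value to show where a file-based cache would land, and walks a directory tree for files named 'none' that begin with a Kerberos 5 file credential cache header so they can be removed. The function names, the sample paths, and the header check (first byte 0x05, second byte a format version from 1 to 4, as in the MIT krb5 FILE cache format) are assumptions of the example.

```python
import os
import stat

# Cache types that keep tickets outside the filesystem (assumed list, MIT krb5 names).
NON_FILE_TYPES = {"MEMORY", "KEYRING", "KCM", "API"}

def classify_ccname(value, cwd):
    """Return (type, resolved_path, is_relative) for a KRB5CCNAME value."""
    ctype, sep, residual = value.partition(":")
    if not sep or ctype.upper() not in NON_FILE_TYPES | {"FILE", "DIR"}:
        # No recognised TYPE: prefix, so the whole value is a FILE path.
        ctype, residual = "FILE", value
    ctype = ctype.upper()
    if ctype in NON_FILE_TYPES:
        return ctype, None, False
    relative = not os.path.isabs(residual)
    return ctype, os.path.normpath(os.path.join(cwd, residual)), relative

def looks_like_ccache(path):
    """True if path is a regular file starting with a FILE ccache header."""
    try:
        if not stat.S_ISREG(os.lstat(path).st_mode):
            return False  # skip symlinks, FIFOs and devices
        with open(path, "rb") as fh:
            head = fh.read(2)
    except OSError:
        return False
    return len(head) == 2 and head[0] == 5 and 1 <= head[1] <= 4

def find_stray_caches(root, name="none"):
    """List (path, readable_by_others) for files called `name` under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if name not in files:
            continue
        path = os.path.join(dirpath, name)
        if looks_like_ccache(path):
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            hits.append((path, bool(mode & 0o077)))
    return sorted(hits)

if __name__ == "__main__":
    # Report where the current session's cache would be written.
    value = os.environ.get("KRB5CCNAME", "")
    if value:
        print(classify_ccname(value, os.getcwd()))
    for path, exposed in find_stray_caches(os.path.expanduser("~")):
        print(path, "group/other accessible" if exposed else "owner only")
```

A relative result from classify_ccname means the cache follows the user's working directory, which is the condition the advisory describes.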