SSH 1.2.27 Kerberos Ticket Cache Exposure Vulnerability

A vulnerability exists in SSH 1.2.27, when compiled with Kerberos support. When logging in, the sshd process sets the KRB5CCNAME to 'none'. This environment variable is used by Kerberos to set the location of the credential cache. Normally, the cache is created in /tmp, or somewhere on the local filesystem, to prevent Kerberos credentials from being passed over the network through NFS, or some other insecure protocol. As the environment variable does not explicitly set a path, it is always ".". As such, if a user uses Kerberos at any point during their ssh session (from the machine they ssh'd in to), a file named 'none' will be created in whatever directory they are in, containing their Kerberos credentials. This may lead to this data residing on an NFS volume, which could allow others to read it, or may create it in a location where other users have access to it.


Privacy Statement
Copyright 2010, SecurityFocus