ID CVE-2005-2798
Summary sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.
References
Vulnerable Configurations
  • OpenBSD OpenSSH 3.0
    cpe:2.3:a:openbsd:openssh:3.0
  • OpenBSD OpenSSH 3.0.1
    cpe:2.3:a:openbsd:openssh:3.0.1
  • OpenBSD OpenSSH 3.0.1 p1
    cpe:2.3:a:openbsd:openssh:3.0.1p1
  • OpenBSD OpenSSH 3.0.2
    cpe:2.3:a:openbsd:openssh:3.0.2
  • OpenBSD OpenSSH 3.0.2p1
    cpe:2.3:a:openbsd:openssh:3.0.2p1
  • OpenBSD OpenSSH 3.0 p1
    cpe:2.3:a:openbsd:openssh:3.0p1
  • OpenBSD OpenSSH 3.1
    cpe:2.3:a:openbsd:openssh:3.1
  • OpenBSD OpenSSH 3.1 p1
    cpe:2.3:a:openbsd:openssh:3.1p1
  • OpenBSD OpenSSH 3.2
    cpe:2.3:a:openbsd:openssh:3.2
  • OpenBSD OpenSSH 3.2.2 p1
    cpe:2.3:a:openbsd:openssh:3.2.2p1
  • OpenBSD OpenSSH 3.2.3 p1
    cpe:2.3:a:openbsd:openssh:3.2.3p1
  • OpenBSD OpenSSH 3.3
    cpe:2.3:a:openbsd:openssh:3.3
  • OpenBSD OpenSSH 3.3 p1
    cpe:2.3:a:openbsd:openssh:3.3p1
  • OpenBSD OpenSSH 3.4
    cpe:2.3:a:openbsd:openssh:3.4
  • OpenBSD OpenSSH 3.4 p1
    cpe:2.3:a:openbsd:openssh:3.4p1
  • OpenBSD OpenSSH 3.5
    cpe:2.3:a:openbsd:openssh:3.5
  • OpenBSD OpenSSH 3.5 p1
    cpe:2.3:a:openbsd:openssh:3.5p1
  • OpenBSD OpenSSH 3.6
    cpe:2.3:a:openbsd:openssh:3.6
  • OpenBSD OpenSSH 3.6.1
    cpe:2.3:a:openbsd:openssh:3.6.1
  • OpenBSD OpenSSH 3.6.1 p1
    cpe:2.3:a:openbsd:openssh:3.6.1p1
  • OpenBSD OpenSSH 3.6.1 p2
    cpe:2.3:a:openbsd:openssh:3.6.1p2
  • OpenBSD OpenSSH 3.7
    cpe:2.3:a:openbsd:openssh:3.7
  • OpenBSD OpenSSH 3.7.1
    cpe:2.3:a:openbsd:openssh:3.7.1
  • OpenBSD OpenSSH 3.7.1 p2
    cpe:2.3:a:openbsd:openssh:3.7.1p2
  • OpenBSD OpenSSH 3.8
    cpe:2.3:a:openbsd:openssh:3.8
  • OpenBSD OpenSSH 3.8.1
    cpe:2.3:a:openbsd:openssh:3.8.1
  • OpenBSD OpenSSH 3.8.1 p1
    cpe:2.3:a:openbsd:openssh:3.8.1p1
  • OpenBSD OpenSSH 3.9
    cpe:2.3:a:openbsd:openssh:3.9
  • OpenBSD OpenSSH 3.9.1
    cpe:2.3:a:openbsd:openssh:3.9.1
  • OpenBSD OpenSSH 3.9.1 p1
    cpe:2.3:a:openbsd:openssh:3.9.1p1
  • OpenBSD OpenSSH Portable 4.0.p1
    cpe:2.3:a:openbsd:openssh:4.0p1
  • OpenBSD OpenSSH Portable 4.1.p1
    cpe:2.3:a:openbsd:openssh:4.1p1
CVSS
Base: 5.0 (as of 06-09-2005 - 13:17)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-209-1.NASL
    description An information disclosure vulnerability has been found in the SSH server. When the GSSAPIAuthentication option was enabled, the SSH server could send GSSAPI credentials even to users who attempted to log in with a method other than GSSAPI. This could inadvertently expose these credentials to an untrusted user. Please note that this does not affect the default configuration of the SSH server. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 20626
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20626
    title Ubuntu 4.10 / 5.04 : openssh vulnerability (USN-209-1)
  • NASL family HP-UX Local Security Checks
    NASL id HPUX_PHSS_34567.NASL
    description s700_800 11.04 Virtualvault 4.6 OpenSSH update : A potential security vulnerability has been identified with HP-UX running Secure Shell. The vulnerability could be remotely exploited to allow a remote unauthorized user to create a Denial of Service (DoS).
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 21714
    published 2006-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21714
    title HP-UX PHSS_34567 : HP-UX Secure Shell Remote Denial of Service (DoS) (HPSBUX02090 SSRT051058 rev.2)
  • NASL family HP-UX Local Security Checks
    NASL id HPUX_PHSS_34566.NASL
    description s700_800 11.04 Virtualvault 4.7 OpenSSH update : A potential security vulnerability has been identified with HP-UX running Secure Shell. The vulnerability could be remotely exploited to allow a remote unauthorized user to create a Denial of Service (DoS).
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 21713
    published 2006-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21713
    title HP-UX PHSS_34566 : HP-UX Secure Shell Remote Denial of Service (DoS) (HPSBUX02090 SSRT051058 rev.2)
  • NASL family Misc.
    NASL id JUNIPER_NSM_2012_1.NASL
    description According to the version of one or more Juniper NSM servers running on the remote host, it is potentially vulnerable to multiple vulnerabilities, the worst of which may allow an authenticated user to trigger a denial of service condition or execute arbitrary code.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 69872
    published 2013-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69872
    title Juniper NSM Servers < 2012.1 Multiple Vulnerabilities
  • NASL family Misc.
    NASL id OPENSSH_42.NASL
    description According to its banner, the version of OpenSSH installed on the remote host has the following vulnerabilities : - X11 forwarding may be enabled unintentionally when multiple forwarding requests are made on the same session, or when an X11 listener is orphaned after a session goes away. (CVE-2005-2797) - GSSAPI credentials may be delegated to users who log in using something other than GSSAPI authentication if 'GSSAPIDelegateCredentials' is enabled. (CVE-2005-2798) - Attempting to log in as a nonexistent user causes the authentication process to hang, which could be exploited to enumerate valid user accounts. Only OpenSSH on Mac OS X 10.4.x is affected. (CVE-2006-0393) - Repeatedly attempting to log in as a nonexistent user could result in a denial of service. Only OpenSSH on Mac OS X 10.4.x is affected. (CVE-2006-0393)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 19592
    published 2005-09-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19592
    title OpenSSH < 4.2 Multiple Vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-172.NASL
    description Sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts. GSSAPI is only enabled in versions of openssh shipped in LE2005 and greater. The updated packages have been patched to correct this issue.
    last seen 2017-10-29
    modified 2012-09-07
    plugin id 20426
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20426
    title MDKSA-2005:172 : openssh
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-527.NASL
    description Updated openssh packages that fix a security issue, bugs, and add support for recording login user IDs for audit are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. An error in the way OpenSSH handled GSSAPI credential delegation was discovered. OpenSSH as distributed with Red Hat Enterprise Linux 4 contains support for GSSAPI user authentication, typically used for supporting Kerberos. On OpenSSH installations which have GSSAPI enabled, this flaw could allow a user who sucessfully authenticates using a method other than GSSAPI to be delegated with GSSAPI credentials. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2798 to this issue. Additionally, the following bugs have been addressed : The ssh command incorrectly failed when it was issued by the root user with a non-default group set. The sshd daemon could fail to properly close the client connection if multiple X clients were forwarded over the connection and the client session exited. The sshd daemon could bind only on the IPv6 address family for X forwarding if the port on IPv4 address family was already bound. The X forwarding did not work in such cases. This update also adds support for recording login user IDs for the auditing service. The user ID is attached to the audit records generated from the user's session. All users of openssh should upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 67028
    published 2013-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67028
    title CentOS 4 : openssh (CESA-2005:527)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-527.NASL
    description Updated openssh packages that fix a security issue, bugs, and add support for recording login user IDs for audit are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. An error in the way OpenSSH handled GSSAPI credential delegation was discovered. OpenSSH as distributed with Red Hat Enterprise Linux 4 contains support for GSSAPI user authentication, typically used for supporting Kerberos. On OpenSSH installations which have GSSAPI enabled, this flaw could allow a user who sucessfully authenticates using a method other than GSSAPI to be delegated with GSSAPI credentials. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2798 to this issue. Additionally, the following bugs have been addressed : The ssh command incorrectly failed when it was issued by the root user with a non-default group set. The sshd daemon could fail to properly close the client connection if multiple X clients were forwarded over the connection and the client session exited. The sshd daemon could bind only on the IPv6 address family for X forwarding if the port on IPv4 address family was already bound. The X forwarding did not work in such cases. This update also adds support for recording login user IDs for the auditing service. The user ID is attached to the audit records generated from the user's session. All users of openssh should upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 19990
    published 2005-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19990
    title RHEL 4 : openssh (RHSA-2005:527)
  • NASL family Misc.
    NASL id SUNSSH_PLAINTEXT_RECOVERY.NASL
    description The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 55992
    published 2011-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55992
    title SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
oval via4
  • accepted 2006-02-22T08:27:00.000-04:00
    class vulnerability
    contributors
    name Robert L. Hollis
    organization ThreatGuard, Inc.
    description sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.
    family unix
    id oval:org.mitre.oval:def:1345
    status accepted
    submitted 2006-01-11T12:55:00.000-04:00
    title Leaking GSSAPI Credentials Vulnerability (B.11.23)
    version 32
  • accepted 2006-02-22T08:27:00.000-04:00
    class vulnerability
    contributors
    name Robert L. Hollis
    organization ThreatGuard, Inc.
    description sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.
    family unix
    id oval:org.mitre.oval:def:1566
    status accepted
    submitted 2006-01-11T12:55:00.000-04:00
    title Leaking GSSAPI Credentials Vulnerability (B.11.00/B.11.11)
    version 31
  • accepted 2013-04-29T04:21:34.298-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    description sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.
    family unix
    id oval:org.mitre.oval:def:9717
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.
    version 23
redhat via4
advisories
rhsa
id RHSA-2005:527
refmap via4
bid 14729
confirm
hp
  • HPSBUX02090
  • SSRT051058
mandriva MDKSA-2005:172
mlist [openssh-unix-announce] 20050901 Announce: OpenSSH 4.2 released
osvdb 19141
sco SCOSA-2005.53
sectrack 1014845
secunia
  • 16686
  • 17077
  • 17245
  • 18010
  • 18406
  • 18507
  • 18661
  • 18717
suse SUSE-SR:2006:003
ubuntu USN-209-1
vupen ADV-2006-0144
xf hpux-secure-shell-dos(24064)
statements via4
contributor Joshua Bressers
lastmodified 2006-11-20
organization Red Hat
statement This issue does not affect Red Hat Enterprise Linux 2.1 and 3. This flaw was fixed in Red Hat Enterprise Linux 4 via errata RHSA-2005:527: http://rhn.redhat.com/errata/RHSA-2005-527.html
Last major update 07-12-2016 - 22:00
Published 06-09-2005 - 13:03
Last modified 19-10-2018 - 11:33
Back to Top