ID CVE-2012-0814
Summary The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory.
References
Vulnerable Configurations
  • OpenBSD OpenSSH 5.6
    cpe:2.3:a:openbsd:openssh:5.6
  • OpenBSD OpenSSH 5.5
    cpe:2.3:a:openbsd:openssh:5.5
  • OpenBSD OpenSSH 5.4
    cpe:2.3:a:openbsd:openssh:5.4
  • OpenBSD OpenSSH 5.3
    cpe:2.3:a:openbsd:openssh:5.3
  • OpenBSD OpenSSH 5.2
    cpe:2.3:a:openbsd:openssh:5.2
  • OpenBSD OpenSSH 5.1
    cpe:2.3:a:openbsd:openssh:5.1
  • OpenBSD OpenSSH 5.0
    cpe:2.3:a:openbsd:openssh:5.0
  • OpenBSD OpenSSH 4.6
    cpe:2.3:a:openbsd:openssh:4.6
  • OpenBSD OpenSSH 4.5
    cpe:2.3:a:openbsd:openssh:4.5
  • OpenBSD OpenSSH Portable 4.0.p1
    cpe:2.3:a:openbsd:openssh:4.0p1
  • OpenBSD OpenSSH Portable 4.2.p1
    cpe:2.3:a:openbsd:openssh:4.2p1
  • OpenBSD OpenSSH Portable 4.1.p1
    cpe:2.3:a:openbsd:openssh:4.1p1
  • OpenBSD OpenSSH Portable 4.3.p2
    cpe:2.3:a:openbsd:openssh:4.3p2
  • OpenBSD OpenSSH Portable 4.3.p1
    cpe:2.3:a:openbsd:openssh:4.3p1
  • OpenBSD OpenSSH Portable 4.4.p1
    cpe:2.3:a:openbsd:openssh:4.4p1
  • OpenBSD OpenSSH 4.0
    cpe:2.3:a:openbsd:openssh:4.0
  • OpenBSD OpenSSH 4.1
    cpe:2.3:a:openbsd:openssh:4.1
  • OpenBSD OpenSSH 4.2
    cpe:2.3:a:openbsd:openssh:4.2
  • OpenBSD OpenSSH 4.3
    cpe:2.3:a:openbsd:openssh:4.3
  • OpenBSD OpenSSH 4.4
    cpe:2.3:a:openbsd:openssh:4.4
  • OpenBSD OpenSSH 4.9
    cpe:2.3:a:openbsd:openssh:4.9
  • OpenBSD OpenSSH 4.8
    cpe:2.3:a:openbsd:openssh:4.8
  • OpenBSD OpenSSH 4.7
    cpe:2.3:a:openbsd:openssh:4.7
  • OpenBSD OpenSSH 3.7.1 p2
    cpe:2.3:a:openbsd:openssh:3.7.1p2
  • OpenBSD OpenSSH 3.8
    cpe:2.3:a:openbsd:openssh:3.8
  • OpenBSD OpenSSH 3.8.1
    cpe:2.3:a:openbsd:openssh:3.8.1
  • OpenBSD OpenSSH 3.8.1 p1
    cpe:2.3:a:openbsd:openssh:3.8.1p1
  • OpenBSD OpenSSH 3.9
    cpe:2.3:a:openbsd:openssh:3.9
  • OpenBSD OpenSSH 3.9.1
    cpe:2.3:a:openbsd:openssh:3.9.1
  • OpenBSD OpenSSH 3.9.1 p1
    cpe:2.3:a:openbsd:openssh:3.9.1p1
  • OpenBSD OpenSSH 3.0.2p1
    cpe:2.3:a:openbsd:openssh:3.0.2p1
  • OpenBSD OpenSSH 3.1
    cpe:2.3:a:openbsd:openssh:3.1
  • OpenBSD OpenSSH 3.2
    cpe:2.3:a:openbsd:openssh:3.2
  • OpenBSD OpenSSH 3.1 p1
    cpe:2.3:a:openbsd:openssh:3.1p1
  • OpenBSD OpenSSH 3.0.1
    cpe:2.3:a:openbsd:openssh:3.0.1
  • OpenBSD OpenSSH 3.0 p1
    cpe:2.3:a:openbsd:openssh:3.0p1
  • OpenBSD OpenSSH 3.0.2
    cpe:2.3:a:openbsd:openssh:3.0.2
  • OpenBSD OpenSSH 3.0.1 p1
    cpe:2.3:a:openbsd:openssh:3.0.1p1
  • OpenBSD OpenSSH 3.0
    cpe:2.3:a:openbsd:openssh:3.0
  • OpenBSD OpenSSH 3.6.1 p2
    cpe:2.3:a:openbsd:openssh:3.6.1p2
  • OpenBSD OpenSSH 3.7
    cpe:2.3:a:openbsd:openssh:3.7
  • OpenBSD OpenSSH 3.7.1
    cpe:2.3:a:openbsd:openssh:3.7.1
  • OpenBSD OpenSSH 3.7.1 p1
    cpe:2.3:a:openbsd:openssh:3.7.1p1
  • OpenBSD OpenSSH 3.5 p1
    cpe:2.3:a:openbsd:openssh:3.5p1
  • OpenBSD OpenSSH 3.6
    cpe:2.3:a:openbsd:openssh:3.6
  • OpenBSD OpenSSH 3.6.1
    cpe:2.3:a:openbsd:openssh:3.6.1
  • OpenBSD OpenSSH 3.6.1 p1
    cpe:2.3:a:openbsd:openssh:3.6.1p1
  • OpenBSD OpenSSH 3.3 p1
    cpe:2.3:a:openbsd:openssh:3.3p1
  • OpenBSD OpenSSH 3.4
    cpe:2.3:a:openbsd:openssh:3.4
  • OpenBSD OpenSSH 3.4 p1
    cpe:2.3:a:openbsd:openssh:3.4p1
  • OpenBSD OpenSSH 3.5
    cpe:2.3:a:openbsd:openssh:3.5
  • OpenBSD OpenSSH 3.2.2
    cpe:2.3:a:openbsd:openssh:3.2.2
  • OpenBSD OpenSSH 3.2.2 p1
    cpe:2.3:a:openbsd:openssh:3.2.2p1
  • OpenBSD OpenSSH 3.2.3 p1
    cpe:2.3:a:openbsd:openssh:3.2.3p1
  • OpenBSD OpenSSH 3.3
    cpe:2.3:a:openbsd:openssh:3.3
  • OpenBSD OpenSSH 2.3.1
    cpe:2.3:a:openbsd:openssh:2.3.1
  • OpenBSD OpenSSH 2.3
    cpe:2.3:a:openbsd:openssh:2.3
  • OpenBSD OpenSSH 2.5
    cpe:2.3:a:openbsd:openssh:2.5
  • OpenBSD OpenSSH 2.1.1
    cpe:2.3:a:openbsd:openssh:2.1.1
  • OpenBSD OpenSSH 2.2
    cpe:2.3:a:openbsd:openssh:2.2
  • OpenBSD OpenSSH 2
    cpe:2.3:a:openbsd:openssh:2
  • OpenBSD OpenSSH 2.1
    cpe:2.3:a:openbsd:openssh:2.1
  • OpenBSD OpenSSH 2.9.9
    cpe:2.3:a:openbsd:openssh:2.9.9
  • OpenBSD OpenSSH 2.9 p2
    cpe:2.3:a:openbsd:openssh:2.9p2
  • OpenBSD OpenSSH 2.9.9 p2
    cpe:2.3:a:openbsd:openssh:2.9.9p2
  • OpenBSD OpenSSH 2.5.2
    cpe:2.3:a:openbsd:openssh:2.5.2
  • OpenBSD OpenSSH 2.5.1
    cpe:2.3:a:openbsd:openssh:2.5.1
  • OpenBSD OpenSSH 2.9 p1
    cpe:2.3:a:openbsd:openssh:2.9p1
  • OpenBSD OpenSSH 2.9
    cpe:2.3:a:openbsd:openssh:2.9
  • OpenBSD OpenSSH 1.5.7
    cpe:2.3:a:openbsd:openssh:1.5.7
  • OpenBSD OpenSSH 1.5.8
    cpe:2.3:a:openbsd:openssh:1.5.8
  • OpenBSD OpenSSH 1.3
    cpe:2.3:a:openbsd:openssh:1.3
  • OpenBSD OpenSSH 1.5
    cpe:2.3:a:openbsd:openssh:1.5
  • OpenBSD OpenSSH 1.2.27
    cpe:2.3:a:openbsd:openssh:1.2.27
  • OpenBSD OpenSSH 1.2.3
    cpe:2.3:a:openbsd:openssh:1.2.3
  • OpenBSD OpenSSH 1.2.1
    cpe:2.3:a:openbsd:openssh:1.2.1
  • OpenBSD OpenSSH 1.2.2
    cpe:2.3:a:openbsd:openssh:1.2.2
  • OpenBSD OpenSSH 1.2
    cpe:2.3:a:openbsd:openssh:1.2
CVSS
Base: 3.5 (as of 30-01-2012 - 10:58)
Impact:
Exploitability:
CWE CWE-255
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: SINGLE_INSTANCE
Impact
  • Confidentiality: PARTIAL
  • Integrity: NONE
  • Availability: NONE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_OPENSSH-120813.NASL
    description This collective security update of openssh fixes multiple security issues : - memory exhaustion in gssapi due to integer overflow. (bnc#756370, CVE-2011-5000) - forced command option information leak (bnc#744643, CVE-2012-0814) Additionally, the following bug has been fixed : - server-side delay upon user exiting a ssh session, due to DNS queries from libaudit. (bnc#752354)
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 64211
    published 2013-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64211
    title SuSE 11.1 Security Update : openssh (SAT Patch Number 6672)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_OPENSSH-8248.NASL
    description This collective security update of openssh fixed multiple security issues : - memory exhaustion in gssapi due to integer overflow. (bnc#756370, CVE-2011-5000) - forced command option information leak (bnc#744643, CVE-2012-0814)
    last seen 2019-02-21
    modified 2012-08-28
    plugin id 61695
    published 2012-08-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61695
    title SuSE 10 Security Update : openssh (ZYPP Patch Number 8248)
  • NASL family Misc.
    NASL id OPENSSH_57.NASL
    description According to its banner, the version of OpenSSH running on the remote host is earlier than 5.7. Versions before 5.7 may be affected by the following vulnerabilities : - A security bypass vulnerability because OpenSSH does not properly validate the public parameters in the J-PAKE protocol. This could allow an attacker to authenticate without the shared secret. Note that this issue is only exploitable when OpenSSH is built with J-PAKE support, which is currently experimental and disabled by default, and that Nessus has not checked whether J-PAKE support is indeed enabled. (CVE-2010-4478) - The auth_parse_options function in auth-options.c in sshd provides debug messages containing authorized_keys command options, which allows remote, authenticated users to obtain potentially sensitive information by reading these messages. (CVE-2012-0814)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 44081
    published 2011-10-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44081
    title OpenSSH < 5.7 Multiple Vulnerabilities
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201405-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-201405-06 (OpenSSH: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in OpenSSH. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could execute arbitrary code, cause a Denial of Service condition, obtain sensitive information, or bypass environment restrictions. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-13
    plugin id 73958
    published 2014-05-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73958
    title GLSA-201405-06 : OpenSSH: Multiple vulnerabilities
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_SSH_20130716.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory. (CVE-2012-0814)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 80775
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80775
    title Oracle Solaris Third-Party Patch Update : ssh (cve_2010_5107_denial_of)
refmap via4
bid 51702
confirm
mlist
  • [oss-security] 20120126 CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients
  • [oss-security] 20120126 Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients
  • [oss-security] 20120127 Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients
osvdb 78706
xf opensshserver-commands-info-disc(72756)
Last major update 07-12-2016 - 22:02
Published 27-01-2012 - 14:55
Last modified 28-08-2017 - 21:31