sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.

The installed version of OpenSSH is prior to 4.2 and is affected by the following vulnerabilities:

 - X11 forwarding may be enabled unintentionally when multiple forwarding requests are made on the same session, or when an X11 listener is orphaned after a session goes away. (CVE-2005-2797)
 - GSSAPI credentials may be delegated to users who log in using something other than GSSAPI authentication if 'GSSAPIDelegateCredentials' is enabled. (CVE-2005-2798)

According to the version of one or more Juniper NSM servers running on the remote host, it is potentially vulnerable to multiple vulnerabilities, the worst of which may allow an authenticated user to trigger a denial of service condition or execute arbitrary code.

Updated openssh packages that fix a security issue, bugs, and add support for recording login user IDs for audit are now available for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation.

An error in the way OpenSSH handled GSSAPI credential delegation was discovered. OpenSSH as distributed with Red Hat Enterprise Linux 4 contains support for GSSAPI user authentication, typically used for supporting Kerberos. On OpenSSH installations which have GSSAPI enabled, this flaw could allow a user who sucessfully authenticates using a method other than GSSAPI to be delegated with GSSAPI credentials. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2798 to this issue.

Additionally, the following bugs have been addressed :

The ssh command incorrectly failed when it was issued by the root user with a non-default group set.

The sshd daemon could fail to properly close the client connection if multiple X clients were forwarded over the connection and the client session exited.

The sshd daemon could bind only on the IPv6 address family for X forwarding if the port on IPv4 address family was already bound. The X forwarding did not work in such cases.

This update also adds support for recording login user IDs for the auditing service. The user ID is attached to the audit records generated from the user's session.

All users of openssh should upgrade to these updated packages, which contain backported patches to resolve these issues.

The version of SunSSH running on the remote host has an information disclosure vulnerability.  A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration.  An attacker could exploit this to gain access to sensitive information.

Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.

s700_800 11.04 Virtualvault 4.6 OpenSSH update : 

A potential security vulnerability has been identified with HP-UX running Secure Shell. The vulnerability could be remotely exploited to allow a remote unauthorized user to create a Denial of Service (DoS).

s700_800 11.04 Virtualvault 4.7 OpenSSH update : 

A potential security vulnerability has been identified with HP-UX running Secure Shell. The vulnerability could be remotely exploited to allow a remote unauthorized user to create a Denial of Service (DoS).

An information disclosure vulnerability has been found in the SSH server. When the GSSAPIAuthentication option was enabled, the SSH server could send GSSAPI credentials even to users who attempted to log in with a method other than GSSAPI. This could inadvertently expose these credentials to an untrusted user.

Please note that this does not affect the default configuration of the SSH server.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2005:527 advisory.

  - security flaw (CVE-2005-2798)

  - openssh may set DISPLAY even if it's unable to listen on respective port (CVE-2008-1483)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of OpenSSH installed on the remote host has the following vulnerabilities :

  - X11 forwarding may be enabled unintentionally when     multiple forwarding requests are made on the same session,     or when an X11 listener is orphaned after a session goes     away. (CVE-2005-2797)

  - GSSAPI credentials may be delegated to users who     log in using something other than GSSAPI authentication     if 'GSSAPIDelegateCredentials' is enabled. (CVE-2005-2798)

  - Attempting to log in as a nonexistent user causes     the authentication process to hang, which could     be exploited to enumerate valid user accounts.
    Only OpenSSH on Mac OS X 10.4.x is affected.
    (CVE-2006-0393)

  - Repeatedly attempting to log in as a nonexistent     user could result in a denial of service.
    Only OpenSSH on Mac OS X 10.4.x is affected.
    (CVE-2006-0393)

The remote host is running a version of OpenSSH which is vulnerable to a flaw in the way that it handles GSSAPI authentication.  Specifically, if GSSAPI is enabled and 'GSSAPIDelegateCredentials' is enabled, an attacker may gain access to GSSAPI credentials.

Note: NNM has solely relied on the banner of the SSH client to perform this check. Any backported patches or workarounds such as recompiling or edited configurations are not observable through the banner.  

ID	Name	Product	Family	Severity
701166	OpenSSH < 4.2 Multiple Vulnerabilities	Nessus Network Monitor	SSH	medium
69872	Juniper NSM Servers < 2012.1 Multiple Vulnerabilities	Nessus	Misc.	high
67028	CentOS 4 : openssh (CESA-2005:527)	Nessus	CentOS Local Security Checks	medium
55992	SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure	Nessus	Misc.	critical
21714	HP-UX PHSS_34567 : HP-UX Secure Shell Remote Denial of Service (DoS) (HPSBUX02090 SSRT051058 rev.2)	Nessus	HP-UX Local Security Checks	high
21713	HP-UX PHSS_34566 : HP-UX Secure Shell Remote Denial of Service (DoS) (HPSBUX02090 SSRT051058 rev.2)	Nessus	HP-UX Local Security Checks	high
20626	Ubuntu 4.10 / 5.04 : openssh vulnerability (USN-209-1)	Nessus	Ubuntu Local Security Checks	medium
19990	RHEL 4 : openssh (RHSA-2005:527)	Nessus	Red Hat Local Security Checks	medium
19592	OpenSSH < 4.2 Multiple Vulnerabilities	Nessus	Misc.	low
3205	OpenSSH < 4.2p1 GSSAPI Authentication Credential Escalation	Nessus Network Monitor	SSH	medium

Detections

Analytics

CVE-2005-2798

critical

Tenable Plugins

medium

high

medium

critical

high

high

medium

medium

low

medium