| The Vigil@nce team watches vulnerabilities impacting your computers, and then offers solutions, a database and tools to correct them. |
vulnerability alert CVE-2012-0814
OpenSSH: information disclosure via Forced Command
Synthesis of the vulnerability
When an OpenSSH server defines Forced Commands, an authenticated attacker can obtain information on the commands of other users.
Severity: 1/4.
Creation date: 30/01/2012.
Description of the vulnerability
The Forced Command feature of OpenSSH is used to define the command to execute when a given RSA key is used for authentication. For example:
command="/bin/echo Here is a message" rsa_key
When there are several Forced Commands, the configuration file for example contains:
command="/bin/echo Hello one" rsa_key1
command="/bin/echo Hello two" rsa_key2
command="/bin/echo Hello three" rsa_key3
The "-v" (verbose) option of the SSH client displays the server's debug messages on the client side. However, these debug messages contain the Forced Commands of all keys in the file, not only the one used to authenticate. So, the user of rsa_key3 will learn the commands of both previous users.
When an OpenSSH server defines Forced Commands, an authenticated attacker can therefore obtain information on the commands of other users.
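Because an unpatched server reveals every forced command to any authenticated key holder, the defender's first step is to know which commands the authorized_keys file actually carries and whether they embed anything sensitive. The following parser is an added example, not part of the Vigil@nce bulletin or of OpenSSH: it reads authorized_keys lines in the format shown above (comma-separated options, quoted values that may contain spaces, commas and backslash-escaped quotes, then key type, key data and comment) and inventories the `command=` entries. The sample file and all key material are constructed placeholders, not real keys; the `restrict` option it checks for exists in recent OpenSSH releases, so the audit helper treats its absence as a finding to review rather than a defect.

```python
"""Inventory OpenSSH forced commands in an authorized_keys file.

Added example, not code from the bulletin or from OpenSSH. The sample
below is constructed; the key data are placeholders, not real keys.
"""
import re
from dataclasses import dataclass, field

# Key types recognised at the start of a line (no options present).
KEY_TYPE_RE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")

# Constructed sample authorized_keys content (placeholder key data).
SAMPLE = """\
# constructed sample, not real keys
command="/bin/echo Hello one" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCEXAMPLEKEYONE user1
command="/bin/echo Hello two",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCEXAMPLEKEYTWO user2
restrict,command="/bin/echo \\"Hello three\\"" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTHREE user3
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYFOUR user4
"""


@dataclass
class AuthorizedKey:
    options: dict = field(default_factory=dict)  # name -> value, or True for flags
    key_type: str = ""
    key_data: str = ""
    comment: str = ""


def split_fields(line):
    """Split on whitespace, but keep double-quoted option values intact."""
    fields, buf, in_quote, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote and i + 1 < len(line) and line[i + 1] == '"':
            buf.extend(['\\', '"'])  # keep the escape for parse_options
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c in " \t" and not in_quote:
            if buf:
                fields.append("".join(buf))
                buf = []
        else:
            buf.append(c)
        i += 1
    if buf:
        fields.append("".join(buf))
    return fields


def parse_options(text):
    """Parse the comma-separated options field of an authorized_keys line.

    Values may be double-quoted (and then contain commas); a backslash
    escapes a double quote inside a quoted value.
    """
    opts, i, n = {}, 0, len(text)
    while i < n:
        j = i
        while j < n and text[j] not in "=,":
            j += 1
        name = text[i:j]
        if j < n and text[j] == "=":
            j += 1
            if j < n and text[j] == '"':
                j += 1
                buf = []
                while j < n and text[j] != '"':
                    if text[j] == "\\" and j + 1 < n and text[j + 1] == '"':
                        j += 1  # escaped quote: keep the quote, drop the backslash
                    buf.append(text[j])
                    j += 1
                value = "".join(buf)
                j += 1  # skip the closing quote
            else:
                k = j
                while k < n and text[k] != ",":
                    k += 1
                value = text[j:k]
                j = k
        else:
            value = True  # flag option such as no-pty or restrict
        opts[name] = value
        if j < n and text[j] == ",":
            j += 1
        i = j
    return opts


def parse_line(line):
    """Return an AuthorizedKey, or None for blank and comment lines."""
    fields = split_fields(line.strip())
    if not fields or fields[0].startswith("#"):
        return None
    key = AuthorizedKey()
    if not KEY_TYPE_RE.match(fields[0]):  # first token is the options field
        key.options = parse_options(fields[0])
        fields = fields[1:]
    if len(fields) < 2:
        raise ValueError("malformed authorized_keys line: %r" % line)
    key.key_type, key.key_data = fields[0], fields[1]
    key.comment = " ".join(fields[2:])
    return key


def forced_commands(text):
    """List (comment, command) for every key that carries command=."""
    out = []
    for line in text.splitlines():
        key = parse_line(line)
        if key and "command" in key.options:
            out.append((key.comment or key.key_type, key.options["command"]))
    return out


def unrestricted_forced_commands(text):
    """Comments of forced-command keys that do not also set 'restrict'."""
    return [
        key.comment
        for key in (parse_line(l) for l in text.splitlines())
        if key and "command" in key.options and "restrict" not in key.options
    ]


if __name__ == "__main__":
    for comment, cmd in forced_commands(SAMPLE):
        print("%-8s %s" % (comment, cmd))
    print("without restrict:", unrestricted_forced_commands(SAMPLE))
```

Run against a real file, the inventory shows exactly the set of commands that, on an affected server, any holder of a listed key could read from the debug output; commands that embed tokens, paths to private data or internal hostnames are the ones to rewrite as wrapper scripts whose contents stay on the server.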
Characteristics
Title: OpenSSH: information disclosure via Forced Command.
Keywords: Command Commands Forced Hello Here OpenSSH RSA SSH disclosure information rsa_key rsa_key1 rsa_key2 rsa_key3.
Identifiers: BID-51702, CVE-2012-0814, VIGILANCE-VUL-11326.