Vulnerability Description
The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openbsd | Openssh | - |
| Redhat | Enterprise Linux | 7.0 |
| Redhat | Fedora | 7 |
Related Weaknesses (CWE)
References
- http://rhn.redhat.com/errata/RHSA-2015-0425.html
- http://thread.gmane.org/gmane.comp.encryption.kerberos.general/15855
- http://www.openwall.com/lists/oss-security/2014/12/02/3
- http://www.openwall.com/lists/oss-security/2014/12/04/17
- http://www.securityfocus.com/bid/71420
- https://bugzilla.mindrot.org/show_bug.cgi?id=1867
- https://bugzilla.redhat.com/show_bug.cgi?id=1169843
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99090
- http://rhn.redhat.com/errata/RHSA-2015-0425.html
- http://thread.gmane.org/gmane.comp.encryption.kerberos.general/15855
- http://www.openwall.com/lists/oss-security/2014/12/02/3
- http://www.openwall.com/lists/oss-security/2014/12/04/17
- http://www.securityfocus.com/bid/71420
- https://bugzilla.mindrot.org/show_bug.cgi?id=1867
- https://bugzilla.redhat.com/show_bug.cgi?id=1169843
FAQ
What is CVE-2014-9278?
CVE-2014-9278 is a vulnerability with a CVSS score of 4.0 (MEDIUM). The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the...
How severe is CVE-2014-9278?
CVE-2014-9278 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-9278?
Check the references section above for vendor advisories and patch information. Affected products include: Openbsd Openssh, Redhat Enterprise Linux, Redhat Fedora.