This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours

Bug 1081338 (CVE-2014-2653)

Summary: CVE-2014-2653 openssh: failure to check DNS SSHFP records in certain scenarios
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jkurik, jrusnack, mattias.ellert, mgrepl, moshiro, pfrields, plautrba, robinlee.sysu, security-response-team, szidek, tmraz
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20140324,reported=20140326,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,rhel-5/openssh=wontfix,rhel-6/openssh=affected,rhel-7/openssh=affected,fedora-all/openssh=affected,cwe=CWE-592
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record.
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 05:15:32 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 1081341, 1081343, 1101171, 1101172    
Bug Blocks: 1081345, 1101912, 1121513    

Description Murray McAllister 2014-03-26 23:51:21 EDT
Matthew Vernon found that the OpenSSH client may fail to check DNS SSHFP records. When using DNS SSHFP records, if the server offers the client a certificate that the client does not accept, the client does not then verify the DNS SSHFP records. A host verification prompt is still displayed before connecting. A malicious server could possibly use this flaw to disable DNS SSHFP checking and trick a client into connecting to it, if the user accepts 'yes' at the host verification prompt.

Original report including a possible patch:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
Comment 1 Murray McAllister 2014-03-26 23:53:00 EDT
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1081341]
Comment 4 Fedora Update System 2014-05-21 19:23:39 EDT
openssh-6.4p1-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2014-06-09 22:51:06 EDT
openssh-6.2p2-8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Martin Prpic 2014-10-06 04:47:18 EDT
IssueDescription:

It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record.
Comment 15 errata-xmlrpc 2014-10-14 03:39:49 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1552 https://rhn.redhat.com/errata/RHSA-2014-1552.html
Comment 16 Huzaifa S. Sidhpurwala 2014-10-16 02:34:33 EDT
Statement:

The Red Hat Security Response Team has rated this issue as having Moderate security impact. This issue is not planned to be fixed in Red Hat Enterprise Linux 5 as it is now in Production 3 Phase of the support and maintenance life cycle, https://access.redhat.com/support/policy/updates/errata/
Comment 22 errata-xmlrpc 2015-03-05 04:27:38 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0425 https://rhn.redhat.com/errata/RHSA-2015-0425.html