Bug 1081338 (CVE-2014-2653)

Summary: CVE-2014-2653 openssh: failure to check DNS SSHFP records in certain scenarios
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jrusnack, mattias.ellert, mgrepl, moshiro, pfrields, plautrba, robinlee.sysu, security-response-team, szidek, tmraz
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:15:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1081341, 1081343, 1101171, 1101172    
Bug Blocks: 1081345, 1101912, 1121513    

Description Murray McAllister 2014-03-27 03:51:21 UTC 
Matthew Vernon found that the OpenSSH client may fail to check DNS SSHFP records. When using DNS SSHFP records, if the server offers the client a certificate that the client does not accept, the client does not then verify the DNS SSHFP records. A host verification prompt is still displayed before connecting. A malicious server could possibly use this flaw to disable DNS SSHFP checking and trick a client into connecting to it, if the user accepts 'yes' at the host verification prompt.

Original report including a possible patch:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
Comment 1 Murray McAllister 2014-03-27 03:53:00 UTC 
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1081341]
Comment 4 Fedora Update System 2014-05-21 23:23:39 UTC 
openssh-6.4p1-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2014-06-10 02:51:06 UTC 
openssh-6.2p2-8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Martin Prpič 2014-10-06 08:47:18 UTC 
IssueDescription:

It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record.
Comment 15 errata-xmlrpc 2014-10-14 07:39:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1552 https://rhn.redhat.com/errata/RHSA-2014-1552.html
Comment 16 Huzaifa S. Sidhpurwala 2014-10-16 06:34:33 UTC 
Statement:

The Red Hat Security Response Team has rated this issue as having Moderate security impact. This issue is not planned to be fixed in Red Hat Enterprise Linux 5 as it is now in Production 3 Phase of the support and maintenance life cycle, https://access.redhat.com/support/policy/updates/errata/
Comment 20 Tomas Hoger 2014-11-12 07:55:36 UTC 
Upstream patch:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshconnect.c#rev1.247
https://github.com/openssh/openssh-portable/commit/7d6a9fb660c808882d064e152d6070ffc3844c3f
Comment 22 errata-xmlrpc 2015-03-05 09:27:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0425 https://rhn.redhat.com/errata/RHSA-2015-0425.html