Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2014-2653 openssh: failure to check DNS SSHFP records in certain scenarios|
|Product:||[Other] Security Response||Reporter:||Murray McAllister <mmcallis>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||jkurik, jrusnack, mattias.ellert, mgrepl, moshiro, pfrields, plautrba, robinlee.sysu, security-response-team, szidek, tmraz|
|Target Milestone:||---||Keywords:||Reopened, Security|
|Fixed In Version:||Doc Type:||Bug Fix|
It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record.
|Last Closed:||2015-03-05 05:15:32 EST||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||1081341, 1081343, 1101171, 1101172|
|Bug Blocks:||1081345, 1101912, 1121513|
Description Murray McAllister 2014-03-26 23:51:21 EDT
Matthew Vernon found that the OpenSSH client may fail to check DNS SSHFP records. When using DNS SSHFP records, if the server offers the client a certificate that the client does not accept, the client does not then verify the DNS SSHFP records. A host verification prompt is still displayed before connecting. A malicious server could possibly use this flaw to disable DNS SSHFP checking and trick a client into connecting to it, if the user accepts 'yes' at the host verification prompt. Original report including a possible patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
Comment 1 Murray McAllister 2014-03-26 23:53:00 EDT
Created openssh tracking bugs for this issue: Affects: fedora-all [bug 1081341]
Comment 4 Fedora Update System 2014-05-21 19:23:39 EDT
openssh-6.4p1-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2014-06-09 22:51:06 EDT
openssh-6.2p2-8.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 Martin Prpic 2014-10-06 04:47:18 EDT
IssueDescription: It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record.
Comment 15 errata-xmlrpc 2014-10-14 03:39:49 EDT
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2014:1552 https://rhn.redhat.com/errata/RHSA-2014-1552.html
Comment 16 Huzaifa S. Sidhpurwala 2014-10-16 02:34:33 EDT
Statement: The Red Hat Security Response Team has rated this issue as having Moderate security impact. This issue is not planned to be fixed in Red Hat Enterprise Linux 5 as it is now in Production 3 Phase of the support and maintenance life cycle, https://access.redhat.com/support/policy/updates/errata/
Comment 20 Tomas Hoger 2014-11-12 02:55:36 EST