Bug 1081338 (CVE-2014-2653) - CVE-2014-2653 openssh: failure to check DNS SSHFP records in certain scenarios
Summary: CVE-2014-2653 openssh: failure to check DNS SSHFP records in certain scenarios
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-2653
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1081341 1081343 1101171 1101172
Blocks: 1081345 1101912 1121513
TreeView+ depends on / blocked
 
Reported: 2014-03-27 03:51 UTC by Murray McAllister
Modified: 2021-02-17 06:44 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record.
Clone Of:
Environment:
Last Closed: 2015-03-05 10:15:32 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1552 0 normal SHIPPED_LIVE Moderate: openssh security, bug fix, and enhancement update 2014-10-14 01:21:23 UTC
Red Hat Product Errata RHSA-2015:0425 0 normal SHIPPED_LIVE Moderate: openssh security, bug fix and enhancement update 2015-03-05 14:26:20 UTC

Description Murray McAllister 2014-03-27 03:51:21 UTC
Matthew Vernon found that the OpenSSH client may fail to check DNS SSHFP records. When using DNS SSHFP records, if the server offers the client a certificate that the client does not accept, the client does not then verify the DNS SSHFP records. A host verification prompt is still displayed before connecting. A malicious server could possibly use this flaw to disable DNS SSHFP checking and trick a client into connecting to it, if the user accepts 'yes' at the host verification prompt.

Original report including a possible patch:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513

Comment 1 Murray McAllister 2014-03-27 03:53:00 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1081341]

Comment 4 Fedora Update System 2014-05-21 23:23:39 UTC
openssh-6.4p1-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2014-06-10 02:51:06 UTC
openssh-6.2p2-8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Martin Prpič 2014-10-06 08:47:18 UTC
IssueDescription:

It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record.

Comment 15 errata-xmlrpc 2014-10-14 07:39:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1552 https://rhn.redhat.com/errata/RHSA-2014-1552.html

Comment 16 Huzaifa S. Sidhpurwala 2014-10-16 06:34:33 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having Moderate security impact. This issue is not planned to be fixed in Red Hat Enterprise Linux 5 as it is now in Production 3 Phase of the support and maintenance life cycle, https://access.redhat.com/support/policy/updates/errata/

Comment 22 errata-xmlrpc 2015-03-05 09:27:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0425 https://rhn.redhat.com/errata/RHSA-2015-0425.html


Note You need to log in before you can comment on or make changes to this bug.