2166916 – openssh: Invalid characters can be included in DNS hostnames via CanonicalizeHostname and CanonicalizePermittedCNAMEs options

Bug 2166916 - openssh: Invalid characters can be included in DNS hostnames via CanonicalizeHostname and CanonicalizePermittedCNAMEs options

Summary: openssh: Invalid characters can be included in DNS hostnames via Canonicalize...

Keywords:
Status:	NEW
Alias:	None
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2166917
TreeView+	depends on / blocked

Reported:	2023-02-03 13:51 UTC by Pedro Sampaio
Modified:	2023-07-08 04:16 UTC (History)
CC List:	25 users (show)
Fixed In Version:	openssh 9.2
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2023-02-03 13:51:39 UTC

In OpenSSH before 9.2, if the CanonicalizeHostname and CanonicalizePermittedCNAMEs options were enabled, and the system/libc resolver did not check   that names in DNS responses were valid, then use of these options could allow an attacker with control of DNS to include invalid characters (possibly including wildcards) in names added to known_hosts files when they were updated. These names would still have to match the CanonicalizePermittedCNAMEs allow-list, so practical exploitation appears unlikely.

References:

https://www.openssh.com/releasenotes.html

Note You need to log in before you can comment on or make changes to this bug.

bdettelb
caswilli
dbelyavs
dffrench
dfreiber
dkuc
fjansen
gzaronik
hkataria
jburrell
jjelen
jkoehler
jmitchel
jtanner
jwon
kaycoth
kshier
micjohns
ngough
psegedy
rgodfrey
rogbas
sthirugn
tsasak
vkumar