oss-sec mailing list archives
CVE request: openssh client does not check SSHFP if server offers certificate
From: Thijs Kinkhorst <thijs () debian org>
Date: Wed, 26 Mar 2014 14:24:04 +0100
Hi,

A vulnerability in OpenSSH's ssh client has been reported in Debian's BTS: https://bugs.debian.org/742513

If the ssh server offers a HostCertificate that the ssh client doesn't accept, then the client doesn't check the DNS for SSHFP records. This is a security problem because it means that a malicious server can disable SSHFP checking by presenting a certificate.

Note that users are still presented the well-known "host verification prompt". Given the prompt will still be shown and the still rather peripheral reliance on SSHFP, we consider this an issue of low severity.

Please assign a CVE name for this issue.

Thanks,
Thijs Kinkhorst
Debian Security Team
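To make the reported behaviour concrete, here is an added model of the client's host-key decision (example code written for this archive page, not OpenSSH's own source): it computes the SSHFP SHA-256 fingerprint of a constructed key blob and shows that, with the reported logic, a rejected certificate ends at the prompt, while the corrected flow falls through to the DNS check. The function names, the `cert_ca` and `skip_sshfp_for_certs` parameters and the key bytes are assumptions of this model.

```python
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479); fingerprint type 2
# is SHA-256, one of the forms `ssh-keygen -r` emits.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}


def ssh_string(data):
    """Encode one SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def sshfp_sha256(key_type, blob):
    """(algorithm, fptype, hex) of the raw key blob, as published in an SSHFP RR."""
    return (SSHFP_ALGO[key_type], 2, hashlib.sha256(blob).hexdigest())


def verify_host(offered, known_hosts, dns_sshfp, trusted_cas, skip_sshfp_for_certs):
    """Model (assumption, not OpenSSH's code) of the host-key decision.

    offered = {"type": key type, "blob": raw key blob, "cert_ca": CA id or None}.
    Returns the mechanism that accepted the key, or "prompt" if none did.
    """
    blob, ca = offered["blob"], offered.get("cert_ca")
    if ca is not None and ca in trusted_cas:
        return "accepted-by-ca"
    # A rejected certificate is downgraded to its plain key and checked
    # against known_hosts; that step is not the one at issue.
    if blob in known_hosts:
        return "accepted-known-hosts"
    # The reported defect: after rejecting the certificate the client went
    # straight to the prompt and never consulted DNS for SSHFP records.
    if ca is not None and skip_sshfp_for_certs:
        return "prompt"
    if sshfp_sha256(offered["type"], blob) in dns_sshfp:
        return "accepted-sshfp"
    return "prompt"


def demo():
    """Constructed Ed25519 host key (not a real key) with a matching SSHFP RR."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    dns = {sshfp_sha256("ssh-ed25519", blob)}  # what a DNS lookup would return
    plain = {"type": "ssh-ed25519", "blob": blob, "cert_ca": None}
    cert = {"type": "ssh-ed25519", "blob": blob, "cert_ca": "unknown-ca"}
    return {
        "plain": verify_host(plain, set(), dns, set(), True),
        "cert-vulnerable": verify_host(cert, set(), dns, set(), True),
        "cert-fixed": verify_host(cert, set(), dns, set(), False),
    }
```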