oss-sec mailing list archives

CVE request: openssh client does not check SSHFP if server offers certificate


From: Thijs Kinkhorst <thijs () debian org>
Date: Wed, 26 Mar 2014 14:24:04 +0100

Hi,

A vulnerability in OpenSSH's ssh client has been reported in Debian's BTS:
https://bugs.debian.org/742513

If the ssh server offers a HostCertificate that the ssh client doesn't accept, 
then the client doesn't check the DNS for SSHFP records. This is a 
security problem because it means that a malicious server can disable 
SSHFP-checking by presenting a certificate. Note that users are still presented 
the well-known "host verification prompt".

Given the prompt and the still rather peripheral reliance on SSHFP, we 
consider this an issue of low severity.

Please assign a CVE name for this issue.


Thanks,

Thijs Kinkhorst
Debian Security Team

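The check the report says is skipped, as an added worked example that is not part of the message above and not OpenSSH's own code: compute the SSHFP records for a host key the way `ssh-keygen -r` does (algorithm and fingerprint-type code points from RFC 4255/6594/7479, hash over the raw base64-decoded key blob), match them against records a resolver would return, and, for the certificate case, pull the plain key out of an OpenSSH Ed25519 host certificate so the SSHFP comparison can still be made when the certificate itself is not trusted. The host name, the 32 key bytes and the DNS answers are constructed for the example; the certificate blob carries only the leading fields the code parses.

```python
import base64
import hashlib
import struct

# SSHFP code points: algorithm (RFC 4255, 6594, 7479) and fingerprint type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def parse_host_key_line(line: str):
    """Parse 'host keytype base64blob [comment]' (ssh-keyscan / known_hosts form)
    into (keytype, raw blob bytes); the blob's leading type string must agree."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected 'host keytype base64'")
    keytype, blob = fields[1], base64.b64decode(fields[2])
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != keytype:
        raise ValueError("key type inside blob does not match field")
    return keytype, blob


def sshfp_records(keytype: str, blob: bytes):
    """(algorithm, fptype, hex fingerprint) tuples for a key: the fingerprint is
    the hash of the base64-decoded blob, exactly what 'ssh-keygen -r' prints."""
    alg = SSHFP_ALGORITHMS[keytype]
    return [(alg, fpt, h(blob).hexdigest()) for fpt, h in SSHFP_FPTYPES.items()]


def strip_certificate(keytype: str, blob: bytes):
    """If the server offered an OpenSSH Ed25519 certificate, return the plain
    host key it wraps (layout per PROTOCOL.certkeys: string type, string nonce,
    string pk, ...). Other key types are returned unchanged."""
    if keytype != "ssh-ed25519-cert-v01@openssh.com":
        return keytype, blob
    off, fields = 0, []
    for _ in range(3):  # type, nonce, pk; the remaining fields are not needed
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + n])
        off += n
    return "ssh-ed25519", ssh_string(b"ssh-ed25519") + ssh_string(fields[2])


def verify_host_key(keytype: str, blob: bytes, dns_records) -> bool:
    """True if any published (alg, fptype, fingerprint) matches the key."""
    computed = set(sshfp_records(keytype, blob))
    published = {(a, t, fp.lower()) for a, t, fp in dns_records}
    return bool(computed & published)


# Constructed sample material (not a real host key): 32 arbitrary bytes stand
# in for an Ed25519 public key, wrapped as a plain key and as a certificate.
SAMPLE_PK = bytes(range(32))
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(SAMPLE_PK)
SAMPLE_LINE = "host.example.com ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_CERT_BLOB = (ssh_string(b"ssh-ed25519-cert-v01@openssh.com")
                    + ssh_string(b"\x00" * 32)   # nonce
                    + ssh_string(SAMPLE_PK))     # remaining cert fields omitted


def demo():
    """Plain key, key inside an untrusted certificate, and a tampered key, all
    checked against the records the zone would publish for SAMPLE_LINE."""
    keytype, blob = parse_host_key_line(SAMPLE_LINE)
    dns = sshfp_records(keytype, blob)  # constructed stand-in for a DNS answer
    ok_plain = verify_host_key(keytype, blob, dns)
    kt, kb = strip_certificate("ssh-ed25519-cert-v01@openssh.com", SAMPLE_CERT_BLOB)
    ok_cert = verify_host_key(kt, kb, dns)
    tampered = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
    ok_bad = verify_host_key("ssh-ed25519", tampered, dns)
    return ok_plain, ok_cert, ok_bad


if __name__ == "__main__":
    for alg, fpt, fp in sshfp_records(*parse_host_key_line(SAMPLE_LINE)):
        print(f"host.example.com IN SSHFP {alg} {fpt} {fp}")
    print(demo())
```

The point of `strip_certificate` is the caveat the report raises: a client that gives up on SSHFP as soon as the server presents a certificate lets the server choose whether that check happens, whereas the key embedded in the certificate can still be compared against the published records. Note also that OpenSSH only treats a matching SSHFP record as authoritative when the resolver reports the answer as DNSSEC-validated; otherwise the host verification prompt is shown regardless.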

