CVE-2014-2653

critical

Description

The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.

References

http://www.ubuntu.com/usn/USN-2164-1

http://www.securityfocus.com/bid/66459

http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

http://www.mandriva.com/security/advisories?name=MDVSA-2015:095

http://www.mandriva.com/security/advisories?name=MDVSA-2014:068

http://www.debian.org/security/2014/dsa-2894

http://secunia.com/advisories/59855

http://rhn.redhat.com/errata/RHSA-2015-0425.html

http://rhn.redhat.com/errata/RHSA-2014-1552.html

http://openwall.com/lists/oss-security/2014/03/26/7

http://marc.info/?l=bugtraq&m=141576985122836&w=2

http://lists.fedoraproject.org/pipermail/package-announce/2014-May/133537.html

http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134026.html

http://aix.software.ibm.com/aix/efixes/security/openssh_advisory4.asc

http://advisories.mageia.org/MGASA-2014-0166.html

Details

Source: Mitre, NVD

Published: 2014-03-27

Updated: 2017-01-07

Risk Information

CVSS v2

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Severity: Critical

Detections

Analytics