Summary
OpenSSH is prone to a security-bypass vulnerability.
Impact
Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may aid in further attacks.
Solution
Updates are available.
Insight
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.
Affected
OpenSSH 6.6 and prior are vulnerable.
Detection
Check the version of the installed OpenSSH client.
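The following is an added example of such a version check, not code from the advisory or from the OpenSSH project. It parses the version strings that the OpenSSH client prints (ssh -V) or that an OpenSSH server sends in its banner, and flags anything at or below 6.6 as affected per this advisory. It assumes (as a simplification) that 6.6.x point releases are treated like 6.6, and it ignores distribution backports, which can leave an old version string on a patched package. Because the skipped check only matters when the client is configured to consult SSHFP records, the example also reads a client config snippet for the VerifyHostKeyDNS directive (default "no"; "yes" or "ask" enable SSHFP lookups), ignoring Host and Match stanzas for brevity.

```python
import re
from typing import Optional, Tuple

# Matches "OpenSSH_6.6p1", "OpenSSH_6.6.1p1", "SSH-2.0-OpenSSH_7.4 Ubuntu-..." and similar.
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?")

# Last affected release according to the advisory: OpenSSH 6.6 and earlier.
LAST_AFFECTED = (6, 6)


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an OpenSSH version string, or None if not OpenSSH."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    return (int(major), int(minor), int(patch) if patch else 0)


def is_affected_version(banner: str) -> Optional[bool]:
    """True if the version is 6.6 or earlier (assumption: 6.6.x counts as 6.6), None if unparseable."""
    v = parse_openssh_version(banner)
    if v is None:
        return None
    return (v[0], v[1]) <= LAST_AFFECTED


def verify_host_key_dns_enabled(ssh_config_text: str) -> bool:
    """Return True if an ssh_config snippet enables SSHFP lookups (VerifyHostKeyDNS yes|ask).

    Simplification: the first directive found wins and Host/Match stanzas are not evaluated.
    """
    for line in ssh_config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "verifyhostkeydns":
            return parts[1].strip().lower() in ("yes", "ask")
    return False  # OpenSSH default for VerifyHostKeyDNS is "no"


def assess_client(banner: str, ssh_config_text: str) -> str:
    """Combine both checks into a short finding for an inventory report."""
    affected = is_affected_version(banner)
    if affected is None:
        return "unknown: not an OpenSSH version string"
    if not affected:
        return "not affected: OpenSSH newer than 6.6"
    if verify_host_key_dns_enabled(ssh_config_text):
        return "affected: OpenSSH <= 6.6 and VerifyHostKeyDNS enabled, SSHFP check can be skipped"
    return "affected version, but VerifyHostKeyDNS is off so SSHFP records are not consulted; update anyway"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from any real host.
    samples = [
        ("OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014", "Host *\n    VerifyHostKeyDNS ask\n"),
        ("SSH-2.0-OpenSSH_7.4", ""),
        ("OpenSSH_5.9p1", "# VerifyHostKeyDNS yes\n"),
        ("SSH-2.0-dropbear_2019.78", ""),
    ]
    for banner, cfg in samples:
        print(f"{banner!r}: {assess_client(banner, cfg)}")
```

Run the module directly to see the four constructed samples classified; in practice feed it the output of ssh -V on each host and the contents of /etc/ssh/ssh_config and ~/.ssh/config.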
References
Updated on 2015-03-25
Severity
Classification: -
CVE: CVE-2014-2653
CVSS Base Score: 5.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N