Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 5.8 (CVSS v2 base score; vector AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVE Id CVE-2014-2653
Last Modified 01 Apr 2015 09:59:28
Published 27 Mar 2014 06:55:04
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2014-2653

Summary

The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.

In affected versions the client consults SSHFP records (the VerifyHostKeyDNS option) only when the server's host key is a plain key. A server that offers a certificate instead is sent straight to the known_hosts check; if the certificate is not signed by a CA the client trusts, the client strips it to the plain host key it wraps and continues with the ordinary known_hosts handling, never comparing that key against DNS. A man-in-the-middle can therefore wrap its own key in any certificate, however bogus, and avoid the SSHFP comparison that would otherwise have flagged the mismatch; the user sees only the usual unknown-host prompt rather than a DNS-based mismatch warning. This is why the impact is rated partial for confidentiality and integrity and none for availability. The correction consults SSHFP for the plain key after an unaccepted certificate has been stripped; the distribution advisories listed below carry that fix.
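As an added example (not OpenSSH's code and not part of this advisory), the following Python models the decision that verify_host_key() got wrong: it parses the host key a server offers, strips an OpenSSH certificate to the plain key it wraps, computes the SSHFP fingerprints an operator would publish, and shows the pre-fix order (DNS skipped for any certificate) beside the corrected order (strip first, then check DNS). The host key, the rogue key, the untrusted certificate wrapper and the SSHFP answer are all constructed inside the script, and the model leaves out what the real client also does, namely the known_hosts lookup and the requirement that an SSHFP answer be DNSSEC-validated before it is trusted.

```python
import hashlib
import struct

# SSHFP RR "algorithm" field per key type (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP RR "fingerprint type" field: 1 = SHA-1, 2 = SHA-256.
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}
# Number of RFC 4251 fields of key material that follow the key type string.
KEY_FIELDS = {"ssh-rsa": 2, "ssh-dss": 4, "ecdsa-sha2-nistp256": 2,
              "ecdsa-sha2-nistp384": 2, "ecdsa-sha2-nistp521": 2, "ssh-ed25519": 1}
CERT_SUFFIX = "-cert-v01@openssh.com"


def ssh_string(b: bytes) -> bytes:
    """Encode an RFC 4251 string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def ssh_strings(blob: bytes):
    """Lazily decode consecutive RFC 4251 strings from the front of a blob."""
    off = 0
    while off < len(blob):
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        yield blob[off:off + n]
        off += n

def key_type(blob: bytes) -> str:
    return next(ssh_strings(blob)).decode()

def is_cert(blob: bytes) -> bool:
    return key_type(blob).endswith(CERT_SUFFIX)

def cert_to_plain_key(blob: bytes) -> bytes:
    """Return the plain public key an OpenSSH certificate blob wraps
    (layout: type, nonce, key material, ...). Plain keys pass through."""
    if not is_cert(blob):
        return blob
    base = key_type(blob)[:-len(CERT_SUFFIX)]
    fields = ssh_strings(blob)
    next(fields)                                      # certificate type string
    next(fields)                                      # nonce
    material = [next(fields) for _ in range(KEY_FIELDS[base])]
    return ssh_string(base.encode()) + b"".join(ssh_string(m) for m in material)

def sshfp_records(plain_key: bytes, fptypes=(1, 2)):
    """SSHFP RDATA (algorithm, fptype, hex fingerprint) for a plain key; the
    fingerprint is the hash of the whole key blob, as `ssh-keygen -r` emits."""
    algo = SSHFP_ALGO[key_type(plain_key)]
    return [(algo, t, SSHFP_FPTYPE[t](plain_key).hexdigest()) for t in fptypes]

def sshfp_match(plain_key: bytes, dns_rrs) -> bool:
    """True if any published SSHFP RR matches the key."""
    have = {(a, t, fp.lower()) for a, t, fp in dns_rrs}
    return any(rr in have for rr in sshfp_records(plain_key))

def verify_host_key_pre_fix(offered: bytes, dns_rrs):
    """ssh(1) <= 6.6 order: SSHFP is consulted only for a plain key; a certificate
    goes straight to known_hosts, where an unaccepted one is stripped to its plain
    key with no DNS check. Returns None when DNS was never consulted."""
    if is_cert(offered):
        return None
    return sshfp_match(offered, dns_rrs)

def verify_host_key_fixed(offered: bytes, dns_rrs):
    """Corrected order: reduce the offered key to the plain host key first,
    then consult SSHFP, so an untrusted certificate cannot suppress the check."""
    return sshfp_match(cert_to_plain_key(offered), dns_rrs)

def wrap_in_untrusted_cert(plain_key: bytes) -> bytes:
    """Constructed, syntactically valid OpenSSH host certificate around a plain
    key, 'signed' by a CA the client does not trust (signature is filler)."""
    fields = list(ssh_strings(plain_key))
    blob = ssh_string((fields[0].decode() + CERT_SUFFIX).encode())
    blob += ssh_string(b"\x00" * 32)                        # nonce
    blob += b"".join(ssh_string(f) for f in fields[1:])     # key material
    blob += struct.pack(">QI", 1, 2)                        # serial, type 2 = host
    blob += ssh_string(b"mitm") + ssh_string(b"")           # key id, principals
    blob += struct.pack(">QQ", 0, 2**64 - 1)                # valid after / before
    blob += ssh_string(b"") * 3                             # crit. opts, extensions, reserved
    return blob + ssh_string(b"untrusted-ca") + ssh_string(b"not-a-signature")


# Constructed data: 32 arbitrary bytes stand in for an Ed25519 public point
# (SSHFP hashes the encoded blob, so it need not be a valid curve point).
HOST_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
ROGUE_KEY = ssh_string(b"ssh-ed25519") + ssh_string(b"\xff" * 32)
DNS_SSHFP = sshfp_records(HOST_KEY)     # what the operator published for HOST_KEY

if __name__ == "__main__":
    for label, offered in (("plain host key", HOST_KEY),
                           ("host key in untrusted cert", wrap_in_untrusted_cert(HOST_KEY)),
                           ("rogue key in untrusted cert", wrap_in_untrusted_cert(ROGUE_KEY))):
        print(f"{label:28} pre-fix={verify_host_key_pre_fix(offered, DNS_SSHFP)!s:5} "
              f"fixed={verify_host_key_fixed(offered, DNS_SSHFP)}")
```

The middle row of the output is the bug: for the genuine host key wrapped in an untrusted certificate the pre-fix path reports None (DNS never consulted), while the fixed path checks the same plain key against SSHFP and passes it, and fails the rogue key presented the same way. The parsing works unchanged on real material: base64-decode the key field of a `ssh-keyscan` or known_hosts line to get the blob, and compare its `sshfp_records` output with `dig SSHFP host` or `ssh-keygen -r host`.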

Vulnerable Systems

Application

  • OpenBSD OpenSSH 6.0

  • OpenBSD OpenSSH 6.1

  • OpenBSD OpenSSH 6.2

  • OpenBSD OpenSSH 6.3

  • OpenBSD OpenSSH 6.4

  • OpenBSD OpenSSH 6.5

  • OpenBSD OpenSSH 6.6

References

CONFIRM - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513

MLIST - [oss-security] 20140326 CVE request: openssh client does not check SSHFP if server offers certificate

UBUNTU - USN-2164-1

DEBIAN - DSA-2894

BID - 66459

MANDRIVA - MDVSA-2014:068

FEDORA - FEDORA-2014-6380

FEDORA - FEDORA-2014-6569

CONFIRM - http://advisories.mageia.org/MGASA-2014-0166.html

CONFIRM - http://aix.software.ibm.com/aix/efixes/security/openssh_advisory4.asc

REDHAT - RHSA-2014:1552

HP - SSRT101487

REDHAT - RHSA-2015:0425

MANDRIVA - MDVSA-2015:095


Last Updated: 27 May 2016 11:08:06