Input validation error in OpenSSH - CVE-2014-2653
Published: March 27, 2014 / Updated: August 3, 2020
Vulnerability identifier: #VU33294
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2014-2653
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: OpenSSH
Affected software:
OpenSSH
OpenSSH
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.
How to mitigate CVE-2014-2653
Install update from vendor's website.
Sources
- http://advisories.mageia.org/MGASA-2014-0166.html
- http://aix.software.ibm.com/aix/efixes/security/openssh_advisory4.asc
- http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134026.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-May/133537.html
- http://marc.info/?l=bugtraq&m=141576985122836&w=2
- http://openwall.com/lists/oss-security/2014/03/26/7
- http://rhn.redhat.com/errata/RHSA-2014-1552.html
- http://rhn.redhat.com/errata/RHSA-2015-0425.html
- http://secunia.com/advisories/59855
- http://www.debian.org/security/2014/dsa-2894
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:068
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:095
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.securityfocus.com/bid/66459
- http://www.ubuntu.com/usn/USN-2164-1
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513