OpenSSH 6.6 and Earlier: Bypassing SSHFP DNS RR Checking via HostCertificate

OpenSSH 6.6 and Earlier: Bypassing SSHFP DNS RR Checking via HostCertificate

CVE-2014-2653 · MEDIUM Severity

AV:N/AC:M/AU:N/C:P/I:P/A:N

The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.

Learn more about our Cis Benchmark Audit For Server Software.