search menu icon-carat-right cmu-wordmark

CERT Coordination Center

SSH host key authentication can be bypassed when DNS is used to resolve localhost

Vulnerability Note VU#786900

Original Release Date: 2000-09-26 | Last Revised: 2002-03-05

Overview

This vulnerability allows an attacker to redirect an SSH connection to an arbitary host.

Description

When making connections to localhost, SSH disables host key checking to provide compatibility with NFS filesystems. As a result, if the victim's machine uses a poisoned DNS server to resolve localhost, it is possible to redirect the victim's SSH session to a different host.

In most SSH clients, users are asked to confirm the acceptance of a host key the first time it is presented. If the user accepts the host key, they are asserting that the key represents the host they intended to connect to. But if an attacker exploits this vulnerability, the victim will not be asked for this confirmation because host key checking has been disabled. Therefore, even the most attentive users will not be able to detect that they have been redirected.

Impact

Attacker can redirect a victim's SSH connection to an arbitrary host.

Solution

Do not use DNS to resolve "localhost". Instead, explicitly configure all hosts to use 127.0.0.1 for localhost.

Vendor Information

786900
 

SSH Communications Security Affected

Updated:  February 06, 2001

Status

Affected

Vendor Statement

This was fixed in 1997.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenSSH Not Affected

Updated:  October 29, 2001

Status

Not Affected

Vendor Statement

See http://www.openssh.com/security.html.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

The CERT/CC thanks Antti Huima, Tuomas Aura, and Janne Salmi for their analysis and Tatu Ylonen for bringing this vulnerability to our attention.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: None
Severity Metric: 0.46
Date Public: 2001-01-18
Date First Published: 2000-09-26
Date Last Updated: 2002-03-05 20:10 UTC
Document Revision: 12

Sponsored by CISA.