[Bug 3313] New: CVE-2020-14145 - will it get fixed?

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed May 26 22:20:05 AEST 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3313

            Bug ID: 3313
           Summary: CVE-2020-14145 - will it get fixed?
           Product: Portable OpenSSH
           Version: 8.6p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: security
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: m.kaiser at bmlv.gv.at

The client side in OpenSSH 5.7 through 8.6 has an Observable
Discrepancy leading to an information leak in the algorithm
negotiation. This allows man-in-the-middle attackers to target initial
connection attempts (where no host key for the server has been cached
by the client).

https://docs.ssh-mitm.at/CVE-2020-14145.html

This tool is able to exploit this vulnerability. At the moment, it only
checks, if a client is vulnerable, but implementing a full exploit is
not hard.

Dropbear was not affected by such a vulnerability, because they are
allwys sending the default algorithm list.

PuTTy has integrated an option to disable/enable preffered host key
algorithm order.


Mitigation:

Clients should always preffere the strongest ciphers per default. By
using HostKeyAlgorithms in your configuration file, you need to
maintain the list and add new algorithms in the right order. This is
error prone and most users do not have enough knowledge about pros and
cons of those algorithms.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list