CVE-2001-1474 in SSH
Summary
by MITRE
SSH before 2.0 disables host key checking when connecting to the localhost, which allows remote attackers to silently redirect connections to the localhost by poisoning the client s DNS cache.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 11/17/2024
This vulnerability exists in SSH implementations prior to version 2.0 where the client automatically disables host key verification when establishing connections to localhost. The flaw stems from the assumption that connections to localhost are inherently trustworthy, leading to a dangerous relaxation of security controls that can be exploited by malicious actors. The vulnerability is classified under CWE-310 as "Cryptographic Vulnerability" and represents a significant weakness in the SSH protocol's security model.
The technical implementation of this vulnerability occurs because SSH clients perform a DNS lookup to resolve the localhost address, which can be manipulated through DNS cache poisoning attacks. When the DNS cache is poisoned, the SSH client receives a malicious IP address instead of the legitimate localhost address, but due to the disabled host key checking, the client accepts this redirection without warning. This creates a situation where attackers can seamlessly redirect SSH connections to malicious hosts while maintaining the appearance of normal localhost communication, effectively bypassing the fundamental security mechanism that protects against man-in-the-middle attacks.
The operational impact of this vulnerability is severe as it allows attackers to establish unauthorized connections to localhost services without detection. An attacker with access to the local network can poison DNS records to redirect SSH connections to their own malicious host, potentially gaining access to sensitive services running on the localhost. This vulnerability specifically affects the SSH client's trust model and can be exploited across various operating systems where SSH is implemented, making it particularly dangerous in environments where localhost services are assumed to be secure. The attack can be executed without requiring elevated privileges or complex exploitation techniques, making it accessible to a wide range of threat actors.
Mitigation strategies for this vulnerability include upgrading to SSH version 2.0 or later where host key checking is properly enforced even for localhost connections. Organizations should implement proper DNS security measures including DNSSEC to prevent cache poisoning attacks, and establish monitoring for unusual DNS resolution patterns. Additionally, security configurations should explicitly enforce host key checking regardless of the target address, and network administrators should regularly audit localhost service access controls. This vulnerability highlights the importance of maintaining strict security protocols even for seemingly trusted network locations and aligns with ATT&CK technique T1071.004 for application layer protocol tunneling and T1566 for credential harvesting through network manipulation. The flaw demonstrates how implicit trust assumptions in network protocols can create exploitable security gaps that require explicit configuration controls to address.