CVE-2014-2653 in OpenSSHinfo

Summary

by MITRE

The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/28/2026

The vulnerability identified as CVE-2014-2653 resides within the OpenSSH client implementation and specifically targets the sshconnect.c file's verify_host_key function. This flaw represents a significant security weakness that undermines the integrity of SSH host key verification processes. The vulnerability affects OpenSSH versions 6.6 and earlier, making it a longstanding issue that persisted across multiple releases before being addressed in subsequent versions. The security implications extend beyond simple protocol compliance failures as they fundamentally compromise the trust model that SSH relies upon for secure remote connections.

The technical mechanism of this vulnerability involves a specific interaction between the SSH client and server where malicious servers can manipulate the HostCertificate field to influence the host key verification process. When a remote server presents an unacceptable HostCertificate, the verify_host_key function incorrectly processes this information and inadvertently skips the SSHFP DNS RR checking procedure. This behavior represents a deviation from expected security protocols where DNS-based SSH fingerprint verification should always occur regardless of certificate presentation. The flaw essentially creates a bypass condition that allows untrusted servers to avoid proper host verification checks that are critical for preventing man-in-the-middle attacks.

From an operational impact perspective, this vulnerability enables attackers to conduct successful man-in-the-middle attacks against SSH clients that are running affected OpenSSH versions. The ability to skip SSHFP DNS RR checking means that malicious actors can present forged host certificates while still maintaining the appearance of legitimate connections to victims. This creates a dangerous scenario where users may unknowingly establish connections with compromised servers, potentially leading to unauthorized access to sensitive systems, data exfiltration, and complete compromise of the affected infrastructure. The vulnerability affects all SSH clients that rely on the default host key verification mechanisms, making it particularly dangerous in environments where automated connections or bulk deployment of SSH clients occurs.

The security implications align with CWE-284 Access Control Issues and specifically relate to improper access control in cryptographic protocols. This vulnerability also maps to ATT&CK technique T1566.001 Credential Access: Phishing for Information, as it enables attackers to manipulate the authentication process to appear legitimate while bypassing security controls. Organizations using affected OpenSSH versions face significant risk of credential compromise and system infiltration. The vulnerability demonstrates how seemingly minor implementation flaws in cryptographic protocols can result in major security breaches. Mitigation efforts must include immediate patching of OpenSSH clients to versions that address this specific verification bypass, along with implementing additional security controls such as explicit host key verification, certificate pinning, and monitoring for unusual SSH connection patterns. Network administrators should also consider implementing SSH key management policies that enforce strict verification procedures and regularly audit SSH client configurations to ensure compliance with security best practices.

Reservation

03/26/2014

Disclosure

03/27/2014

Moderation

accepted

Entry

VDB-12724

CPE

ready

EPSS

0.01988

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!