Improper Certificate Validation in zeromq/pyzmq

Valid

Reported on

Jul 28th 2021


✍️ Description

The paramiko.WarningPolicy passed to set_missing_host_key_policy does not reject unknown host keys; it only emits a warning and lets the connection proceed. This may lead to man-in-the-middle attacks.

🕵️‍♂️ Proof of Concept

```python
import paramiko

client = paramiko.SSHClient()
client.load_system_host_keys()
# WarningPolicy only warns about an unknown host key and still lets the connection proceed
client.set_missing_host_key_policy(paramiko.WarningPolicy())
```
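To make the difference between the policies concrete, here is an added example that is not part of this report and not pyzmq's or paramiko's own code. It models, in plain Python with no paramiko dependency, the check an SSH client performs against its known_hosts store and dispatches to three policies modelled on paramiko's RejectPolicy, WarningPolicy and AutoAddPolicy. The KnownHosts class, the exception names and the sample fingerprints are all constructed for the example; the behaviours (a mismatching key for a known host is always fatal, a warning policy accepts an unverified first-seen key without recording it) follow what the policies do.

```python
import logging

log = logging.getLogger("hostkeys")


class HostKeyMismatch(Exception):
    """A known host presented a different key: possible MITM, always fatal."""


class UnknownHostRejected(Exception):
    """The host is not in known_hosts and the policy refuses a first-seen key."""


class KnownHosts:
    """Minimal stand-in for a known_hosts store (constructed): hostname -> fingerprint."""

    def __init__(self, entries=None):
        self.entries = dict(entries or {})

    def lookup(self, host):
        return self.entries.get(host)

    def add(self, host, fingerprint):
        self.entries[host] = fingerprint


# The three "missing host key" policies, modelled on paramiko's RejectPolicy,
# WarningPolicy and AutoAddPolicy. Each is called only when the host is absent
# from the store; a mismatching key for a known host never reaches them.

def reject_policy(known, host, fingerprint):
    raise UnknownHostRejected(f"no host key on record for {host}; refusing to connect")


def warning_policy(known, host, fingerprint):
    # Logs and proceeds. The key is not recorded, so the next connection to
    # this host is just as unverified as this one.
    log.warning("unknown host key for %s: %s", host, fingerprint)


def auto_add_policy(known, host, fingerprint):
    # Trust-on-first-use: the first key seen becomes the pinned key, so a
    # later change is caught as a mismatch.
    known.add(host, fingerprint)


def verify_host_key(known, host, fingerprint, missing_policy):
    """Return how the key was accepted, or raise if the connection must not proceed."""
    expected = known.lookup(host)
    if expected is not None:
        if expected != fingerprint:
            raise HostKeyMismatch(
                f"host key for {host} changed: expected {expected}, got {fingerprint}"
            )
        return "verified"
    missing_policy(known, host, fingerprint)
    return "added" if known.lookup(host) == fingerprint else "accepted-unverified"


def connect_outcome(known, host, fingerprint, missing_policy):
    """Wrap verify_host_key so callers get a plain label instead of an exception."""
    try:
        return verify_host_key(known, host, fingerprint, missing_policy)
    except (HostKeyMismatch, UnknownHostRejected) as exc:
        return f"rejected: {exc.__class__.__name__}"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample data: one host already pinned, one never seen before.
    pinned = {"tunnel.example": "SHA256:constructed-known-fp"}
    for policy in (reject_policy, warning_policy, auto_add_policy):
        known = KnownHosts(pinned)
        print(policy.__name__, "known host:",
              connect_outcome(known, "tunnel.example", "SHA256:constructed-known-fp", policy))
        print(policy.__name__, "new host:  ",
              connect_outcome(known, "new.example", "SHA256:constructed-new-fp", policy))
```

Running the driver shows that all three policies agree on a host whose key is already on record and differ only on the first contact with an unknown host: reject_policy refuses, warning_policy accepts without pinning, and auto_add_policy accepts and pins, which is why the maintainer's fix makes the policy a caller's choice rather than a default.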

💥 Impact

Affected users become vulnerable to man-in-the-middle attacks.

Ziding Zhang (Admin), 4 months ago:

Hey Raptor, just contacted the pyzmq team. Waiting to hear back, good job!

We have contacted a member of the zeromq/pyzmq team and are waiting to hear back 4 months ago
Raptor (Researcher), 4 months ago:

jjjj

zeromq/pyzmq maintainer, 4 months ago:

Thanks! This is the equivalent of ssh -o StrictHostKeyChecking=accept-new, so I'm not too concerned about it, as only Windows users tunneling ssh connections to never-before-connected hosts (could be zero people, honestly). I've opened https://github.com/zeromq/pyzmq/pull/1571 to make the behavior opt-in instead of the default, and allow any paramiko missing-host-key policy.

Min RK submitted a
4 months ago
zeromq/pyzmq maintainer confirmed that a fix has been merged on c7be48 4 months ago
Min RK has been awarded the fix bounty