Improper Certificate Validation in zeromq/pyzmq

Valid

Reported on Jul 28th 2021


✍️ Description

The paramiko.WarningPolicy policy used in set_missing_host_key_policy will not reject unknown host keys. This may lead to man-in-the-middle attacks.

🕵️‍♂️ Proof of Concept

import paramiko

client = paramiko.SSHClient()
client.load_system_host_keys()
# WarningPolicy only logs a warning when the server's host key is absent from known_hosts; the connection still proceeds
client.set_missing_host_key_policy(paramiko.WarningPolicy())

💥 Impact

That you have become vulnerable to man-in-the-middle attacks.

Z-Old
2 years ago

Admin


Hey Raptor, just contacted the pyzmq team. Waiting to hear back, good job!

We have contacted a member of the zeromq/pyzmq team and are waiting to hear back 2 years ago
Raptor
2 years ago

Researcher


jjjj

zeromq/pyzmq maintainer
2 years ago

Maintainer


Thanks! This is the equivalent of ssh -o StrictHostKeyChecking=accept-new, so I'm not too concerned about it, as only Windows users tunneling ssh connections to never-before-connected hosts are affected (could be zero people, honestly). I've opened https://github.com/zeromq/pyzmq/pull/1571 to make the behavior opt-in instead of the default, and to allow any paramiko missing-host-key policy.

Min RK submitted a
2 years ago
zeromq/pyzmq maintainer marked this as fixed with commit c7be48 2 years ago
Min RK has been awarded the fix bounty
This vulnerability will not receive a CVE