Improper Certificate Validation in zeromq/pyzmq


Reported on

Jul 28th 2021

✍️ Description

The paramiko.WarningPolicy policy used in set_missing_host_key_policy will not reject unknown host keys. This may lead to Man-in-the-middle attacks.

🕵️‍♂️ Proof of Concept

client = paramiko.SSHClient()

💥 Impact

That you have become vulnerable to man-in-the-middle attacks.

a year ago


Hey Raptor, just contacted the pyzmq team. Waiting to hear back, good job!

We have contacted a member of the zeromq/pyzmq team and are waiting to hear back a year ago
a year ago



zeromq/pyzmq maintainer
a year ago

Thanks! This is the equivalent of ssh -o StrictHostKeyChecking=accept-new, so I'm not too concerned about it, as only Windows users tunneling ssh connections to never-before-connected hosts (could be zero people, honestly). I've opened to make the behavior opt-in instead of the default, and allow any paramiko missing-host-key policy.

Min RK submitted a
a year ago
zeromq/pyzmq maintainer confirmed that a fix has been merged on c7be48 a year ago
Min RK has been awarded the fix bounty
to join this conversation