SYM_GO_0041 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Key Exchange without Entity Authentication
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-322: Key Exchange without Entity Authentication |
| OWASP | A02:2021 - Cryptographic Failures |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The code disables SSH host key verification by using `ssh.InsecureIgnoreHostKey()`, so it never checks that the server's identity is genuine. Any server that answers, including a malicious or unexpected one, is accepted as the intended host.
Impact
If exploited, attackers could perform man-in-the-middle attacks, intercepting or altering sensitive data sent over SSH connections. This compromises the confidentiality and integrity of communications, potentially leading to unauthorized access, data leaks, or further attacks on internal systems.
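As an added example (not code from the Symbiotic database or from golang.org/x/crypto), the weak host-key callback named in the description is shown beside a hardened replacement that pins the server's fingerprint. It defines a minimal `publicKey` interface and a `constructedKey` stand-in so it runs offline without the x/crypto module; the key blobs, fingerprint and host name are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net"
)

// publicKey is the subset of ssh.PublicKey (golang.org/x/crypto/ssh) that host-key checking needs.
type publicKey interface {
	Type() string
	Marshal() []byte
}

// insecureIgnoreHostKey is what ssh.InsecureIgnoreHostKey() amounts to: any server key is accepted.
func insecureIgnoreHostKey() func(string, net.Addr, publicKey) error {
	return func(string, net.Addr, publicKey) error { return nil }
}

// fingerprintSHA256 matches ssh.FingerprintSHA256: "SHA256:" + unpadded base64 of SHA-256(wire key).
func fingerprintSHA256(key publicKey) string {
	sum := sha256.Sum256(key.Marshal())
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// pinnedHostKey is the hardened replacement (shape of ssh.HostKeyCallback): connect only if the
// server's key matches a fingerprint recorded out of band, as ssh.FixedHostKey or knownhosts.New do.
func pinnedHostKey(expected string) func(string, net.Addr, publicKey) error {
	return func(hostname string, remote net.Addr, key publicKey) error {
		if got := fingerprintSHA256(key); got != expected {
			return fmt.Errorf("host key mismatch for %s: got %s %s, pinned %s",
				hostname, key.Type(), got, expected)
		}
		return nil
	}
}

// constructedKey stands in for a parsed ssh.PublicKey; the blobs below are made up.
type constructedKey struct{ typ string; blob []byte }

func (k constructedKey) Type() string    { return k.typ }
func (k constructedKey) Marshal() []byte { return k.blob }

func main() {
	server := constructedKey{"ssh-ed25519", []byte("constructed-server-key-blob")}
	impostor := constructedKey{"ssh-ed25519", []byte("constructed-impostor-key-blob")}
	check := pinnedHostKey(fingerprintSHA256(server))
	fmt.Println(check("bastion.example.internal:22", nil, server))   // <nil>
	fmt.Println(check("bastion.example.internal:22", nil, impostor)) // host key mismatch ...
}
```

In a real client the pinned callback goes in `ssh.ClientConfig.HostKeyCallback`, where the insecure one was; the mismatch error aborts the handshake before any credentials or data are sent.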