FSA-2020-2 Targeted MitM Attacks Using Information Leakage in SSH Clients

Research scientists of the Competence Center for IT Security found an information leak in two widely used SSH clients.

An information leak in OpenSSH 5.7-8.3 and PuTTY 0.68-0.73 allows an attacker to carry out targeted man-in-the-middle attacks. The vulnerabilities have been assigned CVE-2020-14002 and CVE-2020-14145. Users can protect themselves by always verifying the server's fingerprint during an initial connection attempt.
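One way to script the fingerprint check recommended above, added here as an example and not taken from the advisory or the report: it computes the SHA256 fingerprint in the form OpenSSH prints from a public key line and compares it with a fingerprint obtained out of band. The function names and the sample key are constructed for illustration, and the trusted fingerprint is assumed to come from the server operator over a separate channel.

```python
import base64
import hashlib
import hmac
import struct


def parse_pubkey_line(line):
    """Split '<type> <base64> [comment]' and check the declared type against the blob."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])  # length of the embedded type string
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match key blob")
    return key_type, blob


def sha256_fingerprint(blob):
    """Fingerprint as OpenSSH displays it: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(pubkey_line, trusted_fingerprint):
    """True only if the offered key hashes to the out-of-band fingerprint."""
    _, blob = parse_pubkey_line(pubkey_line)
    offered = sha256_fingerprint(blob).encode()
    return hmac.compare_digest(offered, trusted_fingerprint.strip().encode())


def constructed_sample_line(seed=0):
    """Constructed ssh-ed25519 public key line (not a real host key)."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " host.example"


if __name__ == "__main__":
    line = constructed_sample_line()
    trusted = sha256_fingerprint(parse_pubkey_line(line)[1])  # stands in for the out-of-band value
    print("match" if verify_host_key(line, trusted) else "MISMATCH: do not connect")
```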

The full report is available for download.