=========================================================== == Subject: libssh loads configuration files from the == C:\etc directory on Windows == == CVE ID#: CVE-2025-14821 == == Versions: libssh < 0.11.4; < 0.12.0 == == Summary: By default libssh loads configuration files from the C:\etc == directory, which could be created by any user on Windows == =========================================================== =========== Description =========== When libssh is built with default configure options, libssh loads configuration files from the C:\etc directory on Windows. This directory could be created by a unprivileged user and as the directory contains configuration files and ssh_known_hosts, an unprivileged attacker on the same machine could do a MITM attack, downgrade security of established connections or cause other security problems. ================== Patch Availability ================== Patches addressing the issues have been posted to: https://www.libssh.org/security/ Additionally, libssh 0.11.4 and 0.12.0 have been issued as security releases to correct the defect. SSH administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8) ========== Workaround ========== When configuring libssh on Windows, set the GLOBAL_BIND_CONFIG and GLOBAL_CLIENT_CONFIG variables. Example: cmake \ -DGLOBAL_BIND_CONFIG=C:/ProgramData/ssh/libssh_server_config \ -DGLOBAL_CLIENT_CONFIG=C:/ProgramData/ssh/ssh_config In addition you need to set the global known hosts using: rc = ssh_options_set(session, SSH_OPTIONS_GLOBAL_KNOWNHOSTS, "C:/ProgramData/ssh/ssh_known_hosts"); ======= Credits ======= Originally reported by Martin Grubhofer. Patches provided by Andreas Schneider from the libssh team. ========================================================== == The libssh team ==========================================================