Hacker News new | ask | show | jobs
by loeg 1298 days ago
Your understanding is sort of mistaken. Mosh does an initial handshake over ssh, but after that it’s a custom UDP protocol. There have been and could be more security bugs in that UDP protocol.
2 comments
achernya 1298 days ago
The only mosh CVE [1] was in the terminal emulator (a DoS that could only be triggered by a local user), not in the protocol. There have been no vulnerabilities in mosh's UDP protocol.

[1] https://nvd.nist.gov/vuln/detail/CVE-2012-2385

link
nibbleshifter 1298 days ago
yet.

I wonder if anyone's thrown a fuzzer at it.

link
achernya 1298 days ago
Yes, mosh has fuzz tests in oss-fuzz [1].

[1] https://github.com/google/oss-fuzz/tree/master/projects/mosh

link
jbj 1298 days ago
Ahh, thanks for clarifying! Yes, in that case it is very appreciated to see recent updates.
link