Full Report
Significant OpenSSH flaws are exposing systems to man-in-the-middle and denial-of-service attacks
Analysis Summary
# Vulnerability: OpenSSH MitM (`VerifyHostKeyDNS`) and DoS (`SSH2_MSG_PING`) Flaws
## CVE Details
- CVE ID: CVE-2025-26465, CVE-2025-26466
- CVSS Score: Not explicitly provided, but described as posing "critical" risks.
- CWE: No CWE IDs are given; the MitM flaw is described as a logic error and the DoS flaw as improper resource handling.
## Affected Systems
- Products: OpenSSH (Client and Server)
- Versions: Prior to OpenSSH 9.9p2. CVE-2025-26465 exists since late 2014. CVE-2025-26466 exists since August 2023.
- Configurations: CVE-2025-26465 only affects clients with `VerifyHostKeyDNS` enabled. (Note: this option is usually disabled by default, but it was historically enabled by default on some platforms, such as FreeBSD.)
## Vulnerability Description
This summary covers two distinct flaws:
**CVE-2025-26465 (MitM Bypass):** A logic error in the OpenSSH client's `VerifyHostKeyDNS` feature allows an attacker to bypass identity verification checks when memory allocation errors occur during server identity verification, leading to potential Man-in-the-Middle (MitM) attacks through server impersonation.
**CVE-2025-26466 (DoS):** A pre-authentication Denial-of-Service (DoS) vulnerability affecting both client and server components stems from improper handling of CPU and memory resources during SSH key exchanges when processing `SSH2_MSG_PING` packets, leading to resource exhaustion.
## Exploitation
- Status: Not stated whether exploited in the wild; a proof of concept is likely, since the flaws were found by researchers.
- Complexity: Not explicitly detailed, but MitM suggests medium to high complexity depending on the execution context. DoS appears simpler via crafted packets.
- Attack Vector: Network (for both MitM and DoS)
## Impact
- Confidentiality: High (for successful MitM exploitation by impersonating a server)
- Integrity: High (for successful MitM exploitation)
- Availability: High (due to DoS resource exhaustion)
## Remediation
### Patches
- OpenSSH version 9.9p2 addresses and resolves both CVE-2025-26465 and CVE-2025-26466.
### Workarounds
1. **Upgrade immediately:** Update OpenSSH installations to version 9.9p2.
2. **Audit configurations (CVE-2025-26465):** Review and disable the `VerifyHostKeyDNS` feature if it is enabled in client environments.
3. **Restrict resources (CVE-2025-26466):** On servers, ensure settings like `LoginGraceTime` and `MaxStartups` are configured appropriately to limit the impact of pre-authentication resource exhaustion attacks.
## Detection
Specific Indicators of Compromise (IOCs) are not detailed, but general detection should focus on:
- Monitoring for unexpected `SSH2_MSG_PING` traffic patterns leading to high CPU/memory usage on the SSH daemon.
- Auditing SSH client configurations for the presence of the `VerifyHostKeyDNS` setting.
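A small audit helper, added here and not part of the advisory or of OpenSSH, that checks the two configuration points listed above: whether a client config enables `VerifyHostKeyDNS` (CVE-2025-26465) and whether an `sshd_config` sets the `MaxStartups` and `LoginGraceTime` limits (CVE-2025-26466). The config file contents are constructed; in practice point `ssh_opt` at `/etc/ssh/ssh_config`, `~/.ssh/config` or `/etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Added audit helper, not part of the advisory or of OpenSSH. Reads
# OpenSSH-style config files; the sample contents below are constructed.

# Print the lower-cased value of keyword $2 in config file $1. OpenSSH keywords
# are case-insensitive, accept "Key value" or "Key=value", and the first
# occurrence wins. Host/Match blocks are not evaluated: any occurrence is reported.
ssh_opt() {
    awk -v key="$2" '
        { sub(/#.*/, ""); gsub(/=/, " ") }   # drop comments, treat "=" as space
        NF < 2 { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# CVE-2025-26465: the DNS host-key verification path is active when
# VerifyHostKeyDNS is "yes" or "ask". Returns 0 (true) if enabled.
verify_host_key_dns_enabled() {
    case "$(ssh_opt "$1" verifyhostkeydns)" in
        yes|ask) return 0 ;;
        *)       return 1 ;;
    esac
}

# CVE-2025-26466: returns 0 if pre-auth limit keyword $2 is set in sshd_config $1.
sshd_limit_set() {
    [ -n "$(ssh_opt "$1" "$2")" ]
}

# Constructed sample configs so the script runs offline.
AUDIT_DIR=$(mktemp -d)
cat > "$AUDIT_DIR/ssh_config" <<'EOF'
# constructed client config
Host *
    VerifyHostKeyDNS yes
EOF
cat > "$AUDIT_DIR/sshd_config" <<'EOF'
# constructed server config: MaxStartups set, LoginGraceTime left unset
MaxStartups 10:30:100
EOF

if verify_host_key_dns_enabled "$AUDIT_DIR/ssh_config"; then
    echo "WARN: VerifyHostKeyDNS enabled in ssh_config (CVE-2025-26465)"
fi
for kw in maxstartups logingracetime; do
    sshd_limit_set "$AUDIT_DIR/sshd_config" "$kw" || \
        echo "WARN: $kw not set in sshd_config (CVE-2025-26466 mitigation)"
done
```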
## References
- Vendor advisories: OpenSSH Release Notes (links to hxxps://www.openssh.com/releasenotes.html#9.9p2)
- Relevant links: Information cited from Infosecurity Magazine (hxxps://www.infosecurity-magazine.com/news/openssh-flaws-expose-systems/)