OpenSSH faces two new security holes, potentially high risk causing information security
Overview
Security researchers have just discovered a serious vulnerability in OpenSSH that can be exploited to carry out Man-in-the-Middle (MitM) and Denial of Service (DoS) attacks. This is a major issue because OpenSSH is one of the most widely used secure communication tools on the internet, commonly used in Linux, macOS, and some Windows systems.
According to Qualys TRU (Threat Research Unit) - a Threat Research Unit of Qualys, two vulnerabilities related to this attack campaign have been identified:
CVE-2025-26465: This vulnerability allows attackers to perform Man-in-the-Middle (MitM) attacks by impersonating a legitimate server.
CVE-2025-26466: This vulnerability allows for Denial of Service (DoS) attacks before authentication.
Introduction to the Vulnerability
CVE-2025-26465: Machine-in-the-Middle (MITM) Attack on OpenSSH Client
Severity: High
Impact: Attackers can steal data and hijack SSH sessions without user interaction.
Exploitation conditions:
When the VerifyHostKeyDNS option is enabled (default is off, but it can be activated in some configurations, especially on FreeBSD).
No need for SSHFP resource records in DNS.
CVE-2025-26466: Denial of Service (DoS) Attack on Both Client & Server
Severity: High
Impact:
Pre-authentication DoS attack, causing the system to consume resources (RAM, CPU), disrupting SSH services.
May prevent administrators from logging in, halting critical operations.
Affected Versions
OpenSSH versions 6.8p1 to 9.9p1
OpenSSH versions 9.5p1 to 9.9p1
Vulnerability Analysis
CVE-2025-26465
Man-in-the-Middle (MitM) attack is a technique where an attacker inserts themselves between the connection of a client and a server to steal information or impersonate identities. In OpenSSH, MitM can occur if server key authentication is not done correctly.
Initially, for attackers to exploit this vulnerability, the VerifyHostKeyDNS option must be enabled. Specifically, the function
sshkey_to_base64().
This Base64 code is responsible for converting an SSH key into Base64 format, which may relate to CVE-2025-26465 if it mishandles data during server key verification.
The variable
ris initially set toSSH_ERR_INTERNAL_ERROR, but if there's an error insshkey_putb()orsshbuf_dtob64_string(), the function willgoto outwithout freeing memory.If
sshbuf_dtob64_string()fails (NULL), it returnsSSH_ERR_ALLOC_FAIL, but it may not handle all exception cases.
If an attacker can control the value passed into
sshkey_to_base64(), they can exploit this flaw to corrupt memory or cause data leaks in OpenSSH.Ultimately, once the exploit is successful, attackers can steal credentials and take control of the session.
CVE-2025-26466
The vulnerability CVE-2025-26466 in OpenSSH allows attackers to perform a denial-of-service (DoS) attack before authentication by exploiting asymmetric resource consumption of memory and CPU.
Initially, attackers exploit CVE-2025-26466 by sending a series of
SSH2_MSG_PINGpackets to the server. Each packet causes the server to create anSSH2_MSG_PONGpacket and store it in memory before sending it.By continuously sending requests, and if the number of
PINGpackets is large enough, the server's memory can be exhausted, leading to a denial of service.Besides consuming the victim's system memory, attackers also target the CPU.
After completing the key exchange process, the server processes the stored
SSH2_MSG_PONGpackets. This is done inefficiently, leading to a spike in CPU usage when handling a large number of packets, causing service disruption.
Signs to Recognize
Signs to Recognize CVE-2025-26465 Attack
Unusual SSH Connection:
Detect SSH connections coming from unknown IP addresses or those not on the trusted list.
Sudden spikes in SSH traffic or traffic appearing at unusual times.
Server Key Authentication Warning:
The SSH client shows a warning about a server key change when connecting to a familiar server.
Notifications about server key mismatches or requests to re-confirm the server key.
Suspicious Network Traffic:
Detect network traffic that appears to be blocked or redirected through unidentified intermediary devices.
The presence of unusual or unexpected packets during the SSH connection setup process.
Signs to Recognize CVE-2025-26466 Attack
Unusual use of system resources:
Detect sudden spikes in CPU and memory usage on the OpenSSH server without a clear reason.
The system becomes slow or unresponsive due to excessive resource consumption.
Suspicious Network Traffic:
A large number of
SSH2_MSG_PINGpackets appear from one or more unknown IP addresses, sent to the server in a short period of time.A sudden spike in SSH traffic without a corresponding increase in legitimate activity.
SSH Service Incident:
The SSH service frequently experiences issues, restarts, or stops working without a clear reason.
Administrators have difficulty connecting to or managing the server through SSH due to the unstable service.
Recommendations
CVE-2025-26465 - Man-in-the-Middle Attack
Update to OpenSSH 9.9p2 or later.
Disable
VerifyHostKeyDNSif it's not really necessary.Use manual SSH fingerprint to verify the server.
CVE-2025-26466 - Denial of Service Attack
Update to OpenSSH 9.9p2 or later.
Configure SSH connection limits using
MaxStartups,LoginGraceTime,PerSourcePenalties.Monitor SSH traffic to detect unusual behavior.
Conclusion
Security researchers have discovered two critical vulnerabilities in OpenSSH, allowing attackers to perform Man-in-the-Middle (MitM) and Denial of Service (DoS) attacks. These vulnerabilities pose serious risks to public SSH servers and systems using OpenSSH. Updating to the latest version and applying security measures will help reduce the risk of attacks.
