Multiple vulnerabilities in OpenSSH (Feb. 2025)

[German] Security researchers at the Qualys Threat Research Unit (TRU) have discovered two vulnerabilities in OpenSSH. In addition, an advisory on another vulnerability, this one in OpenSSL, was published on February 11, 2025. OpenSSL 3.4, 3.3 and 3.2 are affected by that issue; fixed OpenSSL releases are available.



What is OpenSSH?

OpenSSH is a free and open-source implementation of the Secure Shell (SSH) protocol that enables encrypted communication and file transfer over insecure networks. It is widely used on Unix-like systems (including Linux and macOS) and many other modern operating systems and replaces plain-text protocols such as Telnet and FTP with secure remote login, file transfer, port forwarding and tunneling. The package implements SSH including the SSH File Transfer Protocol (SFTP) and ships a client, utilities and a server.

Vulnerability CVE-2024-12797 in OpenSSL

The security advisory OpenSSL: RFC7250 handshakes with unauthenticated servers don't abort as expected (CVE-2024-12797) was published on Openwall on February 11, 2025.

Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may not realize that the server has not been authenticated, because the handshake is not aborted as expected even when the SSL_VERIFY_PEER verification mode is set.

TLS and DTLS connections that use Raw Public Keys (RPKs) can be vulnerable to man-in-the-middle attacks if the client does not notice that server authentication failed. RPKs are disabled by default in both TLS clients and TLS servers. The problem only occurs when a TLS client explicitly enables the use of RPKs by the server and the server actually sends an RPK instead of an X.509 certificate chain. The affected clients are those that set the verification mode to SSL_VERIFY_PEER and then rely on the handshake failing when the server's RPK does not match one of the expected public keys, according to the security advisory.

Clients that enable server-side RPKs can still detect that key verification failed by calling SSL_get_verify_result() after the handshake and acting on a result other than X509_V_OK; relying on the handshake alone is what the vulnerable pattern looks like. The issue was introduced with the original implementation of RPK support in OpenSSL 3.2 and was reported by Apple Inc. on December 18, 2024.



Affected are OpenSSL versions 3.4, 3.3 and 3.2. Not affected are OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2, nor the FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0. Fixed releases are available:

  • Users of OpenSSL 3.4 should upgrade to OpenSSL 3.4.1
  • Users of OpenSSL 3.3 should upgrade to OpenSSL 3.3.3
  • Users of OpenSSL 3.2 should upgrade to OpenSSL 3.2.4

The fix was developed by Viktor Dukhovni. The advisory can be viewed as a text version here. Hunter points out the vulnerability in the following post from February 12, 2025, noting that over 71 million OpenSSH services were found exposed.


OpenSSH vulnerabilities CVE-2025-26465 & CVE-2025-26466

The Qualys Threat Research Unit (TRU) has discovered the two vulnerabilities CVE-2025-26465 and CVE-2025-26466 in OpenSSH.

  • CVE-2025-26465 allows an active man-in-the-middle attack on the OpenSSH client if the VerifyHostKeyDNS option is enabled.
  • CVE-2025-26466 affects both the OpenSSH client and the server and enables a pre-authentication denial of service attack.

The attack on the OpenSSH client (CVE-2025-26465) succeeds regardless of whether the VerifyHostKeyDNS option is set to "yes" or "ask" (the default is "no"), requires no user interaction and does not depend on an SSHFP resource record (an SSH fingerprint) existing in DNS.

VerifyHostKeyDNS is an OpenSSH client configuration option that lets the SSH client look up and verify a server's host key via DNS records (SSHFP records).

The vulnerability was introduced in December 2014, shortly before the release of OpenSSH 6.8p1. Although VerifyHostKeyDNS is disabled by default, it was enabled by default on FreeBSD from September 2013 to March 2023.

The OpenSSH client and server are vulnerable (CVE-2025-26466) to a pre-authentication denial of service attack, an asymmetric consumption of memory and CPU resources, that was introduced in August 2023 (shortly before the release of OpenSSH 9.5p1). On the server side, the attack can be mitigated with existing mechanisms in OpenSSH such as LoginGraceTime, MaxStartups and the newer PerSourcePenalties. The following OpenSSH versions are affected:

  • OpenSSH versions 6.8p1 to 9.9p1 are vulnerable to CVE-2025-26465, introduced in December 2014.
  • OpenSSH versions 9.5p1 to 9.9p1 are vulnerable to CVE-2025-26466, introduced in August 2023.

OpenSSH 9.9p2 fixes both vulnerabilities. It is strongly recommended to update affected systems to 9.9p2 as soon as possible.
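The version ranges and settings named in the two advisories above (the OpenSSL 3.2/3.3/3.4 fix releases, the OpenSSH 6.8p1 to 9.9p1 and 9.5p1 to 9.9p1 ranges, the VerifyHostKeyDNS client option and the server-side LoginGraceTime/MaxStartups/PerSourcePenalties knobs) lend themselves to a quick offline audit. The POSIX shell script below is an added example, not code from the original post or from the OpenSSL or OpenSSH projects. The fix-version mapping (OpenSSL 3.4.1, 3.3.3, 3.2.4; OpenSSH 9.9p2) is taken from the advisories; the `ssh -V` banner, the `ssh -G` output and the sshd_config fragment it checks are constructed sample inputs. On a real host you would feed it the second field of `openssl version`, the output of `ssh -V 2>&1` and `ssh -G <host>`, and the contents of sshd_config.

```shell
#!/bin/sh
# Added example: offline version/config checks for CVE-2024-12797 (OpenSSL)
# and CVE-2025-26465 / CVE-2025-26466 (OpenSSH). Not code from the original
# post or from the OpenSSL/OpenSSH projects. Sample inputs are constructed.

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B. Dotted numeric versions;
# an OpenSSH patch level ("p1") is folded in as an extra numeric component,
# so 9.9p1 < 9.9p2 and 6.8p1 > 6.7p1. Missing components count as 0.
vercmp() {
    printf '%s\n%s\n' "$1" "$2" | tr 'p' '.' | awk -F. '
        NR == 1 { for (i = 1; i <= 4; i++) a[i] = $i + 0 }
        NR == 2 {
            for (i = 1; i <= 4; i++) {
                b = $i + 0
                if (a[i] < b) { print -1; exit }
                if (a[i] > b) { print  1; exit }
            }
            print 0
        }'
}

# openssl_needs_update VERSION: succeeds and prints the release carrying the
# CVE-2024-12797 fix when VERSION is an affected 3.2/3.3/3.4 build; fails for
# already patched builds and for the unaffected 3.1/3.0/1.1.1/1.0.2 lines.
openssl_needs_update() {
    case "$1" in
        3.4|3.4.*) fix=3.4.1 ;;
        3.3|3.3.*) fix=3.3.3 ;;
        3.2|3.2.*) fix=3.2.4 ;;
        *) return 1 ;;
    esac
    if [ "$(vercmp "$1" "$fix")" -lt 0 ]; then echo "$fix"; return 0; fi
    return 1
}

# openssh_version BANNER: extracts "9.6p1" from the banner `ssh -V 2>&1`
# prints, e.g. "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 ...".
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9.p]*\).*/\1/p'
}

# openssh_cves BANNER: prints the advisory CVEs that apply to the version in
# BANNER (6.8p1..9.9p1 -> CVE-2025-26465, 9.5p1..9.9p1 -> CVE-2025-26466);
# fails with no output for 9.9p2 and later, for pre-6.8p1, or if no banner.
openssh_cves() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || return 1
    [ "$(vercmp "$v" 9.9p2)" -lt 0 ] || return 1
    out=""
    [ "$(vercmp "$v" 6.8p1)" -ge 0 ] && out="CVE-2025-26465"
    [ "$(vercmp "$v" 9.5p1)" -ge 0 ] && out="${out:+$out }CVE-2025-26466"
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# verifyhostkeydns_exposed SSH_G_OUTPUT: succeeds when the effective client
# config (as printed by `ssh -G <host>`, lowercase keywords) has
# VerifyHostKeyDNS "yes" or "ask", the precondition for CVE-2025-26465.
verifyhostkeydns_exposed() {
    val=$(printf '%s\n' "$1" |
          awk 'tolower($1) == "verifyhostkeydns" { print tolower($2) }')
    case "$val" in yes|ask) return 0 ;; *) return 1 ;; esac
}

# sshd_dos_mitigations_present SSHD_CONFIG_TEXT: succeeds when the config
# sets all three rate-limiting options the advisory names as server-side
# mitigations for the CVE-2025-26466 pre-auth resource exhaustion.
sshd_dos_mitigations_present() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        tolower($1) == "logingracetime"     { g = 1 }
        tolower($1) == "maxstartups"        { m = 1 }
        tolower($1) == "persourcepenalties" { p = 1 }
        END { exit !(g && m && p) }'
}

# --- constructed sample inputs (not captured from a real host) ---
SAMPLE_SSH_BANNER="OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024"
SAMPLE_SSH_G="user alice
hostname bastion.example.org
verifyhostkeydns ask
stricthostkeychecking ask"
SAMPLE_SSHD_CONFIG="# hardened fragment (constructed)
LoginGraceTime 30
MaxStartups 10:30:100
PerSourcePenalties noauth:1s grace-exceeded:20s max:10m"

if fix=$(openssl_needs_update 3.3.2); then
    echo "OpenSSL 3.3.2: affected by CVE-2024-12797, upgrade to $fix"
fi
if cves=$(openssh_cves "$SAMPLE_SSH_BANNER"); then
    echo "$SAMPLE_SSH_BANNER: affected by $cves, upgrade to 9.9p2"
fi
verifyhostkeydns_exposed "$SAMPLE_SSH_G" &&
    echo "client: VerifyHostKeyDNS is yes/ask, set it to no until patched"
sshd_dos_mitigations_present "$SAMPLE_SSHD_CONFIG" &&
    echo "server: LoginGraceTime/MaxStartups/PerSourcePenalties are set"
```

Two caveats for real use: distribution packages frequently backport fixes without bumping the upstream version in the banner, so a version match is a reason to check the package changelog rather than a final verdict; and the OpenSSL check only tells you the library is in the affected range, whereas CVE-2024-12797 additionally requires a client that has enabled server RPKs, which the version string cannot reveal.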

