From https://marc.info/?l=oss-security&m=173986993304277&w=2:

```
CVE-2025-26465: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client
CVE-2025-26466: DoS attack against OpenSSH's client and server

[...]

We discovered two vulnerabilities in OpenSSH:

- The OpenSSH client is vulnerable to an active machine-in-the-middle
  attack if the VerifyHostKeyDNS option is enabled (it is disabled by
  default): when a vulnerable client connects to a server, an active
  machine-in-the-middle can impersonate the server by completely bypassing
  the client's checks of the server's identity.

  This attack against the OpenSSH client succeeds whether VerifyHostKeyDNS
  is "yes" or "ask" (it is "no" by default), without user interaction, and
  whether the impersonated server actually has an SSHFP resource record or
  not (an SSH fingerprint stored in DNS).

  This vulnerability was introduced in December 2014 (shortly before
  OpenSSH 6.8p1) by commit 5e39a49 ("Add RevokedHostKeys option for the
  client to allow text-file or KRL-based revocation of host keys").

  For more information on VerifyHostKeyDNS:

    https://man.openbsd.org/ssh_config#VerifyHostKeyDNS
    https://man.openbsd.org/ssh#VERIFYING_HOST_KEYS

  Note: although VerifyHostKeyDNS is disabled by default, it was enabled by
  default on FreeBSD (for example) from September 2013 to March 2023; for
  more information:

    https://cgit.freebsd.org/src/commit/?id=83c6a52
    https://cgit.freebsd.org/src/commit/?id=41ff5ea

- The OpenSSH client and server are vulnerable to a pre-authentication
  denial-of-service attack: an asymmetric resource consumption of both
  memory and CPU.

  This vulnerability was introduced in August 2023 (shortly before
  OpenSSH 9.5p1) by commit dce6d80 ("Introduce a transport-level ping
  facility").

  On the server side, this attack can be easily mitigated by mechanisms
  that are already built in OpenSSH: LoginGraceTime, MaxStartups, and more
  recently (OpenSSH 9.8p1 and newer) PerSourcePenalties; for more
  information:

    https://man.openbsd.org/sshd_config#LoginGraceTime
    https://man.openbsd.org/sshd_config#MaxStartups
    https://man.openbsd.org/sshd_config#PerSourcePenalties
```

Qualys advisory: https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt
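The quoted advisory names the settings that matter on each side: VerifyHostKeyDNS on the client, and LoginGraceTime, MaxStartups and PerSourcePenalties on the server. The following checker, an added example written for this page rather than code from Qualys, OpenSSH or Gentoo, parses ssh_config/sshd_config text with OpenSSH's "first value obtained wins" rule and reports settings that leave those mitigations weakened. The sample configurations it runs on are constructed; the upstream defaults it assumes when an option is absent (LoginGraceTime 120, MaxStartups 10:30:100, VerifyHostKeyDNS no) come from the sshd_config(5)/ssh_config(5) manuals, not from the advisory itself.

```python
"""Audit OpenSSH config text for the settings named in the advisory above.

Added example, not code from OpenSSH, Qualys or Gentoo. The sample
configurations at the bottom are constructed for illustration.
"""
import re
from typing import Dict, List


def parse_time(value: str) -> int:
    """Convert an sshd time value such as '120', '2m' or '1h30m' to seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    total = 0
    for num, unit in re.findall(r"(\d+)([smhdw]?)", value.lower()):
        total += int(num) * units.get(unit, 1)
    return total


def parse_openssh_config(text: str) -> Dict[str, str]:
    """Return the effective global options, keys lowercased.

    OpenSSH keeps the first value obtained for each option, so later
    duplicates are ignored. Options inside 'Match' blocks or host-specific
    'Host' blocks are conditional and are skipped; 'Host *' applies to every
    connection and is kept.
    """
    opts: Dict[str, str] = {}
    in_scope = True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            in_scope = value == "*"
            continue
        if key == "match":
            in_scope = False
            continue
        if in_scope and key not in opts:
            opts[key] = value
    return opts


def check_client(ssh_config: str) -> List[str]:
    """CVE-2025-26465: an unpatched client with VerifyHostKeyDNS 'yes' or
    'ask' can be impersonated by an active machine-in-the-middle.
    'no' is the upstream default (assumed when the option is absent)."""
    value = parse_openssh_config(ssh_config).get("verifyhostkeydns", "no").lower()
    if value in ("yes", "ask"):
        return [f"VerifyHostKeyDNS {value}: set it to 'no' until the client is patched"]
    return []


def check_server(sshd_config: str) -> List[str]:
    """CVE-2025-26466: report server settings that weaken the built-in
    pre-authentication resource limits the advisory points to."""
    opts = parse_openssh_config(sshd_config)
    findings: List[str] = []
    # Assumed upstream default: 120 seconds. 0 removes the timeout on
    # unauthenticated connections, so a peer can hold resources indefinitely.
    if parse_time(opts.get("logingracetime", "120")) == 0:
        findings.append("LoginGraceTime 0: unauthenticated connections never time out")
    # Assumed upstream default: 10:30:100 (start:rate:full). A bare number still
    # caps concurrent unauthenticated connections but has no random early drop.
    if ":" not in opts.get("maxstartups", "10:30:100"):
        findings.append("MaxStartups has no start:rate:full random early drop")
    # PerSourcePenalties exists from OpenSSH 9.8p1; 'no' turns it off entirely.
    if opts.get("persourcepenalties", "").lower() == "no":
        findings.append("PerSourcePenalties no: per-source penalties disabled")
    return findings


# Constructed samples, not taken from any real host.
CLIENT_VULNERABLE = """
Host *
    VerifyHostKeyDNS ask
"""
CLIENT_OK = """
VerifyHostKeyDNS no
Host jump.example
    VerifyHostKeyDNS yes
"""
SERVER_WEAK = """
Port 22
LoginGraceTime 0
MaxStartups 10
PerSourcePenalties no
Match User backup
    PasswordAuthentication no
"""
SERVER_OK = """
LoginGraceTime 30s
MaxStartups 10:30:60
PerSourcePenalties crash:90 authfail:5 noauth:1 max:600
"""

if __name__ == "__main__":
    for name, cfg, fn in [("client-vuln", CLIENT_VULNERABLE, check_client),
                          ("client-ok", CLIENT_OK, check_client),
                          ("server-weak", SERVER_WEAK, check_server),
                          ("server-ok", SERVER_OK, check_server)]:
        print(name, fn(cfg) or "no findings")
```

To audit a live host, feed the checker the text of /etc/ssh/ssh_config (plus ~/.ssh/config, which OpenSSH reads first) and /etc/ssh/sshd_config; for sshd, `sshd -T` prints the fully resolved configuration and is the more reliable input when Include directives are in use. Note that the checker only flags an explicitly weakened PerSourcePenalties setting, since the option is absent on releases older than 9.8p1.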
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa145683cb5792a032209c3d7620ea5440edb1d8

commit aa145683cb5792a032209c3d7620ea5440edb1d8
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2025-02-18 12:38:45 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-02-18 12:38:45 +0000

    net-misc/openssh: add 9.9_p2

    Bug: https://bugs.gentoo.org/949904
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/openssh/Manifest              |   2 +
 net-misc/openssh/openssh-9.9_p2.ebuild | 442 +++++++++++++++++++++++++++++++++
 2 files changed, 444 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=63a2f7c864a9645cc635ef4b997fae8953742475

commit 63a2f7c864a9645cc635ef4b997fae8953742475
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2025-02-18 23:20:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-02-18 23:21:01 +0000

    [ GLSA 202502-01 ] OpenSSH: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/949904
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202502-01.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)