CVE-2025-26465
📋 TL;DR
This OpenSSH client vulnerability allows machine-in-the-middle attacks when the client option VerifyHostKeyDNS is set to "yes" or "ask" (the default is "no"). A logic error in the client's host key verification mishandles an error return, so an attacker who can also drive the client into a memory-allocation failure can make it accept a host key it should reject and impersonate the legitimate server. Portable OpenSSH 6.8p1 through 9.9p1 is affected; 9.9p2 fixes it. Only systems whose SSH client has VerifyHostKeyDNS enabled are exposed.
💻 Affected Systems
- OpenSSH client (ssh), portable releases 6.8p1 through 9.9p1; fixed in 9.9p2 and in distribution backports
- Products that bundle the OpenSSH client, such as NetApp ONTAP (see the NetApp advisory in the references)
📦 What is this software?
Ontap by Netapp
Openssh by Openbsd
⚠️ Risk & Real-World Impact
Worst Case
An attacker positioned between a client and its server impersonates the server, and the client accepts the forged host key without warning. From there the attacker can capture credentials typed into the session, read and alter session traffic, and relay the connection to the real server.
Likely Case
Limited exploitation: the attacker needs a network position between client and server and must first force the client into an out-of-memory condition during host key verification, which makes the attack complex and resource-intensive. Targeted attacks against high-value clients (for example, administrators who enabled VerifyHostKeyDNS, or platforms that shipped it enabled) remain plausible.
If Mitigated
Minimal impact: with VerifyHostKeyDNS left at its default of "no" the vulnerable code path is never reached, and host keys are verified against known_hosts as usual. Network segmentation and monitoring reduce the opportunity for an attacker to obtain the required position in the path.
🎯 Exploit Status
The issue was reported by Qualys TRU (see the Qualys advisory in the references). The attack requires the client to run out of memory during host key verification before the mishandled error return can be abused, so exploitation is complex and resource-intensive; it works whether VerifyHostKeyDNS is "yes" or "ask" and does not require an SSHFP record to exist in DNS.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenSSH 9.9p2 upstream (affected: 6.8p1 through 9.9p1). Distributions backport the fix into older version numbers (see the RHSA, Debian and Ubuntu references), so the distribution package version, not the upstream number printed by ssh -V, decides whether a system is patched.
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-26465
Restart Required: No. The affected component is the ssh client binary; connections started after the update use the patched code. No sshd restart is needed for this CVE.
Instructions:
1. Update OpenSSH using your distribution's package manager.
2. For RHEL: sudo yum update openssh (or sudo dnf update openssh).
3. For Debian/Ubuntu: sudo apt update && sudo apt upgrade openssh-client openssh-server.
4. Verify the update completed successfully, for example by confirming the installed package version matches the one named in your distribution's advisory, or by checking that the package changelog mentions CVE-2025-26465.
🔧 Temporary Workarounds
Disable VerifyHostKeyDNS (client side)
Turns off DNS-based (SSHFP) host key verification, the only code path from which the bug is reachable. The option is already "no" by default, so the workaround amounts to making sure nothing has turned it on. ssh_config uses the first value obtained for each option, so a VerifyHostKeyDNS line only takes effect if no earlier line (or an Included drop-in file, which is read first on distributions whose ssh_config begins with Include /etc/ssh/ssh_config.d/*.conf) sets it; if the file ends in a Host or Match block, an appended line is scoped to that block only. Prefer adding the directive near the top of the file, and confirm the effective value afterwards with ssh -G <host> | grep -i verifyhostkeydns. Also check wrapper scripts and aliases for -o VerifyHostKeyDNS=yes, which overrides the files.
echo 'VerifyHostKeyDNS no' >> /etc/ssh/ssh_config
echo 'VerifyHostKeyDNS no' >> ~/.ssh/config
🧯 If You Can't Patch
- Disable VerifyHostKeyDNS in every client configuration (system-wide, per-user, and command-line options in scripts), then verify the effective value with ssh -G
- Rely on pinned host keys instead: pre-populate known_hosts with the servers' keys and set StrictHostKeyChecking yes so the client refuses unknown or changed keys
- Implement strict network controls on the paths clients use to reach SSH servers and monitor for unusual SSH connection patterns
🔍 How to Verify
Check if Vulnerable:
Show the effective client configuration for a host, which resolves Include files and Host/Match blocks: ssh -G example.com | grep -i verifyhostkeydns. A value of yes or ask means the client is exposed; no (the default) means the vulnerable code path is not reached. Searching the files directly, grep -r 'VerifyHostKeyDNS' /etc/ssh/ ~/.ssh/, finds explicit settings but does not tell you which one wins.
Check Version:
ssh -V
Affected upstream versions are 6.8p1 through 9.9p1; 9.9p2 and later are fixed.
Verify Fix Applied:
Check the OpenSSH version with ssh -V 2>&1 | grep -o 'OpenSSH_[0-9.p]*' and compare it with the patched version for your distribution. Distribution packages keep the old upstream number and carry the fix as a backport, so confirm through the package rather than the version string, e.g. rpm -q --changelog openssh-clients | grep CVE-2025-26465 on RHEL or apt-get changelog openssh-client | grep CVE-2025-26465 on Debian/Ubuntu.
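The version comparison and the effective-configuration check above, as one added shell example (not part of this advisory or of the OpenSSH project). It classifies a version string as printed by ssh -V against the affected range 6.8p1 to 9.9p1 and reads ssh -G output to decide whether VerifyHostKeyDNS is on. It assumes the portable "pN" suffix is present (native OpenBSD builds print none and are reported as unknown) and that ssh -G prints lowercase "verifyhostkeydns <value>" lines; distribution backports are not visible in the version string, so a "vulnerable" result still needs the package changelog check.

```shell
#!/bin/sh
# Added example for CVE-2025-26465 triage; not code from the advisory or from OpenSSH.

# openssh_version_status "<ssh -V output>" prints and returns:
#   vulnerable (exit 1) - upstream version within 6.8p1 .. 9.9p1 (backports not considered)
#   fixed      (exit 0) - 9.9p2 or later, or older than 6.8p1
#   unknown    (exit 2) - no portable "pN" suffix, cannot decide from the string
openssh_version_status() {
    # Extract "major minor patch" from e.g. "OpenSSH_9.9p1, OpenSSL 3.0.13 30 Jan 2024"
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || { echo unknown; return 2; }
    set -- $ver
    # Encode major.minor.patch as one comparable integer: 9.9p1 -> 9009001
    n=$(( $1 * 1000000 + $2 * 1000 + $3 ))
    if [ "$n" -ge 6008001 ] && [ "$n" -le 9009001 ]; then
        echo vulnerable
        return 1
    fi
    echo fixed
    return 0
}

# verifyhostkeydns_enabled reads `ssh -G <host>` output on stdin (the effective
# configuration after Include, Host and Match are applied) and succeeds when
# VerifyHostKeyDNS is "yes" or "ask", the two values that expose the client.
# Assumption: ssh -G prints the keyword in lowercase followed by its value.
verifyhostkeydns_enabled() {
    awk 'tolower($1) == "verifyhostkeydns" { v = tolower($2) }
         END { exit !(v == "yes" || v == "ask") }'
}

# Stand-alone use: ./check.sh --check [host]. Guarded so that sourcing the file
# for its functions does not invoke ssh.
if [ "${1:-}" = "--check" ]; then
    openssh_version_status "$(ssh -V 2>&1)"
    if ssh -G "${2:-localhost}" | verifyhostkeydns_enabled; then
        echo "VerifyHostKeyDNS is enabled for ${2:-localhost}: client exposed until patched"
    else
        echo "VerifyHostKeyDNS is off for ${2:-localhost}: vulnerable code path not reached"
    fi
fi
```

Run it as sh check.sh --check bastion.example.net on each client host, or source it and feed openssh_version_status with the version strings collected by your inventory tool.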
📡 Detection & Monitoring
Log Indicators:
- This is a client-side bug, so the real server's logs show nothing specific: the client is talking to the impersonating host. On client machines, look for ssh processes that exit with out-of-memory or allocation-failure errors during connection setup, since the attack needs the client to hit a memory failure while verifying the host key
- Unusual host key verification failures or warnings reported by users after the memory-exhaustion precondition is removed
Network Indicators:
- Unexpected SSH connections from client hosts to addresses other than the intended servers
- DNS queries for SSHFP records, the record type VerifyHostKeyDNS consults, identify clients that have the option enabled; SSHFP queries followed by SSH connection failures from the same client deserve a closer look
SIEM Query:
source="ssh" AND ("VerifyHostKeyDNS" OR "memory" OR "exhaust")
The query is a starting point only: "memory" and "exhaust" match many unrelated events, so scope it to client hosts and correlate with the SSHFP DNS indicator above.
🔗 References
- https://access.redhat.com/errata/RHSA-2025:16823
- https://access.redhat.com/errata/RHSA-2025:3837
- https://access.redhat.com/errata/RHSA-2025:6993
- https://access.redhat.com/errata/RHSA-2025:8385
- https://access.redhat.com/security/cve/CVE-2025-26465
- https://access.redhat.com/solutions/7109879
- https://bugzilla.redhat.com/show_bug.cgi?id=2344780
- https://seclists.org/oss-sec/2025/q1/144
- http://seclists.org/fulldisclosure/2025/Feb/18
- http://seclists.org/fulldisclosure/2025/May/7
- http://seclists.org/fulldisclosure/2025/May/8
- https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466
- https://bugzilla.suse.com/show_bug.cgi?id=1237040
- https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/008_ssh.patch.sig
- https://lists.debian.org/debian-lts-announce/2025/02/msg00020.html
- https://lists.mindrot.org/pipermail/openssh-unix-announce/2025-February/000161.html
- https://security-tracker.debian.org/tracker/CVE-2025-26465
- https://security.netapp.com/advisory/ntap-20250228-0003/
- https://ubuntu.com/security/CVE-2025-26465
- https://www.openssh.com/releasenotes.html#9.9p2
- https://www.openwall.com/lists/oss-security/2025/02/18/1
- https://www.openwall.com/lists/oss-security/2025/02/18/4
- https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos/
- https://www.vicarius.io/vsociety/posts/cve-2025-26465-detect-vulnerable-openssh
- https://www.vicarius.io/vsociety/posts/cve-2025-26465-mitigate-vulnerable-openssh