March 18, 2025
RE: OpenSSH: CVE-2025-26465 & CVE-2025-26466 Vulnerability and Implications for INSIGHT DLP Appliances
Dear INSIGHT Appliance Customer:
As you may be aware, in late February 2025, researchers identified critical vulnerabilities in OpenSSH: CVE-2025-26465 and CVE-2025-26466.
CVE-2025-26465 is a vulnerability in OpenSSH that applies when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legitimate server. The issue arises because OpenSSH mishandles error codes under specific conditions while verifying the host key. For the attack to succeed, the attacker must first exhaust the client's memory resources, which makes the attack complexity high.
Affected OpenSSH versions:
- OpenSSH versions 6.8p1 through 9.9p1 are vulnerable to CVE-2025-26465; the flaw was introduced in December 2014.
CVE-2025-26466 is a flaw in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packets; it is only freed once the server/client key exchange has finished. A malicious client may keep sending such packets, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service.
Affected OpenSSH versions:
- OpenSSH versions 9.5p1 through 9.9p1 are vulnerable to CVE-2025-26466; the flaw was introduced in August 2023.
The INSIGHT Development and Security teams have investigated these vulnerabilities and their potential impact on INSIGHT Appliances, Symantec Data Loss Prevention (DLP), and the Oracle Database. The INSIGHT Appliances, Symantec DLP, and the Oracle Database do not enable VerifyHostKeyDNS by default, and they use versions of OpenSSH that are not affected by CVE-2025-26466. Please note that these vulnerabilities do not affect or impact the INSIGHT Appliances, Symantec DLP, or the Oracle Database.
- IDACT 3.x uses openssh-7.4p1-x
- IDACT 4.x uses openssh-8.0p1-x
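The following POSIX shell script is an added triage example and is not part of this advisory or of the INSIGHT software. It applies the two affected version ranges stated above to an OpenSSH version string (the form printed by `ssh -V` or recorded as a package name such as openssh-8.0p1-x) and checks whether an effective client configuration, as printed by `ssh -G <host>`, turns on VerifyHostKeyDNS, which is the precondition for CVE-2025-26465. The version strings and the configuration text in the script are constructed for illustration; the `sample_config` variable and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original advisory: classify an OpenSSH
# version string against the affected ranges the advisory lists, and check
# whether a client configuration enables VerifyHostKeyDNS (the precondition
# for CVE-2025-26465). All inputs below are constructed for illustration.

# openssh_version_key VERSION
# Prints major*10000 + minor*100 + patchlevel for strings such as
# "OpenSSH_9.9p1", "openssh-8.0p1-x" or "9.5p1"; fails if unparsable.
openssh_version_key() {
    ver=$(printf '%s' "$1" | sed 's/^[^0-9]*//' \
        | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\{0,1\}\([0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    major=$1; minor=$2; patch=${3:-0}
    echo $((major * 10000 + minor * 100 + patch))
}

# cve_2025_26465_status VERSION
# "affected" for 6.8p1 through 9.9p1 (range stated in the advisory);
# note that exploitation additionally requires VerifyHostKeyDNS to be on.
cve_2025_26465_status() {
    key=$(openssh_version_key "$1") || { echo "unknown"; return; }
    if [ "$key" -ge 60801 ] && [ "$key" -le 90901 ]; then
        echo "affected"
    else
        echo "not affected"
    fi
}

# cve_2025_26466_status VERSION
# "affected" for 9.5p1 through 9.9p1 (range stated in the advisory).
cve_2025_26466_status() {
    key=$(openssh_version_key "$1") || { echo "unknown"; return; }
    if [ "$key" -ge 90501 ] && [ "$key" -le 90901 ]; then
        echo "affected"
    else
        echo "not affected"
    fi
}

# verifyhostkeydns_enabled CONFIG_TEXT
# CONFIG_TEXT is the effective client configuration, e.g. the output of
# `ssh -G somehost` (one "keyword value" per line). Prints "yes" when
# VerifyHostKeyDNS is set to anything other than the default "no".
verifyhostkeydns_enabled() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "verifyhostkeydns" {
            r = (tolower($2) == "no") ? "no" : "yes"; print r; found = 1; exit
        }
        END { if (!found) print "no" }'
}

# Demonstration on constructed inputs (the first two mirror the IDACT
# package versions named in the advisory).
for v in openssh-7.4p1-x openssh-8.0p1-x OpenSSH_9.9p1 OpenSSH_9.9p2; do
    printf '%-18s CVE-2025-26465: %-12s CVE-2025-26466: %s\n' "$v" \
        "$(cve_2025_26465_status "$v")" "$(cve_2025_26466_status "$v")"
done

# Constructed stand-in for `ssh -G somehost` output with the option turned on.
sample_config='hostname example.internal
verifyhostkeydns yes
stricthostkeychecking ask'
echo "VerifyHostKeyDNS enabled in sample config: $(verifyhostkeydns_enabled "$sample_config")"
```

On a real host, feed it `ssh -V 2>&1` (the version goes to stderr) and `ssh -G somehost`. Treat the result as first-pass triage only: distribution packages such as the openssh-7.4p1-x and openssh-8.0p1-x builds named above commonly carry backported fixes that the upstream version number does not reveal, so the package changelog or the vendor's statement, as given in this advisory, is what settles exposure.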
============================================================
Additional articles for your reference: