Conversation

Notices

1. Embed this notice
   Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 19-Feb-2025 18:07:04 JST Kevin Beaumont

   Qualys dropped another two OpenSSH vulns this week - CVE-2025-26465 & CVE-2025-26466

   I don’t think either are bad, you should keep calm and patch as per usual.

   The first one needs a non-default config, and PoC for the second also uses a non-default config. Neither are RCE and I doubt will ever see in the wild exploitation.

   Blog: https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466

   Proof of concept: https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt

   • Embed this notice
     David Wong (david_wong@cyberplace.social)'s status on Wednesday, 19-Feb-2025 21:30:09 JST David Wong

     in reply to

     @GossiTheDog All FreeBSD distros arent vulnerable by default, so PFSense, OPNSense and others are fine, but what about previous distros with ` VerifyHostKeyDNS ` set to "yes" ?

   • Embed this notice
     Stanislav Ochotnický (drizzy@cyberplace.social)'s status on Thursday, 20-Feb-2025 06:45:08 JST Stanislav Ochotnický

     in reply to

     @GossiTheDog I sort of wonder why anyone would expose their ssh to the internet these days instead of putting it behind wireguard or other VPN. Then again I also wonder what's the point of all those insecure enterprise firewall products ...