Researchers have found two critical vulnerabilities in sslh, a popular protocol demultiplexer that allows multiple services to share the same network port.
The vulnerabilities, disclosed on June 13, 2025, could enable remote attackers to trigger denial-of-service (DoS) conditions, potentially crashing servers and disrupting services.
The vulnerabilities affect sslh versions prior to v2.2.4, which contains patches for both issues.
The first vulnerability (CVE-2025-46807) affects the sslh-select and sslh-ev implementations, which fail to properly handle file descriptor exhaustion scenarios.
Researchers found that when handling UDP connections, sslh only checks timeouts during network activity, allowing connection descriptors to remain open indefinitely.
An attacker can exploit this by creating numerous UDP sessions until the default limit of 1024 file descriptors is reached.
“When the file descriptor limit is encountered, sslh crashes with a segmentation fault, as it attempts to dereference new_cnx, which is a NULL pointer in this case,” the report states.
Researchers demonstrated the vulnerability by testing the OpenVPN probe configured for UDP, sending multiple connections with a single 0x08 byte.

The issue has been fixed in commit ff8206f7c, included in the v2.2.4 release, though researchers note that UDP sockets may still remain open longer than necessary.
Critical SSLH Vulnerabilities
The second critical vulnerability (CVE-2025-46806) involves misaligned memory accesses in the OpenVPN protocol probe.
The bug occurs in the UDP code path of is_openvpn_protocol() where the code attempts to dereference a uint32_t* pointer to memory located 25 bytes after the start of the heap-allocated network buffer.
While this issue might not cause problems on x86_64 architectures, it triggers SIGBUS errors on platforms like ARM, creating an effective remote DoS attack vector.
Researchers reproduced the vulnerability by sending a sequence of at least 29 0x08 bytes, which triggered alignment errors.
The fix, implemented in commit 204305a88fb3, uses memcpy() to safely copy integer data into a local stack variable instead of directly dereferencing pointers into raw network data.
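The memcpy() approach described above, shown as an added C example that is not sslh's own code. The helper name read_u32_unaligned and the sample packet are assumptions made for illustration; the offset of 25 bytes comes from the report, and 25 + 4 = 29 matches the 29-byte reproduction length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From the article: the 32-bit read started 25 bytes into the buffer. */
#define FIELD_OFFSET 25

/* Pattern the article describes as the bug (comment only, never executed):
 *     uint32_t v = *(const uint32_t *)(buf + FIELD_OFFSET);
 * buf + 25 is not 4-byte aligned, so strict-alignment CPUs can raise SIGBUS. */

/* Hypothetical helper: copy a 32-bit field out of raw packet bytes.
 * Returns 0 on success, -1 if the packet is too short to hold the field. */
int read_u32_unaligned(const uint8_t *buf, size_t len, size_t off, uint32_t *out)
{
    /* Phrased so that off + sizeof(*out) cannot overflow. */
    if (len < sizeof(*out) || off > len - sizeof(*out))
        return -1;
    /* memcpy has no alignment requirement on its source pointer. */
    memcpy(out, buf + off, sizeof(*out));
    return 0;
}

int main(void)
{
    uint8_t pkt[64];                      /* constructed sample packet */
    uint32_t v = 0;
    memset(pkt, 0x08, sizeof(pkt));

    /* 28 bytes: the field at offset 25 would run past the end. */
    printf("len 28 -> %d\n", read_u32_unaligned(pkt, 28, FIELD_OFFSET, &v));
    /* 29 bytes: shortest packet that contains the whole field. */
    if (read_u32_unaligned(pkt, 29, FIELD_OFFSET, &v) == 0)
        printf("len 29 -> 0x%08x\n", (unsigned)v);
    return 0;
}
```

Building with -fsanitize=alignment (GCC or Clang) makes the commented-out cast report a misaligned load even on x86_64, which is a practical way to catch this class of bug before it reaches an ARM target.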
Mitigations
Beyond the two critical vulnerabilities, researchers identified several non-security-critical issues, including improper handling of short reads in TCP streams and potential false positive protocol detection.

The team noted that sslh is generally “in good shape” with limited attack surface and default hardenings in place.
For administrators running sslh in production environments, immediate updates to version 2.2.4 are recommended.
Users concerned about more complex DoS attacks should “consider customizing their setup to enforce resource consumption limits on operating system level,” according to the report.
The vulnerabilities were privately reported to sslh’s author on April 25, 2025, with fixes developed throughout May.
The patched version 2.2.4 was released on May 28, 2025, approximately two weeks before public disclosure.
Sslh is commonly used to serve multiple protocols (such as SSL and SSH) on the same port, making it a popular tool for bypassing corporate firewall restrictions by routing various services through port 443.




