The maintainers of OpenSSH have addressed a number of security vulnerabilities with the release of version 9.2.
One of the issues addressed by the maintainers is a memory safety bug in the OpenSSH server (sshd) tracked as CVE-2023-25136.
The vulnerability can be potentially exploited by a remote attacker to execute arbitrary code on the target system. The root cause of the flaw is a boundary error within the sshd(8) daemon.
“A remote non-authenticated attacker can send specially crafted data to the application, trigger a double free error and execute arbitrary code on the target system.” reads the advisory.
The pre-authentication double-free memory fault was introduced in the release OpenSSH 9.1. The release note published by the maintainers pointed out that this issue is not believed to be exploitable.
“OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration; however, the vulnerability discoverer reports that “exploiting this vulnerability will not be easy.”” reads the description for this vulnerability.
The vendor believes exploitation of this vulnerability has limitations.
“This is not believed to be exploitable, and it occurs in the unprivileged pre-auth process that is subject to chroot(2) and is further sandboxed on most major platforms.” reads the release note.
The flaw was reported to OpenSSH in July 2022 by the researcher Mantas Mikulenas.
“The exposure occurs in the chunk of memory freed twice, the “options.kex_algorithms”. The first time it was freed was via do_ssh2_kex(), which calls compat_kex_proposal(). In the case where the compatibility bit “SSH_BUG_CURVE25519PAD” is not set and the compatibility bit “SSH_OLD_DHGEX” is set, “options.kex_algorithms” becomes a dangling pointer after being freed. This results in the memory being freed a second time via kex_assemble_names() with “listp” equal to “&options.kex_algorithms”.” reads the post published by Qualys.
Users are recommended to update to OpenSSH 9.2 to address the issues fixed with this release.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, encryption)
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…
The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their…
A cyber attack on Leicester City Council resulted in certain street lights remaining illuminated all…
The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting…
The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the…
This website uses cookies.