OpenSSH addressed a new pre-auth double free vulnerability

The maintainers of OpenSSH address multiple security issues, including a memory safety bug in the OpenSSH server (sshd).

The maintainers of OpenSSH have addressed a number of security vulnerabilities with the release of version 9.2.

One of the issues addressed by the maintainers is a memory safety bug in the OpenSSH server (sshd) tracked as CVE-2023-25136.

The vulnerability can be potentially exploited by a remote attacker to execute arbitrary code on the target system. The root cause of the flaw is a boundary error within the sshd(8) daemon.

“A remote non-authenticated attacker can send specially crafted data to the application, trigger a double free error and execute arbitrary code on the target system.” reads the advisory.

The pre-authentication double-free memory fault was introduced in the release OpenSSH 9.1. The release note published by the maintainers pointed out that this issue is not believed to be exploitable.

“OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration; however, the vulnerability discoverer reports that “exploiting this vulnerability will not be easy.”” reads the description for this vulnerability.

The vendor believes exploitation of this vulnerability has limitations.

“This is not believed to be exploitable, and it occurs in the unprivileged pre-auth process that is subject to chroot(2) and is further sandboxed on most major platforms.” reads the release note.

The flaw was reported to OpenSSH in July 2022 by the researcher Mantas Mikulenas.

“The exposure occurs in the chunk of memory freed twice, the “options.kex_algorithms”. The first time it was freed was via do_ssh2_kex(), which calls compat_kex_proposal(). In the case where the compatibility bit “SSH_BUG_CURVE25519PAD” is not set and the compatibility bit “SSH_OLD_DHGEX” is set, “options.kex_algorithms” becomes a dangling pointer after being freed. This results in the memory being freed a second time via kex_assemble_names() with “listp” equal to “&options.kex_algorithms”.” reads the post published by Qualys.

Users are recommended to update to OpenSSH 9.2 to address the issues fixed with this release.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, encryption)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.