OpenSSH addressed a new pre-auth double free vulnerability

The maintainers of OpenSSH address multiple security issues, including a memory safety bug in the OpenSSH server (sshd).

The maintainers of OpenSSH have addressed a number of security vulnerabilities with the release of version 9.2.

One of the issues addressed by the maintainers is a memory safety bug in the OpenSSH server (sshd) tracked as CVE-2023-25136.

The vulnerability can be potentially exploited by a remote attacker to execute arbitrary code on the target system. The root cause of the flaw is a boundary error within the sshd(8) daemon.

“A remote non-authenticated attacker can send specially crafted data to the application, trigger a double free error and execute arbitrary code on the target system.” reads the advisory.

The pre-authentication double-free memory fault was introduced in the release OpenSSH 9.1. The release note published by the maintainers pointed out that this issue is not believed to be exploitable.

“OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration; however, the vulnerability discoverer reports that “exploiting this vulnerability will not be easy.”” reads the description for this vulnerability.

The vendor believes exploitation of this vulnerability has limitations.

“This is not believed to be exploitable, and it occurs in the unprivileged pre-auth process that is subject to chroot(2) and is further sandboxed on most major platforms.” reads the release note.

The flaw was reported to OpenSSH in July 2022 by the researcher Mantas Mikulenas.

“The exposure occurs in the chunk of memory freed twice, the “options.kex_algorithms”. The first time it was freed was via do_ssh2_kex(), which calls compat_kex_proposal(). In the case where the compatibility bit “SSH_BUG_CURVE25519PAD” is not set and the compatibility bit “SSH_OLD_DHGEX” is set, “options.kex_algorithms” becomes a dangling pointer after being freed. This results in the memory being freed a second time via kex_assemble_names() with “listp” equal to “&options.kex_algorithms”.” reads the post published by Qualys. 

Users are recommended to update to OpenSSH 9.2 to address the issues fixed with this release.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, encryption)