OpenSSH addressed a new pre-auth double free vulnerability

The maintainers of OpenSSH addressed multiple security issues, including a memory safety bug in the OpenSSH server (sshd).

The maintainers of OpenSSH have addressed a number of security vulnerabilities with the release of version 9.2.


One of the issues addressed by the maintainers is a memory safety bug in the OpenSSH server (sshd) tracked as CVE-2023-25136.

The vulnerability can potentially be exploited by a remote attacker to execute arbitrary code on the target system. The root cause of the flaw is a boundary error within the sshd(8) daemon.


“A remote non-authenticated attacker can send specially crafted data to the application, trigger a double free error and execute arbitrary code on the target system.” reads the advisory.

The pre-authentication double-free memory fault was introduced in the OpenSSH 9.1 release. The release note published by the maintainers pointed out that this issue is not believed to be exploitable.


“OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration; however, the vulnerability discoverer reports that “exploiting this vulnerability will not be easy.”” reads the description for this vulnerability.

The vendor believes exploitation of this vulnerability has limitations.


“This is not believed to be exploitable, and it occurs in the unprivileged pre-auth process that is subject to chroot(2) and is further sandboxed on most major platforms.” reads the release note.

The flaw was reported to OpenSSH in July 2022 by the researcher Mantas Mikulenas.


“The exposure occurs in the chunk of memory freed twice, the “options.kex_algorithms”. The first time it was freed was via do_ssh2_kex(), which calls compat_kex_proposal(). In the case where the compatibility bit “SSH_BUG_CURVE25519PAD” is not set and the compatibility bit “SSH_OLD_DHGEX” is set, “options.kex_algorithms” becomes a dangling pointer after being freed. This results in the memory being freed a second time via kex_assemble_names() with “listp” equal to “&options.kex_algorithms”.” reads the post published by Qualys.
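The bug class Qualys describes is an ownership mistake: one stage frees the buffer behind options.kex_algorithms but leaves the field pointing at it, and a later stage frees it again through listp. The following is an added example, not OpenSSH code and not the article's own: a simplified, hypothetical model of the two stages (filter, then assemble) in which every replacement goes through the single owning pointer, so the old buffer is freed exactly once and no dangling alias survives. The function names, the filtered algorithm name and the default appended by the second stage are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of the options.kex_algorithms ownership
 * problem. Names only loosely mirror the OpenSSH functions named in the text;
 * none of this is OpenSSH code. */

struct options {
    char *kex_algorithms;   /* heap-owned, comma-separated algorithm list */
};

/* Return a newly allocated copy of 'list' with every entry equal to 'drop'
 * removed. Never frees its input: the caller keeps ownership of 'list'. */
static char *filter_names(const char *list, const char *drop)
{
    char *out = calloc(strlen(list) + 1, 1);   /* output is never longer */
    char *work = strdup(list);                  /* strtok needs a writable copy */
    if (out == NULL || work == NULL) { free(out); free(work); return NULL; }
    for (char *tok = strtok(work, ","); tok != NULL; tok = strtok(NULL, ",")) {
        if (strcmp(tok, drop) == 0) continue;
        if (out[0] != '\0') strcat(out, ",");
        strcat(out, tok);
    }
    free(work);
    return out;
}

/* Replace the list through its single owning pointer: the old buffer is
 * freed exactly once and the owner immediately points at the new one. */
static void replace_names(char **listp, char *newlist)
{
    free(*listp);
    *listp = newlist;
}

/* Stage 1: compatibility adjustment. In the buggy shape this stage freed the
 * old list but left the options field pointing at the freed memory. */
static int compat_adjust(struct options *o, int old_dhgex)
{
    if (!old_dhgex) return 0;
    char *filtered = filter_names(o->kex_algorithms,
                                  "diffie-hellman-group-exchange-sha256");
    if (filtered == NULL) return -1;
    replace_names(&o->kex_algorithms, filtered);
    return 0;
}

/* Stage 2: assemble the final list, again through listp. With the discipline
 * above this is a second *replacement*, not a second free of the same buffer. */
static int assemble_names(char **listp, const char *always_add)
{
    size_t n = strlen(*listp) + strlen(always_add) + 2;
    char *out = malloc(n);
    if (out == NULL) return -1;
    snprintf(out, n, "%s,%s", *listp, always_add);
    replace_names(listp, out);
    return 0;
}

/* Run both stages on a constructed list; the caller frees the result once. */
char *negotiate_kex(const char *initial, int old_dhgex)
{
    struct options o = { .kex_algorithms = strdup(initial) };
    if (o.kex_algorithms == NULL) return NULL;
    if (compat_adjust(&o, old_dhgex) != 0 ||
        assemble_names(&o.kex_algorithms, "diffie-hellman-group14-sha256") != 0) {
        free(o.kex_algorithms);
        return NULL;
    }
    return o.kex_algorithms;
}

int main(void)
{
    char *r = negotiate_kex("curve25519-sha256,diffie-hellman-group-exchange-sha256", 1);
    if (r == NULL) return 1;
    printf("%s\n", r);
    free(r);
    return 0;
}
```

The point of the model is the alias discipline: a function that frees a buffer must also overwrite the pointer it was reached through, and no caller may keep a second copy of that pointer across the call. Building with `-fsanitize=address` is the practical check for the failure mode described above; AddressSanitizer reports a double free at the second `free()` together with the stack of the first one.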

Users are recommended to update to OpenSSH 9.2 to address the issues fixed with this release.

Pierluigi Paganini (SecurityAffairs – hacking, encryption)
