CVE-2023-25136 — Double Free in Openssh

CWE-415 — Double Free CWE-401 — Missing Release of Memory after Effective Lifetime11 documents10 sources

Severity

6.5MEDIUMNVD

EPSS

88.3%

top 0.50%

CISA KEV

Not in KEV

Exploit

Exploited in wild

Active exploitation observed

Affected products

Openbsd Openssh Fedoraproject Fedora

Timeline

PublishedFeb 3

Latest updateApr 15

Description

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:HExploitability: 2.2 | Impact: 4.2

Affected Packages2 packages

▶Debianopenbsd/openssh< 1:9.2p1-1+2

▶NVDopenbsd/openssh9.1

Also affects: Fedora 37, 38

Patches

Patch: ftp.openbsd.org ↗Patch: github.com ↗Patch: ftp.openbsd.org ↗

🔴Vulnerability Details

GHSA

GHSA-w62j-g234-3f6f: OpenSSH server (sshd) 9↗2023-02-03

▶

CVEList

CVE-2023-25136: OpenSSH server (sshd) 9↗2023-02-03

▶

OSV

CVE-2023-25136: OpenSSH server (sshd) 9↗2023-02-03

▶

📋Vendor Advisories

Oracle

Oracle Oracle HealthCare Applications Risk Matrix: DataStudio (OpenSSH) — CVE-2023-25136↗2023-04-15

▶

BSD

FreeBSD-SA-23:02.openssh: OpenSSH pre-authentication double free↗2023-02-16

▶

Microsoft

▶

Red Hat

openssh: the functions order_hostkeyalgs() and list_hostkey_types() leads to double-free vulnerability↗2023-02-03

▶

Debian

CVE-2023-25136: openssh - OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options....↗2023

▶

🕵️Threat Intelligence

Qualys

CVE-2023-25136: Pre-Auth Double Free Vulnerability in OpenSSH Server 9.1 | Qualys↗2023-02-03

▶