CVE-2023-25136
Published: 2023-02-03
Priority: P2 62 · medium 6.5 · CVSS 3.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
ITW: Exploited in the wild
EPSS: 89.95% (99.8th percentile)
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | < openssh 1:9.2p1-1 (bookworm) | openssh 1:9.2p1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | cbl2_openssh_8.9p1-8_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_openssh_8.9p1-3_on_cbl_mariner_1.0 | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | >= 0 < 1:9.2p1-1 | 1:9.2p1-1 |
| openbsd | openssh | >= 0 < 1:9.2p1-1 | 1:9.2p1-1 |
| openbsd | openssh | >= 0 < 1:9.2p1-1 | 1:9.2p1-1 |
Detection & IOCs (extracted from sources)
- Monitor sshd stderr/logs for the 'free(): double free detected in tcache 2' error message, which indicates an exploitation attempt of CVE-2023-25136
- Monitor for ssh_sandbox_violation events triggered by unexpected system calls (seccomp SIGSYS) in the unprivileged sshd process, which may indicate double-free exploitation
- The vulnerability is only present in OpenSSH sshd version 9.1 (specifically 9.1p1); flag any systems running this exact version as affected
- The double free occurs pre-authentication via the kex_algorithms negotiation path; anomalous or malformed KEX_INIT packets from unauthenticated clients should be flagged
- Qualys detection: QID 38888 (IP scanning signature VULNSIGS-2.5.692-3) can be used to identify vulnerable OpenSSH 9.1 instances
- Modern memory allocators and sshd privilege separation/sandboxing significantly raise the bar for reliable exploitation beyond denial of service
- FreeBSD 12.3 and 13.1 ship older OpenSSH versions and are NOT affected; only FreeBSD 12.4 (which ships OpenSSH 9.1) is affected
- Red Hat Enterprise Linux 6, 7, and 8 are all listed as Not Affected, as they ship older OpenSSH versions
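One way to operationalise the first three detection items, as an added example that is not code from this page or any of its sources: a small Python scanner that runs over constructed sshd log lines for the two indicator strings, plus a banner check that flags exactly the 9.1 release. The log line format, the sample lines and the banner strings are assumptions constructed for the example.

```python
import re

# Constructed sample log lines (syslog-style sshd output, not captured from
# any real host). The two indicator strings are the ones named in the
# detection list; the surrounding text is an assumption.
SAMPLE_LOG = """\
Feb 03 10:12:01 host sshd[2311]: Connection from 192.0.2.10 port 51234 on 198.51.100.5 port 22
Feb 03 10:12:01 host sshd[2312]: free(): double free detected in tcache 2
Feb 03 10:12:02 host sshd[2315]: ssh_sandbox_violation: unexpected system call (seccomp SIGSYS)
Feb 03 10:12:05 host sshd[2320]: Accepted publickey for alice from 192.0.2.11 port 51235 ssh2
"""

# glibc's abort message for a tcache double free, and sshd's seccomp
# sandbox violation log, as listed under Detection & IOCs.
INDICATORS = {
    "double_free_abort": re.compile(r"free\(\): double free detected in tcache 2"),
    "sandbox_violation": re.compile(r"ssh_sandbox_violation"),
}
PID_RE = re.compile(r"sshd\[(\d+)\]")


def scan_sshd_log(text: str) -> list:
    """Return one finding (indicator name, sshd pid, raw line) per matching sshd line."""
    findings = []
    for line in text.splitlines():
        pid = PID_RE.search(line)
        if not pid:
            continue  # only lines emitted by an sshd process are of interest
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append({"indicator": name, "pid": int(pid.group(1)), "line": line})
    return findings


# Version banner as sent by the server: "SSH-2.0-OpenSSH_9.1p1 Debian-1" etc.
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)")


def banner_is_affected(banner: str) -> bool:
    """True only for the 9.1 release (9.1p1 in portable); 9.2 carries the fix.

    Caveat: a distribution that backported the fix without bumping the version
    would still match here, so treat a hit as a candidate, not a confirmation.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return False
    return (int(m.group(1)), int(m.group(2))) == (9, 1)
```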
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H |
| osv | 6.5 | MEDIUM | — |
| vendor_debian | 6.5 | MEDIUM | — |
| vendor_msrc | 6.5 | MEDIUM | — |
| vendor_oracle | 6.5 | MEDIUM | — |
| vendor_redhat | 6.5 | MEDIUM | — |
GHSA
GHSA-w62j-g234-3f6f · ghsa_unreviewed · 2023-02-03 · CRITICAL · CWE-415
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration; however, the vulnerability discoverer reports that "exploiting this vulnerability will not be easy."
OSV
CVE-2023-25136 · osv · 2023-02-03 · CVSS 6.5 MEDIUM (description identical to the NVD text above)
Oracle
Oracle HealthCare Applications Risk Matrix: DataStudio (OpenSSH) · vendor_oracle · 2023-04-15 · CVSS 6.5 MEDIUM
CVE: CVE-2023-25136
CVSS: 6.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2023 (APR 2023)
BSD
FreeBSD-SA-23:02.openssh: OpenSSH pre-authentication double free · bsd_advisories · 2023-02-16 · CVSS 6.5 MEDIUM
FreeBSD-SA-23:02.openssh Security Advisory
The FreeBSD Project
Topic: OpenSSH pre-authentication double free
Category: contrib
Module: openssh
Announced: 2023-02-16
Credits: Mantas Mikulenas
Affects: FreeBSD 12.4
Corrected: 2023-02-08 21:06:22 UTC (stable/13, 13.2-STABLE)
2023-02-08 21:07:30 UTC (stable/12, 12.4-STABLE)
2023-02-16 18:04:07 UTC (releng/12.4, 12.4-RELEASE-p2)
CVE Name: CVE-2023-25136
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
0. Revision History
v1.0 2023-02-16 -- Initial release
v1.1 2022-03-01 -- Corrected stable/13 Correction details
I. Background
OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticate
Microsoft
vendor_msrc · 2023-02-14 · CVSS 6.5 MEDIUM · CWE-415 (description identical to the NVD text above)
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this wor
Red Hat
openssh: the functions order_hostkeyalgs() and list_hostkey_types() lead to a double-free vulnerability · vendor_redhat · 2023-02-03 · CVSS 6.5 MEDIUM · CWE-401
A flaw was found in the OpenSSH server (sshd), which introduced a double-free vulnerability during options.kex_algorithms handling. An unauthenticated attacker can trigger the double-free in the default configuration.
Package: openssh (Red Hat Enterprise Linux 6) - Not affected
Package: openssh (Red Hat Enterprise Linux 7)
Debian
openssh · vendor_debian · 2023 · CVSS 6.5 MEDIUM (description identical to the NVD text above)
Scope: local
bookworm: resolved (fixed in 1:9.2p1-1)
bullseye: resolved
forky: resolved (fixed in 1:9.2p1-1)
sid: resolved (fixed in 1:9.2p1-1)
trixie: resolved (fixed in 1:9.2p1-1)
No detection rules found.
No public exploits indexed.
arXiv
Top of the Heap: Efficient Memory Error Protection of Safe Heap Objects
arxiv_fulltext · 2024-08-19
Authors: Kaiming Huang (Penn State University), Mathias Payer (EPFL), Zhiyun Qian (UC Riverside), Jack Sampson (Penn State University), Gang Tan (Penn State University), Trent Jaeger (Penn State University)
CCS concepts: Security and privacy; Software
Qualys
CVE-2023-25136: Pre-Auth Double Free Vulnerability in OpenSSH Server 9.1 | Qualys · blogs_qualys · 2023-02-03 · CVSS 6.5 MEDIUM
#### Table of Contents
- What is OpenSSH?
- Technical Details
- Qualys QID Coverage
- Conclusion
- Vendor References
OpenSSH, the widely used open-source implementation of the Secure Shell (SSH) protocol, recently released version 9.2 on 2023-02-02 to address a pre-authentication vulnerability in the OpenSSH server version 9.1. This specific version of the OpenSSH server, which was released in October 2022, was found to be affected by a double-free vulnerability in the default configuration of the OpenSSH server (sshd).
## What is OpenSSH?
OpenSSH is a freely available implementation of the Secure Shell (SSH) protocol. It delivers secure encrypted communications between two untrusted hosts over an insecure network. OpenSSH is commonly used for secure remote login and remote file transf
Greynoiseio
NoiseLetter
blogs_greynoiseio
References
- https://www.openwall.com/lists/oss-security/2023/02/02/2
- http://www.openwall.com/lists/oss-security/2023/02/13/1
- http://www.openwall.com/lists/oss-security/2023/02/22/1
- http://www.openwall.com/lists/oss-security/2023/02/22/2
- http://www.openwall.com/lists/oss-security/2023/02/23/3
- http://www.openwall.com/lists/oss-security/2023/03/06/1
- http://www.openwall.com/lists/oss-security/2023/03/09/2
- https://bugzilla.mindrot.org/show_bug.cgi?id=3522
- https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig
- https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946
- https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGAUIXJ3TEKCRKVWFQ6GDAGQFTIIGQQP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7LKQDFZWKYHQ65TBSH2X2HJQ4V2THS3/
- https://news.ycombinator.com/item?id=34711565
- https://security.gentoo.org/glsa/202307-01
- https://security.netapp.com/advisory/ntap-20230309-0003/