CVE-2023-25136
published 2023-02-03


Priority: P2 62
Severity: medium, 6.5 (CVSS 3.1)
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:N / I:L / A:H
ITW: Exploited in the wild
EPSS: 89.95% (99.8th percentile)
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."

Affected (9 ranges)

Vendor        | Product                                  | Version range          | Fixed in
debian        | openssh                                  | < 1:9.2p1-1 (bookworm) | 1:9.2p1-1 (bookworm)
fedoraproject | fedora                                   |                        |
fedoraproject | fedora                                   |                        |
msrc          | cbl2_openssh_8.9p1-8_on_cbl_mariner_2.0  |                        |
msrc          | cm1_openssh_8.9p1-3_on_cbl_mariner_1.0   |                        |
openbsd       | openssh                                  |                        |
openbsd       | openssh                                  | >= 0 < 1:9.2p1-1       | 1:9.2p1-1
openbsd       | openssh                                  | >= 0 < 1:9.2p1-1       | 1:9.2p1-1
openbsd       | openssh                                  | >= 0 < 1:9.2p1-1       | 1:9.2p1-1

Detection & IOCs (extracted from sources)

URL: https://security.FreeBSD.org/patches/SA-23:02/openssh.patch
  • Monitor sshd stderr/logs for the 'free(): double free detected in tcache 2' error message, which indicates an exploitation attempt against CVE-2023-25136
  • Monitor for ssh_sandbox_violation events triggered by unexpected system calls (seccomp SIGSYS) in the unprivileged sshd process, which may indicate double-free exploitation
  • The vulnerability is only present in OpenSSH sshd version 9.1 (specifically 9.1p1); flag any system running this exact version as affected
  • The double free occurs pre-authentication via the kex_algorithms negotiation path; anomalous or malformed KEX_INIT packets from unauthenticated clients should be flagged
  • Qualys detection: QID 38888 (IP scanning signature VULNSIGS-2.5.692-3) can be used to identify vulnerable OpenSSH 9.1 instances
  • Modern memory allocators and sshd privilege separation/sandboxing significantly raise the bar for reliable exploitation beyond denial of service
  • FreeBSD 12.3 and 13.1 ship older OpenSSH versions and are NOT affected; only FreeBSD 12.4 (which ships OpenSSH 9.1) is affected
  • Red Hat Enterprise Linux 6, 7, and 8 are all listed as Not Affected, as they ship older OpenSSH versions
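The two host-side checks in the list above, the sshd version banner and the sshd log indicators, as a small added Python example. This code is not from the CVE record or from the OpenSSH project; the sample log lines and banners are constructed here, and the exact wording of the sandbox-violation line is an assumption, only the 'ssh_sandbox_violation' prefix is taken from the detection note.

```python
from __future__ import annotations

import re
from typing import Iterable

# Indicators from the detection notes: a substring that appears in sshd's
# stderr/log output, mapped to a label for the alert it should raise.
LOG_INDICATORS = {
    "free(): double free detected in tcache 2": "double-free-abort",
    "ssh_sandbox_violation": "seccomp-sandbox-violation",
}

# Only OpenSSH 9.1 (9.1p1) is affected. The negative lookahead keeps "9.1"
# from matching a longer version string such as "9.12" (hypothetical).
VULN_BANNER_RE = re.compile(r"OpenSSH_9\.1(?:p\d+)?(?![\d.])")

# Constructed sample data (not real captures).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.1",
    "SSH-2.0-OpenSSH_9.1p1 Debian-1",
    "SSH-2.0-OpenSSH_9.2p1",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3",
]
SAMPLE_LOGS = [
    "Feb  3 10:00:01 host sshd[1234]: Connection from 192.0.2.10 port 51000",
    "Feb  3 10:00:02 host sshd[1234]: free(): double free detected in tcache 2",
    "Feb  3 10:00:03 host sshd[1235]: ssh_sandbox_violation: unexpected system call (arch:0xc000003e,syscall:2)",
    "Feb  3 10:00:04 host sshd[1236]: Accepted publickey for alice from 192.0.2.11 port 51001 ssh2",
]


def is_vulnerable_banner(banner: str) -> bool:
    """True if an SSH identification string reports the affected release, OpenSSH 9.1."""
    return VULN_BANNER_RE.search(banner) is not None


def scan_sshd_logs(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (label, line) for every log line carrying one of LOG_INDICATORS."""
    hits: list[tuple[str, str]] = []
    for line in lines:
        for needle, label in LOG_INDICATORS.items():
            if needle in line:
                hits.append((label, line.rstrip()))
                break  # one label per line is enough for alerting
    return hits


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r}: {'AFFECTED' if is_vulnerable_banner(banner) else 'not 9.1'}")
    for label, line in scan_sshd_logs(SAMPLE_LOGS):
        print(f"[{label}] {line}")
```

A banner match identifies the upstream release only; distributions sometimes backport fixes without changing the reported version, so confirm against the package version (for Debian, 1:9.2p1-1 is the fixed build listed above) before treating a host as affected. The log indicators are worth keeping after patching, since the abort message and a sandbox violation in the unprivileged process are both abnormal for sshd regardless of version.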

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 6.5   | MEDIUM   | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
osv           |         | 6.5   | MEDIUM   |
vendor_debian |         | 6.5   | MEDIUM   |
vendor_msrc   |         | 6.5   | MEDIUM   |
vendor_oracle |         | 6.5   | MEDIUM   |
vendor_redhat |         | 6.5   | MEDIUM   |