THREAT LEVEL - HIGH

24-02-2023

New Pre-Auth Double Free Vulnerability on OpenSSH

Threat Level Description

Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures are warranted, reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgements on acceptable risk.

Description

A vulnerability with a severe potential impact has been identified in OpenSSH version 9.1.

An attacker exploiting this vulnerability could achieve remote code execution on affected systems and possibly perform Denial of Service attacks.

OpenSSH is a tool for secure communication and remote access that has gained widespread popularity due to its efficiency and versatility. Developed as a free, open-source implementation of the Secure Shell (SSH) communications protocol, OpenSSH is widely used for a variety of applications.

Tracked as CVE-2023-25136, this flaw has been classified as a pre-authentication double-free vulnerability occurring during “options.kex_algorithms” handling.

Double-free flaws arise when vulnerable code calls the “free()” function, which deallocates a memory block, twice on the same block. The resulting memory corruption can lead to a crash or to the execution of arbitrary code.

A Proof of Concept (PoC) has been released recently, so malicious actors could use it to identify and exploit this vulnerability in the wild.

CVE(s)

CVE-2023-25136

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states “remote code execution is theoretically possible.”

Affected Systems

  • OpenSSH 9.1p1 with default configuration
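The following POSIX shell check is an added example, not part of the original alert: it classifies an OpenSSH version string (as printed by "ssh -V" or sent in the server banner) against the affected range stated above, where only 9.1 is in scope and 9.2 carries the fix. The function names are my own, and the sample version strings are constructed.

```shell
#!/bin/sh
# Added example: classify an OpenSSH version string against CVE-2023-25136.
# Per the advisory, the double free was introduced in 9.1 and fixed in 9.2,
# so only a 9.1 release is "affected" by version alone.
# Caveat: distributions often backport fixes without changing the version
# string, so "affected" means "version matches; confirm via the package
# changelog or vendor advisory before treating the host as vulnerable".

# Extract "major.minor" from strings such as
#   "OpenSSH_9.1p1, OpenSSL 3.0.2 15 Mar 2022"   (ssh -V)
#   "SSH-2.0-OpenSSH_9.1p1 Debian-2"             (server banner)
# Prints nothing if no OpenSSH version is present.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Prints "affected", "not-affected" or "unknown" (not an OpenSSH string).
cve_2023_25136_status() {
    ver=$(openssh_version "$1")
    case "$ver" in
        '')  echo unknown ;;
        9.1) echo affected ;;
        *)   echo not-affected ;;
    esac
}

# Check the locally installed OpenSSH, if any. The client and server are
# built from the same source tree, so "ssh -V" reports the sshd version too.
if command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)
    printf '%s -> %s\n' "$banner" "$(cve_2023_25136_status "$banner")"
fi
```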

Recommendation(s)

You should update to the latest OpenSSH version (9.2p1) and/or apply the relevant patches provided by the vendor.

You should understand the importance of security updates and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to have an efficient patch management solution in place, to keep security event logging enabled at all times, and to practise event monitoring. Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to risk management, including Penetration Testing at least annually and upon significant changes.

References

https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/

https://www.tenable.com/cve/CVE-2023-25136

https://nvd.nist.gov/vuln/detail/CVE-2023-25136
