Feb 06, 2023 | Ravie Lakshmanan
The maintainers of OpenSSH have released OpenSSH 9.2 to address
a number of security bugs, including a memory safety vulnerability
in the OpenSSH server (sshd).
Tracked as CVE-2023-25136[1], the shortcoming has
been classified as a pre-authentication double free vulnerability
that was introduced in version 9.1.
“This is not believed to be exploitable, and it occurs in the
unprivileged pre-auth process that is subject to chroot(2) and is
further sandboxed on most major platforms,” OpenSSH disclosed in
its release notes[2]
on February 2, 2023.
Security researcher Mantas Mikulenas is credited with reporting[3]
the flaw to OpenSSH in July 2022.
OpenSSH is the open source implementation of the secure shell
(SSH[4]) protocol that offers a
suite of services for encrypted communications over an unsecured
network in a client-server architecture.
“The exposure occurs in the chunk of memory freed twice, the
‘options.kex_algorithms,’” Qualys researcher Saeed Abbasi said,
adding that the issue results in a “double free in the unprivileged sshd
process.”
Double free flaws arise when a vulnerable piece of code calls
the free()[5]
function – which is used to deallocate memory blocks – twice,
leading to memory corruption, which, in turn, could lead to a crash
or execution of arbitrary code.
“Doubly freeing memory may result in a write-what-where condition[6], allowing an attacker to
execute arbitrary code,” MITRE notes[7]
in its description of the flaw.
“While the double-free vulnerability in OpenSSH version 9.1 may
raise concerns, it is essential to note that exploiting this issue
is no simple task,” Abbasi explained.
“This is due to the protective measures put in place by modern
memory allocators and the robust privilege separation and
sandboxing implemented in the impacted sshd process.”
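The double-free pattern and the allocator-side detection described above, as an added example that is not OpenSSH code and not part of the original article. The toy slot allocator, the `options` struct and all function names are hypothetical stand-ins, and the sample string is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Toy fixed-slot allocator (constructed): static storage keeps stale pointers inspectable. */
enum { SLOTS = 4, SLOT_SIZE = 64 };
static char arena[SLOTS * SLOT_SIZE];
static int in_use[SLOTS], double_frees;  /* second releases caught, not performed */

static char *slot_alloc(const char *s) {
    for (int i = 0; i < SLOTS; i++) {
        if (in_use[i]) continue;
        in_use[i] = 1;
        snprintf(arena + i * SLOT_SIZE, SLOT_SIZE, "%s", s);
        return arena + i * SLOT_SIZE;
    }
    return NULL;  /* arena exhausted */
}

static void slot_free(char *p) {
    if (p == NULL) return;                       /* like free(NULL): a no-op */
    int i = (int)((p - arena) / SLOT_SIZE);
    if (!in_use[i]) { double_frees++; return; }  /* slot already released */
    in_use[i] = 0;
}

/* Hypothetical options struct; only the field name comes from the article. */
struct options { char *kex_algorithms; };

/* Flawed cleanup: releases the field but leaves the stale pointer in place. */
static void clear_flawed(struct options *o) { slot_free(o->kex_algorithms); }

/* Hardened cleanup: release, then NULL the field so a repeat is a no-op. */
static void clear_hardened(struct options *o) {
    slot_free(o->kex_algorithms);
    o->kex_algorithms = NULL;
}

/* Runs one cleanup routine twice, as two overlapping teardown paths would. */
static int run_twice(void (*clear)(struct options *)) {
    struct options o = { slot_alloc("constructed-kex-list") };
    double_frees = 0;
    clear(&o);
    clear(&o);
    return double_frees;  /* double frees the allocator caught */
}

int main(void) {
    printf("flawed=%d hardened=%d\n", run_twice(clear_flawed), run_twice(clear_hardened));
    return 0;
}
```

With the C library's `free()`, the second release in the flawed path would be undefined behaviour. Here the allocator counts it instead, so both paths can be compared safely.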
Users are advised to update to OpenSSH 9.2 to mitigate
potential security threats.
References
Read more https://thehackernews.com/2023/02/openssh-releases-patch-for-new-pre-auth.html