CVE-2023-25136

Published: 3 February 2023

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."

Notes

openssh-ssh1 is provided for compatibility with old devices that
cannot be upgraded to modern protocols. Thus we may not provide security
support for this package if doing so would prevent access to equipment.

issue introduced in OpenSSH 9.1, hence, not affecting any
current Ubuntu releases. The commit that introduced the issue is
486c4dc3b83b4b67d663fb0fa62bc24138ec3946.

Status

Severity score breakdown

References

• https://www.openwall.com/lists/oss-security/2023/02/02/2
• https://www.openwall.com/lists/oss-security/2023/02/13/1
• https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/
• https://www.cve.org/CVERecord?id=CVE-2023-25136
• NVD
• Launchpad
• Debian

Bugs

• https://bugzilla.mindrot.org/show_bug.cgi?id=3522