New Pre-Auth Double Free Vulnerability on OpenSSH
Threat Level Description
Threat Level: High - An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.
We have observed that a vulnerability in OpenSSH version 9.1, with a severe potential impact, has been identified.
An attacker, by exploiting this vulnerability, could achieve remote code execution on affected systems and possible perform Denial of Service attacks.
OpenSSH is a tool for secure communication and remote access, gaining widespread popularity due to its efficiency and versatility. Developed as a cost-free, open-source implementation of the Secure Shell (SSH) communications protocol, OpenSSH is widely used for various applications.
Tracked as CVE-2023-25136, this flaw has been classified as a pre-authentication double-free vulnerability, occurring during “options.kex_algorithms” handling.
Double free flaws arise when a vulnerable piece of code calls the “free()” function, which is used to deallocate memory blocks twice, leading to memory corruption that consequently could lead to a crash or execution of arbitrary code.
A Proof of Concept (PoC) has been released recently. Thus, malicious actors could utilize this PoC in order to identify and exploit this vulnerability in the wild.
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."
OpenSSH 9.1p1 with default configuration
You should proceed and update to the latest OpenSSH version (9.2p1.) or/and implement the relevant patches provided by the vendor.
You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to apply an efficient patch management solution and always have enabled an active event security logging and practice event monitoring. To protect the valuable assets of your business and be compliant with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.