Description
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."
Related CPE's
o
fedoraproject
fedora
References
http://www.openwall.com/lists/oss-security/2023/02/13/1
http://www.openwall.com/lists/oss-security/2023/02/22/1
http://www.openwall.com/lists/oss-security/2023/02/22/2
http://www.openwall.com/lists/oss-security/2023/02/23/3
http://www.openwall.com/lists/oss-security/2023/03/06/1
http://www.openwall.com/lists/oss-security/2023/03/09/2
https://bugzilla.mindrot.org/show_bug.cgi?id=3522
https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig
https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946
https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/
https://news.ycombinator.com/item?id=34711565
https://security.gentoo.org/glsa/202307-01
https://security.netapp.com/advisory/ntap-20230309-0003/
https://www.openwall.com/lists/oss-security/2023/02/02/2
CVSS impact metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
6.5 · Medium
CVSS V3.1
CVSS V3.0
CVSS V2.0
Information
Source identifier
Vulnerability status
Modified
Published
2023-02-03T06:15:09.350
2 years agoLast modified
2024-02-27T15:15:14.617
1 year ago