CVE-2023-25136: Double Free
First published: Fri Feb 03 2023(Updated: )
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Openssh Openssh | =9.1 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| NetApp ONTAP Select Deploy administration utility | ||
| Netapp A250 Firmware | ||
| Netapp A250 | ||
| Netapp 500f Firmware | ||
| Netapp 500f | ||
| Netapp C250 Firmware | ||
| Netapp C250 | ||
| Openbsd Openssh | =9.1 | |
| All of | ||
| Netapp A250 Firmware | ||
| Netapp A250 | ||
| All of | ||
| Netapp 500f Firmware | ||
| Netapp 500f | ||
| All of | ||
| Netapp C250 Firmware | ||
| Netapp C250 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2023/02/13/1
- http://www.openwall.com/lists/oss-security/2023/02/22/1
- http://www.openwall.com/lists/oss-security/2023/02/22/2
- http://www.openwall.com/lists/oss-security/2023/02/23/3
- http://www.openwall.com/lists/oss-security/2023/03/06/1
- http://www.openwall.com/lists/oss-security/2023/03/09/2
- https://bugzilla.mindrot.org/show_bug.cgi?id=3522
- https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig
- https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946
- https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JGAUIXJ3TEKCRKVWFQ6GDAGQFTIIGQQP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7LKQDFZWKYHQ65TBSH2X2HJQ4V2THS3/
- https://news.ycombinator.com/item?id=34711565
- https://security.gentoo.org/glsa/202307-01
- https://security.netapp.com/advisory/ntap-20230309-0003/
- https://www.openwall.com/lists/oss-security/2023/02/02/2
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGAUIXJ3TEKCRKVWFQ6GDAGQFTIIGQQP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7LKQDFZWKYHQ65TBSH2X2HJQ4V2THS3/
Frequently Asked Questions
What is the vulnerability ID for this OpenSSH server vulnerability?
The vulnerability ID for this OpenSSH server vulnerability is CVE-2023-25136.
What is the severity level of CVE-2023-25136?
The severity level of CVE-2023-25136 is medium with a CVSS score of 6.5.
Which version of OpenSSH server introduced this vulnerability?
OpenSSH server version 9.1 introduced this vulnerability.
Has this vulnerability been fixed in a later version of OpenSSH server?
Yes, this vulnerability has been fixed in OpenSSH server version 9.2.
Can an unauthenticated remote attacker exploit this vulnerability?
Yes, an unauthenticated remote attacker can exploit this vulnerability.
- collector/nvd-index
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/description
- agent/type
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/remedy
- agent/first-publish-date
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/openssh
- canonical/openssh openssh
- version/openssh openssh/9.1
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- vendor/netapp
- canonical/netapp ontap select deploy administration utility
- canonical/netapp a250 firmware
- canonical/netapp a250
- canonical/netapp 500f firmware
- canonical/netapp 500f
- canonical/netapp c250 firmware
- canonical/netapp c250
- vendor/openbsd
- canonical/openbsd openssh
- version/openbsd openssh/9.1