The OpenSSH maintainers have released OpenSSH 9.2, which fixes several security vulnerabilities, most notably a memory safety issue in the OpenSSH server (sshd). The flaw, tracked as CVE-2023-25136, is a pre-authentication double free that was introduced in version 9.1.
The maintainers noted that, while the vulnerability is real, it is not believed to be easily exploitable: the bug sits in the unprivileged pre-authentication process, which runs under chroot(2) and is additionally sandboxed on most major operating systems. This assessment appears in the release notes published on February 2, 2023.
Security researcher Mantas Mikulenas, who first reported the flaw to OpenSSH in July 2022, described it as a double free of the ‘options.kex_algorithms’ buffer. Saeed Abbasi, manager of vulnerability research at Qualys, explained that the issue could potentially lead to a crash or unauthorized code execution, the outcomes commonly associated with double free bugs.
A double free occurs when code frees the same heap allocation more than once. The resulting memory corruption can, under some conditions, produce exploitable primitives such as a write-what-where condition, and MITRE notes that such flaws can allow attackers to execute arbitrary code in specific circumstances.
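To make the bug class concrete, here is an added example that is not sshd's code and not the actual CVE-2023-25136 fix: a hypothetical KEX-proposal filter that removes a denylisted algorithm from a comma-separated option string, the single-owner pattern that prevents the option buffer from being freed twice, and a NULL-after-free cleanup that makes repeated teardown harmless. The names `server_options`, `filter_kex_proposal`, `apply_compat_filter` and `free_server_options`, and the sample proposal strings, are all constructed for this illustration.

```c
#include <stdlib.h>
#include <string.h>

struct server_options {      /* hypothetical; sshd's real struct is far larger */
    char *kex_algorithms;    /* heap string, comma-separated KEX list */
};

/* Return a newly allocated copy of `proposal` with every entry equal to
 * `deny` dropped. The input is NOT freed: the caller keeps ownership. */
char *filter_kex_proposal(const char *proposal, const char *deny)
{
    size_t dlen = strlen(deny), olen = 0;
    char *out = malloc(strlen(proposal) + 1);   /* output never grows */
    const char *p = proposal;
    if (out == NULL)
        return NULL;
    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t n = comma ? (size_t)(comma - p) : strlen(p);
        if (n != dlen || memcmp(p, deny, n) != 0) {  /* keep this entry */
            if (olen > 0)
                out[olen++] = ',';
            memcpy(out + olen, p, n);
            olen += n;
        }
        if (comma == NULL)
            break;
        p = comma + 1;
    }
    out[olen] = '\0';
    return out;
}

/* The bug class: a helper that frees opts->kex_algorithms itself and hands
 * back a new buffer, while cleanup code later frees the same stale pointer
 * again. The fix is one owner: swap the pointer in place, so the old buffer
 * is freed exactly once and nothing else still refers to it. */
int apply_compat_filter(struct server_options *opts, const char *deny)
{
    char *cp = filter_kex_proposal(opts->kex_algorithms, deny);
    if (cp == NULL)
        return -1;
    free(opts->kex_algorithms);
    opts->kex_algorithms = cp;
    return 0;
}

/* Idempotent cleanup: NULL after free() turns a repeated call into a
 * harmless free(NULL) instead of a second free of the same block. */
void free_server_options(struct server_options *opts)
{
    free(opts->kex_algorithms);
    opts->kex_algorithms = NULL;
}
```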
Despite the potential impact of the vulnerability in OpenSSH 9.1, Abbasi stressed that exploitation is difficult. That difficulty stems largely from the hardening built into modern memory allocators, combined with the privilege separation and sandboxing already present in the sshd process.
In light of these developments, it is highly advisable for users to upgrade to OpenSSH 9.2 in order to mitigate any potential security risks associated with this vulnerability.