Multiple vulnerabilities in OpenSSH



Published: 2023-02-02 | Updated: 2023-02-23
Risk High
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2023-25136
CWE-ID CWE-415
CWE-254
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Subscribe
OpenSSH
Server applications / Remote management servers, RDP, SSH

Vendor OpenSSH

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Double Free

EUVDB-ID: #VU71771

Risk: High

CVSSv3.1:

CVE-ID: CVE-2023-25136

CWE-ID: CWE-415 - Double Free

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to potentially execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the sshd(8) daemon. A remote non-authenticated attacker can send  specially crafted data to the application, trigger a double free error and execute arbitrary code on the target system.

The vendor believes exploitation of this vulnerability has limitations as double free occurs "in the unprivileged pre-auth process that is subject to chroot(2) and is further sandboxed on most major platforms". Nevertheless we assign a high risk to this vulnerability.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

OpenSSH: 9.1p1


CPE2.3 External links

http://www.openssh.com/releasenotes.html#9.2
http://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946
http://bugzilla.mindrot.org/show_bug.cgi?id=3522

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Security features bypass

EUVDB-ID: #VU71772

Risk: Low

CVSSv3.1:

CVE-ID: N/A

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a logic error when parsing the PermitRemoteOpen option. The PermitRemoteOpen option would ignore its first argument unless it was one of the special keywords "any" or "none", causing the permission list to fail open if only one permission was specified.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

OpenSSH: 8.7p1 - 9.1p1


CPE2.3 External links

http://www.openssh.com/releasenotes.html#9.2

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###