CVE-2023-25136: Pre-Auth Double Free Vulnerability in OpenSSH Server 9.1 

Saeed Abbasi

Last updated on: February 13, 2023

OpenSSH, the widely used open-source implementation of the Secure Shell (SSH) protocol, recently released version 9.2 on 2023-02-02 to address a pre-authentication vulnerability in the OpenSSH server version 9.1. This specific version of the OpenSSH server, which was released in October 2022, was found to be affected by a double-free vulnerability in the default configuration of the OpenSSH server (sshd).  

What is OpenSSH? 

OpenSSH is a freely available implementation of the Secure Shell (SSH) protocol. It delivers secure encrypted communications between two untrusted hosts over an insecure network. OpenSSH is commonly used for secure remote login and remote file transfer, as well as other network services such as tunneling and forwarding TCP ports. It provides a safe alternative to traditional clear-text protocols like Telnet and FTP. OpenSSH is widely used in Unix-based systems, including Linux and macOS, and is incorporated in many widespread and modern operating systems and distributions. 

OpenSSH uses modern memory allocators to minimize memory-related vulnerabilities. These, combined with the robust privilege separation and sandboxing mechanisms, make OpenSSH a secure and reliable solution for secure remote access and file transfer.

Technical Details  

The double-free vulnerability was introduced in July 2022 and was reported to OpenSSH Bugzilla in January 2023 by Mantas Mikulenas. The exposure occurs in the chunk of memory freed twice, the “options.kex_algorithms”. The first time it was freed was via do_ssh2_kex(), which calls compat_kex_proposal(). In the case where the compatibility bit “SSH_BUG_CURVE25519PAD” is not set and the compatibility bit “SSH_OLD_DHGEX” is set, “options.kex_algorithms” becomes a dangling pointer after being freed. This results in the memory being freed a second time via kex_assemble_names() with “listp” equal to “&options.kex_algorithms”. 

In order to demonstrate a vulnerability, Qualys Threat Research Unit (TRU) set up a testing environment utilizing Debian (bookworm) with OpenSSH 9.1p1 installed. We then modified the banner of the ssh client to present as a “FuTTY” client, which resulted in forcing the “SSH_OLD_DHGEX” compatibility bit in the ssh daemon (sshd). The steps taken to achieve this are outlined below:    

$ cp -i /usr/bin/ssh ./ssh  $ sed -i s/OpenSSH_9.1p1/FuTTYSH_9.1p1/g ./ssh  $ ./ssh -v 127.0.0.1

This action resulted in a double free in the unprivileged sshd process, as indicated by the error message and the strace output: 

writev(2, [{iov_base="free(): double free detected in tcache 2", iov_len=40}, {iov_base="\n", iov_len=1}], 2) = 20  --- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=0x7f093649e1f5, si_syscall=__NR_writev, si_arch=AUDIT_ARCH_X86_64} ---  write(8, "\0\0\0g\0\0\0\1\0\0\0\0\0\0\0[ssh_sandbox_violation: unexpected system call (arch:0xc000003e,syscall:20 @ 0x7f093649e1f5)", 107) = 107  exit_group(1)                           = ?  +++ exited with 1 +++

While the double-free vulnerability in OpenSSH version 9.1 may raise concerns, it is essential to note that exploiting this issue is no simple task. This is due to the protective measures put in place by modern memory allocators and the robust privilege separation and sandboxing implemented in the impacted sshd process.  

Affected users are highly encouraged to upgrade to OpenSSH 9.2 to prevent potential security risks. The OpenSSH project has been instrumental in ensuring secure remote access to systems, and the recent release of 9.2 is a testament to their commitment to the community’s security. 

Qualys QID Coverage 

Qualys has released one (1) QID 38888 at this time, starting with IP scanning version VULNSIGS-2.5.692-3

QIDTitleQualys Release Versions
38888 OpenSSH server 9.1 ‘sshd(8)’ Double-Free VulnerabilityVULNSIGS-2.5.692-3

Conclusion

We at Qualys strongly encourage our customers and users to upgrade to the latest version of OpenSSH, which is 9.2 to mitigate potential security risks. The OpenSSH project has a proven track record of providing secure remote access to systems, and the recent release of 9.2 reflects its ongoing commitment to the security of its user community. By upgrading to this latest version, users can benefit from the latest security enhancements and advancements offered by the OpenSSH project. 

Vendor References  

 

Share your Comments

Comments

Your email address will not be published. Required fields are marked *