CVE-2023-25136
MEDIUM severity · CVSS 6.5 · Double free
6.5CVSS MEDIUM
Summary
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."
Impact & exploitability
Attack vectorNetwork
Attack complexityHigh
Privileges requiredNone
User interactionNone
Confidentiality impactNone
Integrity impactLow
Availability impactHigh
Exploit probability (EPSS)90%
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Official patch: https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig ↗
Additional information
- NVD record
- https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sigPatch
- http://www.openwall.com/lists/oss-security/2023/02/13/1Advisory
- http://www.openwall.com/lists/oss-security/2023/02/22/1Advisory
- http://www.openwall.com/lists/oss-security/2023/02/22/2Advisory
- http://www.openwall.com/lists/oss-security/2023/02/23/3Advisory
- http://www.openwall.com/lists/oss-security/2023/03/06/1Advisory
- http://www.openwall.com/lists/oss-security/2023/03/09/2Advisory
- https://bugzilla.mindrot.org/show_bug.cgi?id=3522Advisory