How to Fix CVE-2023-25136- A Pre-Authentication Double Free Vulnerability in OpenSSH?

On 2nd February, OpenSSH released the release notes of OpenSSH 9.2, which addressed a pre-authentication double-free vulnerability in OpenSSH 9.1 and earlier releases. The flaw is tracked as CVE-2023-25136 and is dobbed as double free vulnerability as it allows to free up the memory twice. As a result, an attacker would be able to trigger arbitrary code execution on the vulnerable machine. Since the flaw allows attackers to perform memory corruption, buffer overflow, and arbitrary code execution, it is important to learn how to Fix CVE-2023-25136- a pre-authentication double free vulnerability in OpenSSH.

Before we jump in to learn how to Fix CVE-2023-25136- a pre-authentication double free vulnerability in OpenSSH, let’s see a short intro about the OpenSSH free() function and the version affected by this flaw.

A Short Note About OpenSSH

OpenSSH is a free and open-source implementation of the SSH (Secure Shell) protocol. It provides secure encrypted communications between two untrusted hosts over an insecure network and is widely used for remote login, remote file transfer, and VPN solutions. OpenSSH supports various authentication methods, including password-based authentication, public key authentication, and Kerberos authentication. The software is a standard component of most Unix-based operating systems and is commonly used as a secure alternative to Telnet and FTP.

What is a free() Function?

This is a memory deallocation function in programming languages. It is basically used to free up the dynamic memory previously allocated by malloc(), calloc(), or realloc() functions. It is worth noting that the free() function does not delete the memory. Instead, it sets it to a state where it can be reallocated. Make sure that any pointers that point to the memory should be removed before calling the free() function. If it is not properly handled, this function could cause memory leaks and other memory-related issues in the program.

What is a dangling pointer?

In simple words, a dangling pointer is a pointer that points to a memory location that has been deleted or freed. It does not point to a valid object since it is deleted. It occurs as an error when it points to the memory address of the deleted object. This can lead to unpredictable behavior in the program, such as software bugs, memory leaks, and crashes as the pointer is still trying to access data that is no longer valid. It is important for developers to understand the risks of dangling pointers and take measures to prevent them from occurring.

Summary of CVE-2023-25136

This is a pre-authentication double-free vulnerability in OpenSSH, a free and open-source library of the SSH (Secure Shell) protocol. The vulnerability allows attackers to free up the chunk of memory twice. The flaw stems from the improper handling of “options.kex_algorithms”.

options.kex_algorithms is being freed twice. The first time it frees when the function “do_ssh2_kex” is called, which further calls “compat_kex_proposal” function. If a certain compatibility setting called “SSH_BUG_CURVE25519PAD” is not set and another one called “SSH_OLD_DHGEX” is set, then “options.kex_algorithms” becomes a “dangling pointer” after being freed. This means that it points to memory that has been released and can’t be used anymore.

The improper implementation of “options.kex_algorithms” further leads to freeing up the same chunk of memory that was freed previously when the function “kex_assemble_names”, with “listp” set to “&options.kex_algorithms”.

The CVSS score is not calculated at the time of publishing the post, as it is not an easy task to exploit this vulnerability. Qualis security team has demonstrated this vulnerability with technical details. We recommend referring to the blog for more information.

OpenSSH Versions Vulnerable to CVE-2023-25136

The flaw affects all the versions, which are equal to and lower than v9.1. Please check the version of OpenSSH that your machine is running. Run this command to check the OpenSSH version.

ssh -V

In this case, we have OpenSSH v8.9 on our server, which is vulnerable.

How to Fix CVE-2023-25136- A Pre-Authentication Double Free Vulnerability in OpenSSH?

OpenSSH has responded to this vulnerability by rolling out a patched version of OpenSSH. This pre-authentication double-free vulnerability is fixed in OpenSSH v 9.2. We suggest finding out the current version of OpenSSH on your machines and upgrading to vOpenSSH 9.2/9.2p1.

Time needed: 10 minutes.

How to Fix CVE-2023-25136?
The installation process is quite simple if your distribution has a compelled version of OpenSSH-server. If not, you may need to download the package and compel the package using make and install it using the make install commands.

How to Fix “configure: error: no acceptable C compiler found in $PATH” Error?

If you get configure: error: no acceptable C compiler found in $PATH error when you try compile the before building any source code, then no gcc compiler is installed on your computer or gcc compiler is not set to $PATH veritable. One simple solution to this problem is to install build-essential or development tools on your server.

To install gcc use this: (run as root)

    Redhat base:

yum groupinstall "Development Tools"

    Debian base:

apt-get install build-essential

    openSUSE base:

zypper install --type pattern devel_basis

    Alpine:

apk add build-base

We hope this post helps you know how to Fix CVE-2023-25136- a pre-authentication double free vulnerability in OpenSSH. Please share this post and help secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this. 

You may also like these articles: