On 2 February 2023, OpenSSH published the release notes for OpenSSH 9.2, which fix a pre-authentication double-free memory fault in sshd. The flaw is tracked as CVE-2023-25136 and is called a double free because the same heap chunk is passed to free() twice. A double free corrupts the allocator's bookkeeping, and in the general case that can be turned into memory corruption and arbitrary code execution. In sshd the fault occurs in the unprivileged pre-authentication process, which runs under chroot(2) and is further sandboxed on most platforms, and the OpenSSH developers do not believe it to be exploitable; it can still be triggered by an unauthenticated remote client, so it is important to learn how to fix CVE-2023-25136, the pre-authentication double free vulnerability in OpenSSH.
Before we jump in to learn how to fix CVE-2023-25136, let's see a short intro about OpenSSH, the free() function, dangling pointers, and the version affected by this flaw.
OpenSSH is a free and open-source implementation of the SSH (Secure Shell) protocol. It provides secure encrypted communications between two untrusted hosts over an insecure network and is widely used for remote login, remote file transfer, and VPN solutions. OpenSSH supports various authentication methods, including password-based authentication, public key authentication, and Kerberos authentication. The software is a standard component of most Unix-based operating systems and is commonly used as a secure alternative to Telnet and FTP.
free() is the C standard library's memory deallocation function. It releases a block previously obtained from malloc(), calloc(), or realloc() so that the allocator can hand the memory out again. free() does not erase the block's contents, and it does not touch the pointers that still refer to it: after the call, every copy of that pointer is stale, so the program must stop using them (or set them to NULL). Passing the same pointer to free() twice (a double free) or reading or writing through it afterwards (a use-after-free) corrupts or misuses the allocator's state, which is exactly the class of bug behind this CVE. Forgetting to call free() at all is the opposite failure, a memory leak.
In simple words, a dangling pointer is a pointer that still holds the address of memory that has been freed or has otherwise gone out of scope. It no longer refers to a valid object, but nothing in the pointer itself records that, so the program can keep dereferencing it or pass it to free() again. Doing so leads to unpredictable behavior: crashes, silent data corruption and, in the worst case, attacker-controlled memory writes. Developers need to treat a freed pointer as dead and avoid keeping stale copies of it around.
CVE-2023-25136 is a pre-authentication double-free vulnerability in sshd, the server component of OpenSSH, the free and open-source implementation of the SSH (Secure Shell) protocol. It causes sshd to free the same heap chunk twice before the client has authenticated. The flaw stems from the improper handling of the options.kex_algorithms buffer, the server's configured list of key-exchange algorithms.
options.kex_algorithms is freed twice. The first free happens when do_ssh2_kex() calls compat_kex_proposal(), the function that removes key-exchange algorithms from the proposal for clients with known quirks. If the compatibility flag SSH_BUG_CURVE25519PAD is not set but SSH_OLD_DHGEX is set, compat_kex_proposal() frees the very buffer it was handed, options.kex_algorithms, instead of an intermediate copy of its own, and the caller's pointer becomes a dangling pointer: it still holds the address of a chunk that has been returned to the allocator. These compatibility flags are selected from the version banner the client sends when the connection opens, so an unauthenticated remote client decides which branch runs.
The second free happens when kex_assemble_names() is called with listp set to &options.kex_algorithms: it frees *listp, which is the same chunk compat_kex_proposal() already released.
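To make the ownership mistake concrete, here is a simplified C model of the pattern described above. It is an added example written for this post, not OpenSSH's code: the flag bit values, the deny lists, the filter_denylist() stand-in for match_filter_denylist(), and the tracking wrapper around free() are all assumptions, chosen so the program can report whether the caller's buffer was freed without ever touching freed memory (actually freeing it a second time would abort under a modern allocator). compat_kex_proposal_vuln() follows the 9.1 control flow; compat_kex_proposal_fixed() follows the ownership rule that avoids the bug: never free the input, always return a fresh allocation.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SSH_BUG_CURVE25519PAD 0x1u   /* bit values are illustrative */
#define SSH_OLD_DHGEX         0x2u
/* Hypothetical deny lists standing in for the names OpenSSH filters out. */
static const char *const curve_deny[] = { "curve25519-sha256@libssh.org" };
static const char *const dhgex_deny[] = { "diffie-hellman-group-exchange-sha256",
                                          "diffie-hellman-group-exchange-sha1" };
/* Log of every address handed to tracked_free(), so a caller can later ask
 * "was my buffer freed behind my back?" without touching freed memory. */
static uintptr_t freed_log[16]; static size_t freed_count;

static void tracked_free(void *p)
{
    if (p != NULL && freed_count < 16) freed_log[freed_count++] = (uintptr_t)p;
    free(p);
}
static int was_freed(uintptr_t addr)
{
    for (size_t i = 0; i < freed_count; i++) if (freed_log[i] == addr) return 1;
    return 0;
}

/* Return a NEW string: 'list' minus every name in deny[] (stand-in for
 * match_filter_denylist(), which likewise hands back a fresh allocation). */
static char *filter_denylist(const char *list, const char *const *deny, size_t ndeny)
{
    char *out = calloc(strlen(list) + 1, 1), *copy = strdup(list);
    if (out == NULL || copy == NULL) { free(out); free(copy); return NULL; }
    for (char *tok = strtok(copy, ","); tok != NULL; tok = strtok(NULL, ",")) {
        size_t i = 0;
        while (i < ndeny && strcmp(tok, deny[i]) != 0) i++;
        if (i < ndeny) continue;                 /* denied: drop it */
        if (*out != '\0') strcat(out, ",");
        strcat(out, tok);
    }
    free(copy);
    return out;
}

/* 9.1-style flow: the DHGEX branch frees whatever 'p' held before its own filter
 * ran. If the CURVE25519PAD branch did not run, that is the caller's buffer. */
char *compat_kex_proposal_vuln(unsigned compat, char *p)
{
    if ((compat & (SSH_BUG_CURVE25519PAD | SSH_OLD_DHGEX)) == 0)
        return p;
    if (compat & SSH_BUG_CURVE25519PAD)
        p = filter_denylist(p, curve_deny, 1);   /* p is now a private copy... */
    if (compat & SSH_OLD_DHGEX) {
        char *cp = p;                            /* ...or still the caller's buffer */
        p = filter_denylist(p, dhgex_deny, 2);
        tracked_free(cp);                        /* BUG: first free of options.kex_algorithms */
    }
    return p;
}

/* Hardened form: input is const and never freed; the result is always a fresh
 * allocation, so every chunk has exactly one owner at any time. */
char *compat_kex_proposal_fixed(unsigned compat, const char *p)
{
    char *cp = NULL;
    if ((compat & (SSH_BUG_CURVE25519PAD | SSH_OLD_DHGEX)) == 0)
        return strdup(p);
    if ((compat & SSH_BUG_CURVE25519PAD) && (cp = filter_denylist(p, curve_deny, 1)) == NULL)
        return NULL;
    if (compat & SSH_OLD_DHGEX) {
        char *cp2 = filter_denylist(cp != NULL ? cp : p, dhgex_deny, 2);
        tracked_free(cp);                        /* only our own intermediate copy */
        cp = cp2;
    }
    return cp;
}

static const char *sample =   /* constructed KexAlgorithms value, models options.kex_algorithms */
    "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256";
/* Run one variant: 1 = caller's buffer survived (as it must), 0 = it was freed out
 * from under the caller (dangling pointer), -1 = the filtered proposal is wrong. */
int caller_buffer_survives(unsigned compat, int use_fixed, const char *expect)
{
    char *kex_algorithms = strdup(sample);
    uintptr_t addr = (uintptr_t)kex_algorithms;
    freed_count = 0;
    char *prop = use_fixed ? compat_kex_proposal_fixed(compat, kex_algorithms)
                           : compat_kex_proposal_vuln(compat, kex_algorithms);
    int rc = (prop == NULL || strcmp(prop, expect) != 0) ? -1 : !was_freed(addr);
    if ((uintptr_t)prop != addr) free(prop);
    if (!was_freed(addr)) free(kex_algorithms);  /* freeing it anyway = the CVE's second free */
    return rc;
}

int main(void)
{
    const char *kept = "curve25519-sha256@libssh.org,ecdh-sha2-nistp256";
    printf("vuln  OLD_DHGEX only : %d\n", caller_buffer_survives(SSH_OLD_DHGEX, 0, kept));
    printf("vuln  both flags     : %d\n", caller_buffer_survives(SSH_BUG_CURVE25519PAD | SSH_OLD_DHGEX, 0, "ecdh-sha2-nistp256"));
    printf("fixed OLD_DHGEX only : %d\n", caller_buffer_survives(SSH_OLD_DHGEX, 1, kept));
    return 0;
}
```

Compile with cc -o kex kex.c and run it: the vulnerable variant with SSH_OLD_DHGEX alone reports 0 (the caller's buffer is gone and its pointer dangles), while the same variant with both flags set, and the fixed variant in every case, report 1. The general lesson is that a function which sometimes returns its argument and sometimes a new allocation cannot safely free "the old pointer"; the fix is to make ownership unconditional.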
A CVSS score had not been assigned at the time of publishing this post, and exploiting the flaw is not an easy task: triggering the double free is only the first step towards code execution. The Qualys security team has demonstrated the vulnerability with full technical details; we recommend their advisory for more information.
The flaw affects OpenSSH 9.1 (including the portable release 9.1p1): the bug was introduced in 9.1 and fixed in 9.2, so releases earlier than 9.1 are not affected. Please check the version of OpenSSH that your machine is running. Run this command to check the OpenSSH version (it reports the installed ssh client, which on a normally packaged system is the same release as sshd):
ssh -V
In this case, our server runs OpenSSH 8.9, which predates the regression and is therefore not affected; a server reporting 9.1 would be. If the client and server come from different builds, confirm the server side as well: connecting with ssh -v prints the remote software version that sshd announces in its banner.
OpenSSH has responded to this vulnerability by rolling out a patched release: the pre-authentication double free is fixed in OpenSSH 9.2 (portable release 9.2p1). We suggest finding the current version of OpenSSH on your machines and, for any host running 9.1, upgrading to 9.2/9.2p1 or installing your distribution's package that backports the fix.
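As an added example (not part of the original post), the check below encodes the affected range so it can be run over ssh -V banners collected from a fleet rather than read by eye. The banner strings are constructed for illustration, and the note about distribution backports is an assumption about your platform, not something the banner itself can tell you.

```c
#include <stdio.h>
#include <string.h>

/* Parse the version out of an "ssh -V" banner such as
 * "OpenSSH_9.1p1, OpenSSL 3.0.7 1 Nov 2022" or plain "OpenSSH_9.1" (OpenBSD).
 * Returns 0 on success, -1 if this is not an OpenSSH banner. */
int parse_openssh_version(const char *banner, int *major, int *minor)
{
    static const char prefix[] = "OpenSSH_";
    if (banner == NULL || strncmp(banner, prefix, sizeof prefix - 1) != 0)
        return -1;
    /* "%d.%d" stops at the 'p' of the portable suffix, a space, or the ',' */
    return sscanf(banner + sizeof prefix - 1, "%d.%d", major, minor) == 2 ? 0 : -1;
}

/* CVE-2023-25136 was introduced in 9.1 and fixed in 9.2, so only the 9.1 line
 * is affected: 1 = affected, 0 = not affected, -1 = unrecognised banner.
 * Assumption about your platform: a distribution may ship 9.1 with the fix
 * backported, so treat 1 as "check the package changelog", not as proof. */
int cve_2023_25136_affected(const char *banner)
{
    int major, minor;
    if (parse_openssh_version(banner, &major, &minor) != 0)
        return -1;
    return (major == 9 && minor == 1) ? 1 : 0;
}

int main(void)
{
    /* Constructed banners, not captured from real hosts. */
    const char *banners[] = {
        "OpenSSH_8.9p1 Ubuntu-3ubuntu0.1, OpenSSL 3.0.2 15 Mar 2022",
        "OpenSSH_9.1p1, OpenSSL 3.0.7 1 Nov 2022",
        "OpenSSH_9.2p1, OpenSSL 3.0.8 7 Feb 2023",
        "Dropbear v2022.83",
    };
    for (size_t i = 0; i < sizeof banners / sizeof banners[0]; i++)
        printf("%-60s -> %d\n", banners[i], cve_2023_25136_affected(banners[i]));
    return 0;
}
```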
Time needed: 10 minutes.
How to Fix CVE-2023-25136?
The upgrade is quite simple if your distribution already ships a compiled OpenSSH 9.2 (or a patched 9.1) package: install it with your package manager. If not, you need to download the source package, compile it with make, and install it with make install, as shown in the steps below.
Check the OpenSSH version
Run this command to check the version of OpenSSH:
$ ssh -V
Download the latest OpenSSH package
Download the latest package. In this case, our server has OpenSSH 8.9; upgrading takes it straight to 9.2, the release that carries the fix (a server on the affected 9.1 release must be upgraded).
$ wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz
The tarball needs no execute permission. Before building, verify it against the detached .asc signature published next to it on the same mirror, so that a tampered download is caught before it becomes your sshd.
Extract the OpenSSH package
Extract the downloaded package to a folder.
$ tar -xf openssh-9.2p1.tar.gz
$ cd openssh-9.2p1/
Manually compile OpenSSH
Run configure to check for the build dependencies and generate the Makefile. --prefix=/opt installs the new binaries under /opt (leaving the distribution's /usr/sbin/sshd in place), and --sysconfdir=/etc/ssh makes the new build use the existing configuration and host keys:
$ ./configure --prefix=/opt --sysconfdir=/etc/ssh
Install/upgrade OpenSSH
Build OpenSSH with make and install it with make install (as root):
$ make
$ sudo make install
Because of --prefix=/opt, the new server is /opt/sbin/sshd; the service unit or init script still starts the distribution's sshd until you point it at the new binary (or set --prefix to match the existing install location), and sshd must be restarted for the fix to take effect.
Note: You may need to install make, gcc, and the OpenSSL and zlib development headers before you build OpenSSH. Run this command to install the required packages if they are not preinstalled (Debian/Ubuntu package names shown):
$ sudo apt install make gcc libssl-dev zlib1g-dev
If you get the error configure: error: no acceptable C compiler found in $PATH when you run configure, then no C compiler is installed on your computer or gcc is not in your $PATH variable. One simple solution is to install build-essential or the equivalent development tools on your server.
To install gcc, use the command for your distribution (run as root):
Redhat base:
yum groupinstall "Development Tools"
Debian base:
apt-get install build-essential
openSUSE base:
zypper install --type pattern devel_basis
Alpine:
apk add build-base
We hope this post helps you understand and fix CVE-2023-25136, the pre-authentication double free vulnerability in OpenSSH.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.