Vulnerability Description
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."
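The following C program is an added illustration of the bug class named above (a double free caused by an ownership mistake while rewriting an algorithm list); it is constructed for this page and is not OpenSSH's code or the advisory's. It models a compat-filter helper that is handed a configuration string owned by its caller and, on one flag combination, frees that caller-owned string while building the rewritten proposal, so the caller's own later free hits the same block a second time; the hardened form beside it never frees its input. The flag names, the `*_DENY` macros, the tracking allocator, `KEX_CONFIG` and the `simulate()` driver are all assumptions of the example; the actual 9.1 code and its fix are in the bugzilla entry and the openssh-portable commit listed under References.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the client-quirk flags that make the server rewrite
 * its KEX proposal; flag and macro names are illustrative, not OpenSSH's. */
#define FLAG_DROP_CURVE 0x1
#define FLAG_DROP_DHGEX 0x2
#define CURVE_DENY "curve25519-sha256@libssh.org"
#define DHGEX_DENY "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1"
/* Tracking allocator: freeing a block that is not live is counted, not executed,
 * so the double free shows up as a number instead of an abort. */
static void *live[32];
static int nlive, double_frees;
static void *t_malloc(size_t n) {
    void *p = malloc(n);
    if (p && nlive < 32) live[nlive++] = p;
    return p;
}
static void t_free(void *p) {
    for (int i = 0; p && i < nlive; i++)
        if (live[i] == p) { live[i] = live[--nlive]; free(p); return; }
    if (p) double_frees++;              /* not live: a second free of the same block */
}
static void t_reset(void) {
    while (nlive) free(live[--nlive]);
    double_frees = 0;
}
/* True if name[0..len) is one of the comma-separated entries in deny. */
static int denied(const char *name, size_t len, const char *deny) {
    for (const char *d = deny, *e;; d = e + 1) {
        size_t dl = (e = strchr(d, ',')) ? (size_t)(e - d) : strlen(d);
        if (dl == len && !memcmp(d, name, len)) return 1;
        if (!e) return 0;
    }
}
/* Returns a NEW allocation: list with every denied name removed (deny "" = plain copy). */
static char *filter_denylist(const char *list, const char *deny) {
    char *out = t_malloc(strlen(list) + 1), *w = out;
    if (!out) return NULL;
    for (const char *p = list, *e;; p = e + 1) {
        size_t len = (e = strchr(p, ',')) ? (size_t)(e - p) : strlen(p);
        if (len && !denied(p, len, deny)) {
            if (w != out) *w++ = ',';
            memcpy(w, p, len), w += len;
        }
        if (!e) break;
    }
    *w = '\0';
    return out;
}
/* VULNERABLE pattern: p is the caller's own config string. On the DHGEX-only
 * path cp still aliases it, so t_free(cp) releases memory the caller owns. */
static char *compat_kex_proposal_vuln(int compat, char *p) {
    if (!(compat & (FLAG_DROP_CURVE | FLAG_DROP_DHGEX))) return filter_denylist(p, "");
    if (compat & FLAG_DROP_CURVE) p = filter_denylist(p, CURVE_DENY);
    if (compat & FLAG_DROP_DHGEX) {
        char *cp = p;                   /* still the caller's string if CURVE is unset */
        p = filter_denylist(p, DHGEX_DENY);
        t_free(cp);                     /* BUG: frees memory this function never owned */
    }
    return p;
}
/* HARDENED form: the input is const and never freed; only intermediates this
 * function allocated are released, and every path returns a fresh string. */
static char *compat_kex_proposal_fixed(int compat, const char *p) {
    char *cp = NULL, *cp2;
    if (!(compat & (FLAG_DROP_CURVE | FLAG_DROP_DHGEX))) return filter_denylist(p, "");
    if (compat & FLAG_DROP_CURVE) cp = filter_denylist(p, CURVE_DENY);
    if (compat & FLAG_DROP_DHGEX) {
        cp2 = filter_denylist(cp ? cp : p, DHGEX_DENY);
        t_free(cp);                     /* our own intermediate only; NULL is a no-op */
        cp = cp2;
    }
    return cp;
}
/* Constructed KexAlgorithms value owned by the "server configuration". */
static const char KEX_CONFIG[] = "curve25519-sha256,curve25519-sha256@libssh.org,"
    "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256";
static char last_proposal[256];
/* Models the caller: build the proposal, use it, free it, then tear down the
 * config that owns kex_algorithms. Returns how many double frees occurred. */
static int simulate(int compat, int use_fixed) {
    t_reset();
    char *kex_algorithms = filter_denylist(KEX_CONFIG, "");
    char *proposal = use_fixed ? compat_kex_proposal_fixed(compat, kex_algorithms)
                               : compat_kex_proposal_vuln(compat, kex_algorithms);
    snprintf(last_proposal, sizeof last_proposal, "%s", proposal);
    t_free(proposal);                   /* KEX is done with the proposal */
    t_free(kex_algorithms);             /* options teardown: second free on the bug path */
    return double_frees;
}

int main(void) {
    static const int quirks[] = { 0, FLAG_DROP_CURVE, FLAG_DROP_DHGEX, FLAG_DROP_CURVE | FLAG_DROP_DHGEX };
    for (int i = 0; i < 4; i++)
        printf("compat=%d vulnerable=%d fixed=%d proposal=%s\n", quirks[i],
               simulate(quirks[i], 0), simulate(quirks[i], 1), last_proposal);
    return 0;
}
```

Only one of the four flag combinations produces the double free in the vulnerable function, which is the practical point: the bug is invisible to clients that do not trigger that specific quirk path, and a fix that merely reorders frees is not enough. The hardened form fixes the contract instead: the helper takes a `const` input it never frees, frees only allocations it made itself, and returns a fresh allocation on every path, so the caller's ownership of `kex_algorithms` is never ambiguous.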
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openbsd | Openssh | 9.1 |
| Fedoraproject | Fedora | 37 |
| Netapp | Ontap Select Deploy Administration Utility | - |
| Netapp | A250 Firmware | - |
| Netapp | A250 | - |
| Netapp | 500F Firmware | - |
| Netapp | 500F | - |
| Netapp | C250 Firmware | - |
| Netapp | C250 | - |
Related Weaknesses (CWE)
- CWE-415: Double Free
References
- http://www.openwall.com/lists/oss-security/2023/02/13/1 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2023/02/22/1 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2023/02/22/2 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2023/02/23/3 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2023/03/06/1 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2023/03/09/2 (Mailing List, Third Party Advisory)
- https://bugzilla.mindrot.org/show_bug.cgi?id=3522 (Exploit, Issue Tracking, Third Party Advisory)
- https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig (Patch, Vendor Advisory)
- https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc (Patch, Third Party Advisory)
- https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-p (Exploit, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://news.ycombinator.com/item?id=34711565 (Issue Tracking, Third Party Advisory)
- https://security.gentoo.org/glsa/202307-01 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20230309-0003/ (Third Party Advisory)
FAQ
What is CVE-2023-25136?
CVE-2023-25136 is a vulnerability with a CVSS score of 6.5 (MEDIUM). OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space.
How severe is CVE-2023-25136?
CVE-2023-25136 has been rated MEDIUM with a CVSS base score of 6.5/10. See the CVSS Score section above.
Is there a patch for CVE-2023-25136?
Yes. The issue is fixed in OpenSSH 9.2; the OpenBSD 7.2 errata patch (017_sshd) and the openssh-portable fix commit are listed in the references section above, alongside the Fedora, Gentoo and NetApp advisories. Affected products include: Openbsd Openssh 9.1, Fedoraproject Fedora 37, Netapp Ontap Select Deploy Administration Utility, Netapp A250 Firmware, Netapp A250.