On 2nd February, OpenSSH published the release notes of OpenSSH 9.2, which addressed a pre-authentication double-free vulnerability in OpenSSH 9.1 and earlier releases. The flaw is tracked as CVE-2023-25136 and is dubbed a double-free vulnerability because it allows the same chunk of memory to be freed twice. As a result, an attacker could trigger arbitrary code execution on a vulnerable machine. Since the flaw allows attackers to cause memory corruption, buffer overflow, and arbitrary code execution, it is important to learn how to fix CVE-2023-25136, a pre-authentication double-free vulnerability in OpenSSH.
Before we jump in to learn how to fix CVE-2023-25136, let's first take a short look at OpenSSH, the free() function, and the versions affected by this flaw.
A Short Note About OpenSSH
OpenSSH is a free and open-source implementation of the SSH (Secure Shell) protocol. It provides secure encrypted communications between two untrusted hosts over an insecure network and is widely used for remote login, remote file transfer, and VPN solutions. OpenSSH supports various authentication methods, including password-based authentication, public key authentication, and Kerberos authentication. The software is a standard component of most Unix-based operating systems and is commonly used as a secure alternative to Telnet and FTP.
What is the free() Function?
free() is a memory deallocation function in C and C-like languages. It releases dynamic memory that was previously allocated by malloc(), calloc(), or realloc(). It is worth noting that free() does not erase the memory; it only marks the block as available so that it can be reallocated. Any pointers that still point to the block should be cleared right after calling free(). If this is not handled properly, misuse of free() can cause memory leaks and other memory-safety issues in the program.
What is a Dangling Pointer?
In simple words, a dangling pointer is a pointer that still points to a memory location that has already been freed. It no longer refers to a valid object. The error occurs when the program keeps using the address of the deleted object. This can lead to unpredictable behavior, such as software bugs, memory leaks, and crashes, because the pointer is still used to access data that is no longer valid. Developers should understand the risks of dangling pointers and take measures to prevent them.
Summary of CVE-2023-25136
This is a pre-authentication double-free vulnerability in OpenSSH, a free and open-source implementation of the SSH (Secure Shell) protocol. The vulnerability lets attackers free the same chunk of memory twice. The flaw stems from improper handling of "options.kex_algorithms".
options.kex_algorithms is freed twice. The first free happens when the function "do_ssh2_kex" is called, which in turn calls the "compat_kex_proposal" function. If the compatibility flag "SSH_BUG_CURVE25519PAD" is not set and "SSH_OLD_DHGEX" is set, "options.kex_algorithms" becomes a "dangling pointer" after being freed: it points to memory that has been released and must not be used any more.
The same chunk of memory is then freed a second time when the function "kex_assemble_names" is called with "listp" set to "&options.kex_algorithms".
The CVSS score had not been calculated at the time of publishing this post, as the vulnerability is not easy to exploit. The Qualys security team has demonstrated the vulnerability with technical details; we recommend referring to their blog for more information.
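The following is an added example and not OpenSSH's code: it is a simplified model of the free()/dangling-pointer behaviour described in the two sections above and of the ownership mistake behind the double free. The names compat_proposal_by_value, compat_proposal_in_place, filter_denylist and the tracked_* helpers are hypothetical stand-ins for the functions the post names. A small allocation tracker replaces the heap so that the second free of a dangling pointer is reported and counted instead of executed, which is the behaviour a memory checker such as AddressSanitizer gives you. The single-owner version shown as the fix is one way to avoid the bug, not the actual OpenSSH 9.2 patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy allocation tracker: records live addresses so that freeing an address
 * that is no longer live is counted rather than passed to free() again. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];        /* addresses currently owned by the program */
static int double_free_count;       /* frees of an address that is not live */

static char *tracked_strdup(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    if (p == NULL) abort();
    strcpy(p, s);
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    abort(); /* tracker full */
}

static void tracked_free(void *p)
{
    if (p == NULL) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_free_count++;   /* dangling pointer freed again: do NOT call free() */
}

/* Hypothetical stand-in for a denylist filter: returns a new string with the
 * leading "deny," entry removed, or an unchanged copy otherwise. */
static char *filter_denylist(const char *list, const char *deny)
{
    size_t n = strlen(deny);
    if (strncmp(list, deny, n) == 0 && list[n] == ',')
        return tracked_strdup(list + n + 1);
    return tracked_strdup(list);
}

struct options { char *kex_algorithms; };

/* Bug pattern: the pointer arrives by value, is freed, and a replacement is
 * returned. The caller's options.kex_algorithms still holds the freed address. */
static char *compat_proposal_by_value(char *p, int old_dhgex)
{
    if (!old_dhgex) return p;
    char *cp = filter_denylist(p, "diffie-hellman-group-exchange-sha1");
    tracked_free(p);
    return cp;
}

/* Returns how many double frees the tracker saw: 1 for this flow. */
int run_buggy_flow(void)
{
    struct options options = { tracked_strdup("diffie-hellman-group-exchange-sha1,curve25519-sha256") };
    double_free_count = 0;
    char *proposal = compat_proposal_by_value(options.kex_algorithms, 1);
    /* options.kex_algorithms now dangles; a later cleanup frees it again. */
    tracked_free(options.kex_algorithms);
    tracked_free(proposal);
    return double_free_count;
}

/* Single-owner pattern: the callee updates the caller's field through listp,
 * and the field is set to NULL after its final free so that any further
 * free() of it is a harmless no-op. */
static void compat_proposal_in_place(char **listp, int old_dhgex)
{
    if (!old_dhgex) return;
    char *cp = filter_denylist(*listp, "diffie-hellman-group-exchange-sha1");
    tracked_free(*listp);
    *listp = cp;
}

/* Returns the number of double frees seen: 0 for this flow. */
int run_fixed_flow(void)
{
    struct options options = { tracked_strdup("diffie-hellman-group-exchange-sha1,curve25519-sha256") };
    double_free_count = 0;
    compat_proposal_in_place(&options.kex_algorithms, 1);
    tracked_free(options.kex_algorithms);
    options.kex_algorithms = NULL;
    tracked_free(options.kex_algorithms);   /* second call is now a no-op */
    return double_free_count;
}

int main(void)
{
    printf("buggy flow: %d double free(s)\n", run_buggy_flow());
    printf("fixed flow: %d double free(s)\n", run_fixed_flow());
    return 0;
}
```

The point of the two flows is the ownership question: once a function frees a buffer it did not receive by address, every other copy of that pointer is dangling, and the next cleanup path that touches the same field frees it a second time. Keeping one owner (pass the field's address and update it in place) and clearing the field after its last free removes the second path. Building real code with -fsanitize=address gives the same kind of report as the toy tracker, with the stack traces of both frees.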
OpenSSH Versions Vulnerable to CVE-2023-25136
The flaw affects all versions equal to or lower than v9.1. Please check the version of OpenSSH that your machine is running with the ssh -V command.
In this case, we have OpenSSH v8.9 on our server, which is vulnerable.
How to Fix CVE-2023-25136, a Pre-Authentication Double-Free Vulnerability in OpenSSH?
OpenSSH has responded to this vulnerability by rolling out a patched release. This pre-authentication double-free vulnerability is fixed in OpenSSH v9.2. We suggest finding out the current version of OpenSSH on your machines and upgrading to OpenSSH 9.2/9.2p1.
Time needed: 10 minutes.
How to Fix CVE-2023-25136?
The installation process is quite simple if your distribution provides a compiled (packaged) version of openssh-server. If not, you may need to download the source package, compile it using make, and install it using make install.
- Check the OpenSSH version: run this command to check the version of OpenSSH:
$ ssh -V
- Download the latest OpenSSH package: download the latest package. In this case, since we have OpenSSH v8.9, which is vulnerable to this flaw, we need to download v9.2.
$ wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz
$ chmod +x openssh-9.2p1.tar.gz
- Extract the OpenSSH package: extract the downloaded package into a folder.
$ tar -xf openssh-9.2p1.tar.gz
$ cd openssh-9.2p1/
- Manually compile OpenSSH: run this command to configure the build and create configdata.pm and the makefile.
$ ./configure --prefix=/opt --sysconfdir=/etc/ssh
- Install/upgrade OpenSSH: install or upgrade the OpenSSH build using the make and make install commands.
$ make
$ make install
Note: You may need to install the make and gcc utilities before you build or upgrade OpenSSH. Run this command to install the required packages if they are not preinstalled.
$ sudo apt install make gcc
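Before and after the upgrade you want a check that turns the banner printed by ssh -V into a clear answer. The following is an added example, not part of the original post: a small C program that parses an "OpenSSH_<major>.<minor>" banner (sample banners are constructed inline) and classifies it against the 9.2 release that carries the fix, following the post's guidance that anything below 9.2 is affected. The function and enum names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L   /* for popen()/pclose() */
#include <stdio.h>
#include <string.h>

/* Result of comparing an installed OpenSSH against the 9.2 fix release. */
enum fix_status { STATUS_UNKNOWN = -1, STATUS_FIXED = 0, STATUS_VULNERABLE = 1 };

/* Parse "OpenSSH_<major>.<minor>" from the start of a banner such as
 * "OpenSSH_8.9p1 Ubuntu-3ubuntu0.1, OpenSSL 3.0.2 15 Mar 2022".
 * Returns 0 on success, -1 if the banner does not look like OpenSSH. */
static int parse_openssh_version(const char *banner, int *major, int *minor)
{
    if (banner == NULL || sscanf(banner, "OpenSSH_%d.%d", major, minor) != 2)
        return -1;
    if (*major < 0 || *minor < 0)
        return -1;
    return 0;
}

/* Versions before 9.2 are treated as affected, as the post recommends. */
enum fix_status cve_2023_25136_status(const char *banner)
{
    int major, minor;
    if (parse_openssh_version(banner, &major, &minor) != 0)
        return STATUS_UNKNOWN;
    if (major < 9 || (major == 9 && minor < 2))
        return STATUS_VULNERABLE;
    return STATUS_FIXED;
}

/* Run `ssh -V` on the local host; it writes its banner to stderr. */
static enum fix_status check_local_openssh(void)
{
    char banner[256];
    FILE *fp = popen("ssh -V 2>&1", "r");
    if (fp == NULL)
        return STATUS_UNKNOWN;
    if (fgets(banner, sizeof banner, fp) == NULL) {
        pclose(fp);
        return STATUS_UNKNOWN;
    }
    pclose(fp);
    return cve_2023_25136_status(banner);
}

int main(void)
{
    /* Constructed sample banners for offline demonstration. */
    const char *samples[] = {
        "OpenSSH_8.9p1 Ubuntu-3ubuntu0.1, OpenSSL 3.0.2 15 Mar 2022",
        "OpenSSH_9.1p1, OpenSSL 3.0.7 1 Nov 2022",
        "OpenSSH_9.2p1, OpenSSL 3.0.7 1 Nov 2022",
    };
    static const char *names[] = { "unknown", "fixed", "vulnerable" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-60s -> %s\n", samples[i], names[cve_2023_25136_status(samples[i]) + 1]);
    printf("local ssh: %s\n", names[check_local_openssh() + 1]);
    return 0;
}
```

One caveat when you rely on this check in practice: distribution packages often backport security fixes without changing the upstream version number, so a banner below 9.2 on a vendor-maintained package is a prompt to consult that vendor's advisory for CVE-2023-25136, not proof that the host is unpatched. The version test is exact for the source build described above, where the banner reflects the tarball you compiled.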
How to Fix “configure: error: no acceptable C compiler found in $PATH” Error?
If you get the "configure: error: no acceptable C compiler found in $PATH" error when you try to compile or build source code, then either no gcc compiler is installed on your computer or the gcc compiler is not in your $PATH variable. One simple solution to this problem is to install build-essential or the development tools package for your distribution.
To install gcc, use the command for your distribution (run as root):
yum groupinstall "Development Tools"
apt-get install build-essential
zypper install --type pattern devel_basis
apk add build-base