// For flags

CVE-2023-25136

openssh: the functions order_hostkeyalgs() and list_hostkey_types() leads to double-free vulnerability

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

11
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."

OpenSSH server (sshd) v9.1 introdujo una vulnerabilidad de doble liberación durante el manejo de "options.key_algorithms". Esto se ha corregido en OpenSSH v9.2. La doble liberación puede ser aprovechada por un atacante remoto no autenticado en la configuración por defecto, para saltar a cualquier ubicación en el espacio de direcciones de sshd. Un informe de terceros afirma que "la ejecución remota de código es teóricamente posible".

A flaw was found in the OpenSSH server (sshd), which introduced a double-free vulnerability during options.kex_algorithms handling. An unauthenticated attacker can trigger the double-free in the default configuration.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-02-03 CVE Reserved
  • 2023-02-03 CVE Published
  • 2023-02-09 First Exploit
  • 2024-08-02 CVE Updated
  • 2024-09-24 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-401: Missing Release of Memory after Effective Lifetime
  • CWE-415: Double Free
CAPEC
References (26)
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Netapp
Search vendor "Netapp"
A250 Firmware
Search vendor "Netapp" for product "A250 Firmware"
--
Affected
in Netapp
Search vendor "Netapp"
A250
Search vendor "Netapp" for product "A250"
--
Safe
Netapp
Search vendor "Netapp"
500f Firmware
Search vendor "Netapp" for product "500f Firmware"
--
Affected
in Netapp
Search vendor "Netapp"
500f
Search vendor "Netapp" for product "500f"
--
Safe
Netapp
Search vendor "Netapp"
C250 Firmware
Search vendor "Netapp" for product "C250 Firmware"
--
Affected
in Netapp
Search vendor "Netapp"
C250
Search vendor "Netapp" for product "C250"
--
Safe
Openbsd
Search vendor "Openbsd"
Openssh
Search vendor "Openbsd" for product "Openssh"
9.1
Search vendor "Openbsd" for product "Openssh" and version "9.1"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
37
Search vendor "Fedoraproject" for product "Fedora" and version "37"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
38
Search vendor "Fedoraproject" for product "Fedora" and version "38"
-
Affected
Netapp
Search vendor "Netapp"
Ontap Select Deploy Administration Utility
Search vendor "Netapp" for product "Ontap Select Deploy Administration Utility"
--
Affected