CVE-2023-25136

openssh: the functions order_hostkeyalgs() and list_hostkey_types() leads to double-free vulnerability

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."

OpenSSH server (sshd) v9.1 introdujo una vulnerabilidad de doble liberación durante el manejo de "options.key_algorithms". Esto se ha corregido en OpenSSH v9.2. La doble liberación puede ser aprovechada por un atacante remoto no autenticado en la configuración por defecto, para saltar a cualquier ubicación en el espacio de direcciones de sshd. Un informe de terceros afirma que "la ejecución remota de código es teóricamente posible".

A flaw was found in the OpenSSH server (sshd), which introduced a double-free vulnerability during options.kex_algorithms handling. An unauthenticated attacker can trigger the double-free in the default configuration.

Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-02-03 CVE Reserved
2023-02-03 CVE Published
2023-02-09 First Exploit
2024-08-02 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-401: Missing Release of Memory after Effective Lifetime
CWE-415: Double Free

CAPEC

References (28)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2023/02/13/1	Mailing List
http://www.openwall.com/lists/oss-security/2023/02/22/1	Mailing List
http://www.openwall.com/lists/oss-security/2023/02/22/2	Mailing List
http://www.openwall.com/lists/oss-security/2023/02/23/3	Mailing List
http://www.openwall.com/lists/oss-security/2023/03/06/1	Mailing List
http://www.openwall.com/lists/oss-security/2023/03/09/2	Mailing List
https://news.ycombinator.com/item?id=34711565	Issue Tracking
https://security.netapp.com/advisory/ntap-20230309-0003	Third Party Advisory

URL	Date	SRC
https://github.com/Christbowel/CVE-2023-25136	2023-03-07
https://github.com/nhakobyan685/CVE-2023-25136	2023-04-28
https://github.com/adhikara13/CVE-2023-25136	2023-04-21
https://github.com/jfrog/jfrog-CVE-2023-25136-OpenSSH_Double-Free	2023-02-09
https://github.com/H4K6/CVE-2023-25136	2023-06-30
https://github.com/ticofookfook/CVE-2023-25136	2023-02-14
https://github.com/malvika-thakur/CVE-2023-25136	2023-09-21
https://github.com/Business1sg00d/CVE-2023-25136	2023-09-08
https://github.com/axylisdead/CVE-2023-25136_POC	2023-09-10
https://github.com/mrmtwoj/CVE-2023-25136	2025-01-16
https://bugzilla.mindrot.org/show_bug.cgi?id=3522	2024-08-02
https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept	2024-08-02
https://www.openwall.com/lists/oss-security/2023/02/02/2	2024-08-02

URL	Date	SRC
https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig	2024-02-27
https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946	2024-02-27

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGAUIXJ3TEKCRKVWFQ6GDAGQFTIIGQQP	2024-02-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7LKQDFZWKYHQ65TBSH2X2HJQ4V2THS3	2024-02-27
https://security.gentoo.org/glsa/202307-01	2024-02-27
https://access.redhat.com/security/cve/CVE-2023-25136	2023-05-09
https://bugzilla.redhat.com/show_bug.cgi?id=2167636	2023-05-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Netapp Search vendor "Netapp"	A250 Firmware Search vendor "Netapp" for product "A250 Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	A250 Search vendor "Netapp" for product "A250"	-	-	Safe
Netapp Search vendor "Netapp"	500f Firmware Search vendor "Netapp" for product "500f Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	500f Search vendor "Netapp" for product "500f"	-	-	Safe
Netapp Search vendor "Netapp"	C250 Firmware Search vendor "Netapp" for product "C250 Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	C250 Search vendor "Netapp" for product "C250"	-	-	Safe
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				9.1 Search vendor "Openbsd" for product "Openssh" and version "9.1"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				38 Search vendor "Fedoraproject" for product "Fedora" and version "38"		-		Affected
Netapp Search vendor "Netapp"		Ontap Select Deploy Administration Utility Search vendor "Netapp" for product "Ontap Select Deploy Administration Utility"				-		-		Affected