CVE-2023-25136
openssh: the functions order_hostkeyalgs() and list_hostkey_types() lead to a double-free vulnerability
Public Exploits: 11
Exploited in Wild: -
Descriptions
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."
A flaw was found in the OpenSSH server (sshd), which introduced a double-free vulnerability during options.kex_algorithms handling. An unauthenticated attacker can trigger the double-free in the default configuration.
Timeline
- 2023-02-03 CVE Reserved
- 2023-02-03 CVE Published
- 2023-02-09 First Exploit
- 2024-08-02 CVE Updated
- 2024-11-22 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-401: Missing Release of Memory after Effective Lifetime
- CWE-415: Double Free
References (26)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2023/02/13/1 | Mailing List | |
http://www.openwall.com/lists/oss-security/2023/02/22/1 | Mailing List | |
http://www.openwall.com/lists/oss-security/2023/02/22/2 | Mailing List | |
http://www.openwall.com/lists/oss-security/2023/02/23/3 | Mailing List | |
http://www.openwall.com/lists/oss-security/2023/03/06/1 | Mailing List | |
http://www.openwall.com/lists/oss-security/2023/03/09/2 | Mailing List | |
https://news.ycombinator.com/item?id=34711565 | Issue Tracking | |
https://security.netapp.com/advisory/ntap-20230309-0003 | Third Party Advisory | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | | Vendor | Product | Version | Other | Status |
---|---|---|---|---|---|---|---|---|---|---|
Netapp | A250 Firmware | - | - | Affected | in | Netapp | A250 | - | - | Safe |
Netapp | 500f Firmware | - | - | Affected | in | Netapp | 500f | - | - | Safe |
Netapp | C250 Firmware | - | - | Affected | in | Netapp | C250 | - | - | Safe |
Openbsd | Openssh | 9.1 | - | Affected | | | | | | |
Fedoraproject | Fedora | 37 | - | Affected | | | | | | |
Fedoraproject | Fedora | 38 | - | Affected | | | | | | |
Netapp | Ontap Select Deploy Administration Utility | - | - | Affected | | | | | | |