CVE-2023-25136

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration; however, the vulnerability discoverer reports that “exploiting this vulnerability will not be easy.”


untrusted comment: verify with openbsd-72-base.pub RWQTKNnK3CZZ8JQ0BBt1FH1BwcLmKysVlCL+YqQzyPJ2Qdxm4k/khLREjXoXNdeQgkCG9ByzGCaM9IKaS6/9pt5vKh/+eb9swgI= OpenBSD 7.2 errata 017, February 2, 2023: A double-free in the sshd pre-auth unprivileged process (not believed to be exploitable). Apply by doing: signify -Vep /etc/signify/openbsd-72-base.pub -x 017_sshd.patch.sig \ -m - | (cd /usr/src && patch -p0) And then rebuild and install sshd: cd /usr/src/usr.bin/ssh make obj make make install Index: usr.bin/ssh/compat.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/compat.c,v diff -u -p -u -r1.120 compat.c — usr.bin/ssh/compat.c 1 Jul 2022 03:35:45 -0000 1.120 +++ usr.bin/ssh/compat.c 31 Jan 2023 15:43:48 -0000 @@ -188,26 +188,26 @@ compat_pkalg_proposal(struct ssh *ssh, c char * compat_kex_proposal(struct ssh *ssh, char *p) { - char *cp = NULL; + char *cp = NULL, *cp2 = NULL; if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0) return xstrdup§; debug2_f("original KEX proposal: %s", p); if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0) - if ((p = match_filter_denylist(p, + if ((cp = match_filter_denylist(p, “[email protected]”)) == NULL) fatal(“match_filter_denylist failed”); if ((ssh->compat & SSH_OLD_DHGEX) != 0) { - cp = p; - if ((p = match_filter_denylist(p, + if ((cp2 = match_filter_denylist(cp ? cp : p, “diffie-hellman-group-exchange-sha256,” “diffie-hellman-group-exchange-sha1”)) == NULL) fatal(“match_filter_denylist failed”); free(cp); + cp = cp2; } - debug2_f("compat KEX proposal: %s", p); - if (*p == ‘\0’) + debug2_f("compat KEX proposal: %s", cp); + if (*cp == ‘\0’) fatal(“No supported key exchange algorithms found”); - return p; + return cp; }
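
Review bot: compat_kex_proposal() now returns a heap string on every path (the xstrdup early return, cp otherwise) and no longer reassigns or frees `p`, but nothing in the hunk documents that ownership contract, which is what the removed `cp = p;` followed by `free(cp);` got wrong. Add a comment above the function stating that the return value is always newly allocated and must be freed by the caller, and that `p` stays owned by the caller. The final `if (*cp == '\0')` is also only safe because the early return guarantees that at least one of the two filter branches assigned cp; a one-line comment there, plus braces around the unbraced outer `if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)`, would make that invariant harder to break in a later edit.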

Related news

New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection

Details have emerged about a now-patched flaw in OpenSSH that could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions. "This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH's forwarded ssh-agent," Saeed Abbasi, manager of vulnerability research at Qualys, said in an analysis last week.

Red Hat Security Advisory 2023-3742-02

Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.

RHSA-2023:3742: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...

RHSA-2023:2645: Red Hat Security Advisory: openssh security update

An update for openssh is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-25136: A flaw was found in the OpenSSH server (sshd), which introduced a double-free vulnerability during options.kex_algorithms handling. An unauthenticated attacker can trigger the double-free in the default configuration.

CVE-2023-21954: Oracle Critical Patch Update Advisory - April 2023

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...

Update now! February's Patch Tuesday tackles three zero-days

Microsoft has released updates to patch three zero-days and lots of other vulnerabilities and so have several other vendors. The post Update now! February's Patch Tuesday tackles three zero-days appeared first on Malwarebytes Labs.

OpenSSH Releases Patch for New Pre-Auth Double Free Vulnerability

The maintainers of OpenSSH have released OpenSSH 9.2 to address a number of security bugs, including a memory safety vulnerability in the OpenSSH server (sshd). Tracked as CVE-2023-25136, the shortcoming has been classified as a pre-authentication double free vulnerability that was introduced in version 9.1. "This is not believed to be exploitable, and it occurs in the unprivileged pre-auth
