Vulnerability Details : CVE-2023-25136
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."
Vulnerability category: Memory Corruption; Execute code
Products affected by CVE-2023-25136
- cpe:2.3:a:openbsd:openssh:9.1:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:a250_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:500f_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:c250_firmware:-:*:*:*:*:*:*:*
Threat overview for CVE-2023-25136
- Top countries where our scanners detected CVE-2023-25136: (chart not reproduced here)
- Top open port discovered on systems with this issue: 22
- IPs affected by CVE-2023-25136: 109,990
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2023-25136
- EPSS score: 1.17% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~85% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2023-25136

Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H | 2.2 | 4.2 | NIST | 
CWE ids for CVE-2023-25136
- The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-25136
- http://www.openwall.com/lists/oss-security/2023/02/22/1
  "oss-security - Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)" [Mailing List; Third Party Advisory]
- https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946
  "upstream: Always return allocated strings from the kex filtering so · openssh/openssh-portable@486c4dc · GitHub" [Patch; Third Party Advisory]
- https://www.openwall.com/lists/oss-security/2023/02/02/2
  "oss-security - double-free vulnerability in OpenSSH server 9.1" [Exploit; Mailing List; Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2023/02/23/3
  "oss-security - Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)" [Mailing List; Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2023/03/09/2
  "oss-security - Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)" [Mailing List; Third Party Advisory]
- https://bugzilla.mindrot.org/show_bug.cgi?id=3522
  "3522 – Crash with "free(): double free detected" with old clients" [Exploit; Issue Tracking; Third Party Advisory]
- https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/
  "CVE-2023-25136 OpenSSH Pre-Auth Double Free Writeup & PoC" [Exploit; Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2023/02/13/1
  "oss-security - Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)" [Mailing List; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JGAUIXJ3TEKCRKVWFQ6GDAGQFTIIGQQP/
  "[SECURITY] Fedora 38 Update: openssh-9.0p1-15.fc38 - package-announce - Fedora Mailing-Lists" [Mailing List]
- https://security.netapp.com/advisory/ntap-20230309-0003/
  "CVE-2023-25136 OpenSSH Vulnerability in NetApp Products | NetApp Product Security" [Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2023/03/06/1
  "oss-security - Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)" [Mailing List; Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2023/02/22/2
  "oss-security - Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)" [Mailing List; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7LKQDFZWKYHQ65TBSH2X2HJQ4V2THS3/
  "[SECURITY] Fedora 37 Update: openssh-8.8p1-10.fc37 - package-announce - Fedora Mailing-Lists" [Mailing List]
- https://security.gentoo.org/glsa/202307-01
  "OpenSSH: Remote Code Execution (GLSA 202307-01) — Gentoo security" [Third Party Advisory]
- https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig
  [Patch; Vendor Advisory]
- https://news.ycombinator.com/item?id=34711565
  "OpenSSH Pre-Auth Double Free – Writeup and Proof-of-Concept | Hacker News" [Issue Tracking; Third Party Advisory]