Security News > 2023 > February > OpenSSH Releases Patch for New Pre-Auth Double Free Vulnerability
The maintainers of OpenSSH have released OpenSSH 9.2 to address a number of security bugs, including a memory safety vulnerability in the OpenSSH server.
Tracked as CVE-2023-25136, the shortcoming has been classified as a pre-authentication double free vulnerability that was introduced in version 9.1.
Credited with reporting the flaw to OpenSSH in July 2022 is security researcher Mantas Mikulenas.
Double free flaws arise when a vulnerable piece of code calls the free() function - which is used to deallocate memory blocks - twice, leading to memory corruption, which, in turn, could lead to a crash or execution of arbitrary code.
"While the double-free vulnerability in OpenSSH version 9.1 may raise concerns, it is essential to note that exploiting this issue is no simple task," Abbasi explained.
Users are recommended to update to OpenSSH 9.2 to mitigate potential security threats.
News URL
https://thehackernews.com/2023/02/openssh-releases-patch-for-new-pre-auth.html
Related news
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- PAN-OS Firewall Vulnerability Under Active Exploitation – IoCs and Patch Released (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- Cleo File Transfer Vulnerability Under Exploitation – Patch Pending, Mitigation Urged (source)
- Microsoft Fixes 72 Flaws, Including Patch for Actively Exploited CLFS Vulnerability (source)
- Patch Tuesday: Microsoft Patches One Actively Exploited Vulnerability, Among Others (source)
- BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-02-03 | CVE-2023-25136 | Double Free vulnerability in multiple products OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. | 6.5 |