• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
openssh releases patch for new pre auth double free vulnerability

OpenSSH Releases Patch for New Pre-Auth Double Free Vulnerability

You are here: Home / General Cyber Security News / OpenSSH Releases Patch for New Pre-Auth Double Free Vulnerability
February 6, 2023

The maintainers of OpenSSH have produced OpenSSH 9.2 to deal with a number of security bugs, which includes a memory protection vulnerability in the OpenSSH server (sshd).

Tracked as CVE-2023-25136, the shortcoming has been categorised as a pre-authentication double cost-free vulnerability that was introduced in version 9.1.

“This is not thought to be exploitable, and it happens in the unprivileged pre-auth system that is topic to chroot(2) and is additional sandboxed on most important platforms,” OpenSSH disclosed in its release notes on February 2, 2023.

✔ Approved From Our Partners
AOMEI Backupper Lifetime

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code


Credited with reporting the flaw to OpenSSH in July 2022 is security researcher Mantas Mikulenas.

OpenSSH is the open up source implementation of the protected shell (SSH) protocol that gives a suite of expert services for encrypted communications around an unsecured network in a shopper-server architecture.

“The exposure happens in the chunk of memory freed two times, the ‘options.kex_algorithms,'” Qualys researcher Saeed Abbasi reported, including the issue results in a “double free of charge in the unprivileged sshd system.”

Double no cost flaws occur when a vulnerable piece of code calls the cost-free() perform – which is applied to deallocate memory blocks – twice, main to memory corruption, which, in flip, could direct to a crash or execution of arbitrary code.

“Doubly liberating memory may perhaps outcome in a create-what-in which condition, enabling an attacker to execute arbitrary code,” MITRE notes in its description of the flaw.

“Though the double-free of charge vulnerability in OpenSSH version 9.1 may perhaps elevate problems, it is critical to observe that exploiting this issue is no basic process,” Abbasi defined.

“This is because of to the protective actions put in spot by contemporary memory allocators and the sturdy privilege separation and sandboxing implemented in the impacted sshd method.”

Users are advisable to update to OpenSSH 9.2 to mitigate probable security threats.

Discovered this report appealing? Observe us on Twitter  and LinkedIn to examine extra unique articles we put up.


Some sections of this short article are sourced from:
thehackernews.com

Previous Post: «Cyber Security News Scam Alert for Dingo Token That Charges 99% Fee
Next Post: SaaS in the Real World: Who’s Responsible to Secure this Data? saas in the real world: who's responsible to secure this»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • Malicious Python Package Uses Unicode Trickery to Evade Detection and Steal Data
  • Some GitHub users must take action after RSA SSH host key exposed
  • THN Webinar: Inside the High Risk of 3rd-Party SaaS Apps
  • Pension Protection Fund confirms employee data exposed in GoAnywhere breach
  • GitHub Swiftly Replaces Exposed RSA SSH Key to Protect Git Operations
  • Now UK Parliament Bans TikTok from its Network and Devices
  • IRS Phishing Emails Used to Distribute Emotet
  • Researchers Uncover Chinese Nation State Hackers’ Deceptive Attack Strategies
  • Fifth of Execs Admit Security Flaws Cost Them New Biz
  • Online Safety Bill: Why is Ofcom being thrown under the bus?

Copyright © TheCyberSecurity.News, All Rights Reserved.