The release of OpenSSH 9.2, an open implementation of the client and server for working over the SSH 2.0 and SFTP protocols, has been published. The new version fixes a vulnerability leading to double freeing of a memory area at the stage before passing authentication. The vulnerability affects only the release of OpenSSH 9.1, in earlier versions the problem does not appear.
To create conditions for the manifestation of a vulnerability, it is enough to change the banner of the SSH client to "SSH-2.0-FuTTYSH_9.1p1" in order to set the flags "SSH_BUG_CURVE25519PAD" and "SSH_OLD_DHGEX", depending on the version of the SSH client. After setting these flags, the memory for the "options.kex_algorithms" buffer is freed twice - when executing the do_ssh2_kex() function, which calls compat_kex_proposal(), and when executing the do_authentication2() function, which calls input_userauth_request(), mm_getpwnamallow(), copy_set_server_options() along the chain , assemble_algorithms() and kex_assemble_names().
The creation of a working exploit for the vulnerability is considered unlikely, since the exploitation process is too complicated - modern memory allocation libraries provide protection against double freeing of memory, and the pre-auth process, in which there is an error, is executed with reduced privileges in an isolated sandbox environment.
In addition to the noted vulnerability, the new release also fixes two more security issues:
- Error processing "PermitRemoteOpen" setting causing the first argument to be ignored if it is different from "any" and "none". The problem appears in versions newer than OpenSSH 8.7 and causes the check to be skipped when only one permission is specified.
- An attacker that controls the DNS server used to resolve names can achieve the substitution of special characters (for example, "*") in known_hosts files if the CanonicalizeHostname and CanonicalizePermittedCNAMEs options are enabled in the configuration, and the system resolver does not check the correctness of responses from the DNS server. The attack is considered unlikely to be carried out, since the returned names must match the conditions specified via CanonicalizePermittedCNAMEs.
Other changes:
- Added an EnableEscapeCommandline setting to ssh_config to control whether client-side processing of the "~C" escape sequence providing the command line is enabled. By default, "~C" processing is now disabled to allow tighter sandboxing, potentially breaking systems that use "~C" for port forwarding at run time.
- The ChannelTimeout directive has been added to sshd_config for sshd to set the channel inactivity timeout (channels in which traffic has not been detected during the time specified in the directive will be automatically closed). Session, X11, agent, and redirect traffic can have different timeouts.
- Added the UnusedConnectionTimeout directive to sshd_config for sshd, which allows you to set a timeout for terminating client connections that have been without active channels for a certain time.
- Added '-V' option to sshd to display version similar to ssh client option.
- Added "Host" string to "ssh -G" output to reflect the value of the hostname argument.
- Added "-X" option to scp and sftp to control SFTP protocol parameters such as copy buffer size and number of pending requests.
- ssh-keyscan allows full CIDR address ranges to be scanned, such as "ssh-keyscan 192.168.0.0/24".
Source: opennet.ru