OpenSSH 9.2 released with a fix for a vulnerability reachable before authentication

OpenSSH 9.2, an open implementation of a client and server for the SSH 2.0 and SFTP protocols, has been released. The new version fixes a vulnerability that leads to a double free of a memory region at the stage before authentication. OpenSSH 9.1 is affected; the problem does not appear in earlier versions.

To create the conditions under which the vulnerability manifests, it is enough to change the SSH client banner to "SSH-2.0-FuTTYSH_9.1p1" so that the "SSH_BUG_CURVE25519PAD" and "SSH_OLD_DHGEX" compatibility flags, which are chosen according to the SSH client version, get set. Once these flags are set, the memory for the "options.kex_algorithms" buffer is freed twice: first while executing the do_ssh2_kex() function, which calls compat_kex_proposal(), and again while executing do_authentication2(), which calls in turn input_userauth_request(), mm_getpwnamallow(), copy_set_server_options(), assemble_algorithms() and kex_assemble_names().
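The double free described above comes down to an ownership question: which code owns the options.kex_algorithms buffer once the compat filtering has run. As an added illustration written for this article (not OpenSSH's own code), here is a compat filter in the hardened shape, where the caller keeps its buffer and always receives a fresh allocation to free; the flag bit values and the algorithm lists each flag strips are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
/* Compat flags named after those in the article; bit values are arbitrary here.
 * The algorithm lists each flag strips are assumed for the example, not quoted
 * from the page. */
#define SSH_BUG_CURVE25519PAD 0x01u
#define SSH_OLD_DHGEX         0x02u
static const char *const pad_deny[]   = { "curve25519-sha256@libssh.org" };
static const char *const dhgex_deny[] = { "diffie-hellman-group-exchange-sha256",
                                          "diffie-hellman-group-exchange-sha1" };

static int denied(const char *alg, const char *const *deny, size_t n)
{
    while (n--) if (strcmp(alg, deny[n]) == 0) return 1;
    return 0;
}

/* Return a NEW string holding `list` minus the denied entries.
 * Never frees `list` and never returns `list` itself. */
char *filter_denylist(const char *list, const char *const *deny, size_t ndeny)
{
    char *work = strdup(list), *out = malloc(strlen(list) + 1), *save = NULL;
    if (work == NULL || out == NULL) { free(work); free(out); return NULL; }
    out[0] = '\0';
    for (char *t = strtok_r(work, ",", &save); t; t = strtok_r(NULL, ",", &save)) {
        if (denied(t, deny, ndeny)) continue;
        if (out[0] != '\0') strcat(out, ",");
        strcat(out, t);
    }
    free(work);
    return out;
}

/* Ownership contract: the caller keeps `proposal` (think options.kex_algorithms)
 * and always receives a fresh allocation to free, whatever flags are set. A
 * variant that freed `proposal` under one flag but returned it untouched under
 * another leaves two owners of one buffer, so the later free on the
 * authentication path becomes a double free. Only local allocations die here. */
char *compat_kex_proposal_fixed(unsigned compat, const char *proposal)
{
    char *cur = strdup(proposal), *next;
    if (cur != NULL && (compat & SSH_BUG_CURVE25519PAD)) {
        next = filter_denylist(cur, pad_deny, 1); free(cur); cur = next;
    }
    if (cur != NULL && (compat & SSH_OLD_DHGEX)) {
        next = filter_denylist(cur, dhgex_deny, 2); free(cur); cur = next;
    }
    return cur; /* NULL only on allocation failure */
}
```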

Creating a working exploit for the vulnerability is considered unlikely, since the exploitation process is too complicated: modern memory allocation libraries provide protection against double freeing of memory, and the pre-authentication process containing the error runs with reduced privileges in an isolated sandbox environment.

In addition to the vulnerability noted above, two more security problems were fixed in the new release:

  • An error in processing the "PermitRemoteOpen" setting, which led to the first argument being ignored if it differed from the values "any" and "none". The problem appears in versions newer than OpenSSH 8.7 and causes the check to be bypassed when only one permission is specified.
  • An attacker controlling the DNS server used for name resolution could achieve the substitution of special characters (for example, "*") into the known_hosts files, if the configuration includes the CanonicalizeHostname and CanonicalizePermittedCNAMEs options and the system resolver does not verify the correctness of the responses from the DNS server. The attack is considered unlikely, since the returned names must satisfy the conditions set via CanonicalizePermittedCNAMEs.

Other changes:

  • ssh_config for ssh gains the EnableEscapeCommandline setting, which controls whether client-side processing of the "~C" escape sequence, which provides a command line, is enabled. By default, "~C" processing is now disabled so that stricter sandbox isolation can be used, which can potentially break setups in which "~C" is used to forward ports during a session.
  • sshd_config for sshd gains the ChannelTimeout directive for setting a channel inactivity timeout (applied to channels in which no traffic is recorded for the time specified in the directive). Different timeouts can be set for session, X11, agent and traffic forwarding channels.
