OpenSSH 9.2, a new version of the open implementation of a client and server for the SSH 2.0 and SFTP protocols, has been released.
The new version fixes a vulnerability that leads to a double free of a memory region during the pre-authentication stage. The vulnerability affects only the OpenSSH 9.1 release; the problem does not appear in earlier versions.
To create the conditions for the vulnerability to manifest, it is enough to change the SSH client banner to "SSH-2.0-FuTTYSH_9.1p1", which causes the compatibility flags "SSH_BUG_CURVE25519PAD" and "SSH_OLD_DHGEX" (selected according to the SSH client version) to be set.
Once these flags are set, the memory for the "options.kex_algorithms" buffer is freed twice: once when do_ssh2_kex() runs and calls compat_kex_proposal(), and again when do_authentication2() runs and, along the call chain input_userauth_request(), mm_getpwnamallow(), copy_set_server_options(), assemble_algorithms() and kex_assemble_names(), frees the same buffer a second time.
Creating a working exploit for the vulnerability is considered unlikely, since exploitation would be too complicated: modern memory allocators protect against double frees, and the pre-authentication process in which the bug lies runs with reduced privileges inside a sandbox.
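To make the ownership problem concrete, here is a small C model added for this article. It is not OpenSSH's source and does not reproduce the server's exploitation conditions; it uses only the flag names and the two owners named above (compat_kex_proposal() on the KEX side, and the options code that later frees options.kex_algorithms). The flag bit values, the sample algorithm list and the filter helper are constructed for the example. A tiny quarantining allocator stands in for the double-free protection that modern allocators provide: rather than passing a pointer to free() twice, it counts the second free. The same filter chain is run the 9.1 way (it is handed the caller's own buffer and frees it) and under the fixed contract (it works on a private copy, so the caller's buffer stays the caller's):

```c
#include <stdlib.h>
#include <string.h>

#define SSH_BUG_CURVE25519PAD 0x01	/* names from the page; bit values constructed */
#define SSH_OLD_DHGEX         0x02
/* Constructed sample value for options.kex_algorithms. */
#define KEX_ALGORITHMS "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256"

/* Quarantining allocator: freed blocks are kept, never reused, so a second free
 * of the same pointer is caught, as the hardened allocators the page cites do. */
#define MAX_TRACKED 64
static struct { void *p; int freed; } tracked[MAX_TRACKED];
static int ntracked, double_frees;
static char *tstrdup(const char *s)
{
	size_t n = strlen(s) + 1;
	char *p = malloc(n);
	if (p == NULL || ntracked == MAX_TRACKED)
		abort();
	tracked[ntracked].p = memcpy(p, s, n);
	tracked[ntracked++].freed = 0;
	return p;
}
/* Returns 1 (and counts it) if p was already freed or never allocated here. */
static int tfree(void *p)
{
	int i;
	for (i = 0; i < ntracked; i++)
		if (tracked[i].p == p && !tracked[i].freed) {
			tracked[i].freed = 1;
			return 0;
		}
	double_frees++;
	return 1;
}
/* Really release the quarantine; returns the number of double frees caught. */
static int tracker_reset(void)
{
	int caught = double_frees;
	while (ntracked > 0)
		free(tracked[--ntracked].p);
	double_frees = 0;
	return caught;
}

/* Return a fresh copy of proposal without the algorithm called name, then free
 * proposal: this filter consumes its input. Tokens are compared whole, so
 * "sha1" never matches "sha256". */
static char *filter_name(char *proposal, const char *name)
{
	char *out = tstrdup(proposal);	/* the result is never longer */
	const char *in = proposal;
	size_t o = 0, len = 0;
	for (; *in != '\0'; in += len + (in[len] == ',')) {
		len = strcspn(in, ",");
		if (len == strlen(name) && memcmp(in, name, len) == 0)
			continue;
		if (o > 0)
			out[o++] = ',';
		memcpy(out + o, in, len);
		o += len;
	}
	out[o] = '\0';
	tfree(proposal);
	return out;
}

/* Each compatibility flag drops algorithms from the proposal; every pass frees
 * the buffer it was handed. With no flag set, p is returned unchanged. */
static char *apply_compat_filters(int compat, char *p)
{
	if (compat & SSH_BUG_CURVE25519PAD)
		p = filter_name(p, "curve25519-sha256@libssh.org");
	if (compat & SSH_OLD_DHGEX) {
		p = filter_name(p, "diffie-hellman-group-exchange-sha256");
		p = filter_name(p, "diffie-hellman-group-exchange-sha1");
	}
	return p;
}

/* Two owners, as on the page: the KEX stage consumes the proposal via
 * compat_kex_proposal(); the options code later frees options.kex_algorithms.
 * Returns the double frees caught, or -1 if the proposal differs from expected. */
static int simulate_server(int compat, int use_fixed, const char *expected)
{
	char *kex_algorithms = tstrdup(KEX_ALGORITHMS), *proposal;
	int wrong, caught;
	/* Constructed model of the 9.1 defect (not OpenSSH's source): the caller's
	 * buffer enters a chain that frees it while the caller still treats it as
	 * its own. Fixed: the chain gets a private copy and frees nothing the caller owns. */
	proposal = apply_compat_filters(compat,
	    use_fixed ? tstrdup(kex_algorithms) : kex_algorithms);
	wrong = strcmp(proposal, expected) != 0;
	if (proposal != kex_algorithms)
		tfree(proposal);	/* KEX stage drops its copy */
	tfree(kex_algorithms);		/* options code frees the buffer it owns */
	caught = tracker_reset();
	return wrong ? -1 : caught;
}
```

Run against the constructed sample, the 9.1-style path reports one double free whenever either compatibility flag is set, while the fixed path reports none and yields the same filtered proposal. The root cause the model isolates is an unclear ownership contract: a helper that frees what it is handed forces every caller to know that, and the second owner here did not. The tracker only counts the event; a hardened production allocator aborts instead, which is part of why the advisory rates exploitation as unlikely.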
In addition to the mentioned vulnerability, the new version also fixes two more security issues:
- A bug in the handling of the "PermitRemoteOpen" setting caused its first argument to be ignored when it was anything other than "any" or "none". The issue appeared in versions after OpenSSH 8.7 and meant the check was skipped when only one permission was specified.
- An attacker controlling the DNS server used for name resolution could get special characters (for example, "*") inserted into known_hosts files if the CanonicalizeHostname and CanonicalizePermittedCNAMEs options are enabled in the configuration and the resolver does not verify that DNS server responses are correct. The attack is considered unlikely to succeed, since the returned names must match the conditions specified via CanonicalizePermittedCNAMEs.
What's new in OpenSSH 9.2
Of the changes that were made in OpenSSH 9.2 it stands out that added a configurationon EnableEscapeCommandline a ssh_config to control whether client-side processing of the "~C" escape sequence whenever the command line is enabled. By default, "~C" processing is now disabled to allow stricter sandboxing, which could break systems that use "~C" for port forwarding at runtime
Has added ChannelTimeout directive to sshd_config for sshd to set the channel idle timeout (Channels on which no traffic has been detected for the time specified in the policy will be automatically closed.) Session, X11, agent, and redirect traffic can have different timeouts.
Of the other changes:
- Added an UnusedConnectionTimeout directive to sshd_config, which lets sshd terminate connections from clients that have had no active channels for a set amount of time.
- Added the "-V" option to sshd to display the version, similar to the ssh client option.
- Added the string "host" to the output of "ssh -G" to reflect the value of the hostname argument.
- Added the "-X" option to scp and sftp to control SFTP parameters such as copy buffer size and number of pending requests.
- ssh-keyscan can now scan entire CIDR address ranges, for example “ssh-keyscan 192.168.0.0/24”.
Finally, if you are interested in knowing more about this new version, you can check the details at the following link.
How to install OpenSSH 9.2 on Linux?
Those interested in installing this new version of OpenSSH on their systems can, for now, do so by downloading the source code and compiling it on their machines.
This is because the new version has not yet been included in the repositories of the main Linux distributions. The source code can be obtained from the following link.
Once the download is finished, we unpack the tarball with the following command:
tar -xvf openssh-9.2.tar.gz
We enter the directory it created:
cd openssh-9.2
And we can compile and install (the last step needs root privileges) with the following commands:
./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install
"In a hurry?"…
Well, I do take them out, hehe.
Thanks for the observation.