FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

OpenSSH -- Double-free memory corruption in ssh-agent

Affected packages
8.2p1,1 <= openssh-portable < 8.4p1,1_4
8.2p1,1 <= openssh-portable-gssapi < 8.4p1,1_4
8.2p1,1 <= openssh-portable-hpn < 8.4p1,1_4

Details

VuXML ID 76b5068c-8436-11eb-9469-080027f515ea
Discovery 2021-03-03
Entry 2021-03-13

OpenBSD Project reports:

ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket.

On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions.

The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access.

References

CVE Name CVE-2021-28041
URL https://www.openssh.com/txt/release-8.5