Bug 1935055 (CVE-2021-28041) - CVE-2021-28041 openssh: double-free memory corruption may lead to arbitrary code execution
Summary: CVE-2021-28041 openssh: double-free memory corruption may lead to arbitrary c...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-28041
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1935057 1936971
Blocks:
Reported: 2021-03-04 10:25 UTC by Marian Rehak
Modified: 2022-04-17 21:11 UTC
CC List: 11 users

Fixed In Version: openssh 8.5
Doc Type: If docs needed, set a value
Doc Text:
A double-free memory corruption flaw was found in OpenSSH 8.2, specifically in the ssh-agent application. The flaw is reachable by an attacker with access to the agent socket, for example when a user forwards their agent to an account shared with a malicious user or to a host on which an attacker holds root access. The highest threat from this vulnerability is to confidentiality and integrity, as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-03-08 19:01:49 UTC
Embargoed:



Description Marian Rehak 2021-03-04 10:25:53 UTC
A double-free memory corruption, introduced in OpenSSH 8.2, that could be reached by an attacker with access to the agent socket. Exploitable by a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access.

Reference:

https://www.openssh.com/txt/release-8.5

Comment 1 Marian Rehak 2021-03-04 10:27:08 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1935057]

Comment 9 Marco Benatto 2021-03-09 17:49:31 UTC
External References:

https://www.openssh.com/txt/release-8.5

Comment 10 RaTasha Tillery-Smith 2021-03-11 13:31:38 UTC
Statement:

This issue doesn't affect any versions of OpenSSH packaged and shipped with Red Hat Enterprise Linux 6, 7 and 8. The issue was introduced in OpenSSH 8.2, while the most recent OpenSSH version available for Red Hat Enterprise Linux 8 is based on OpenSSH 8.0.

Comment 11 Marco Benatto 2021-03-12 18:32:32 UTC
Upstream fix:
https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db

The double free happens on ssh-agent
