OpenSSH GSSAPI Key Exchange Uninitialized Pointer Dereference Vulnerability

Vulnerability

A vulnerability exists in the OpenSSH GSSAPI key exchange patch shipped by various Linux distributions. The issue arises from the use of 'sshpkt_disconnect()', a non-terminating function that returns to its caller after sending the disconnect message, where 'ssh_packet_disconnect()', which terminates the process, was intended. As a result, an attacker can send a crafted GSSAPI message during the key exchange so that the error path returns instead of terminating, and execution continues into code that uses a variable that was never initialized on that path. This flaw causes the program to access arbitrary memory, resulting in undefined behavior. The vulnerability is present in OpenSSH versions 8.9p1 and 9.1p1, specifically within the GSSAPI key exchange implementation.

Impact

Exploitation of this vulnerability causes a pre-authentication uninitialized pointer dereference, confirmed to corrupt the heap by freeing an uninitialized pointer, which triggers a crash. Additionally, according to the Ubuntu security team, it crosses the privilege separation boundary: up to 127KB of heap data from the unprivileged process is sent over IPC to the root monitor process.

Reproduction

To reproduce this vulnerability, send a crafted SSH packet of approximately 300 bytes during the GSSAPI key exchange phase. The packet should exercise the error-handling case, triggering the use of an uninitialized variable, which can then be manipulated to cause heap corruption.

Remediation

Users can apply the patch provided by the Ubuntu security team, which replaces 'sshpkt_disconnect()' with 'ssh_packet_disconnect()' at the relevant call sites in the GSSAPI key exchange server code, so that the error path terminates instead of falling through into cleanup.
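As an added example, not OpenSSH code or the Ubuntu patch: a heuristic audit script that lists 'sshpkt_disconnect()' calls not followed by an early exit, the fall-through shape described above, so a patched tree can be checked for remaining call sites. The C fragment it scans is constructed, and its function names (kexgss_server_step, gss_step_failed, token_too_large) are hypothetical.

```python
"""Audit helper (added example, not OpenSSH or Ubuntu code): list the
sshpkt_disconnect() calls that are not followed by an early exit, the shape
behind this bug, where control continues into cleanup after the call."""
import re

NON_TERMINATING = "sshpkt_disconnect("
EXIT_STMT = re.compile(r"^\s*(return\b|goto\b|break\b|exit\()")
COMMENT = ("//", "/*", "*")

def find_fallthrough_disconnects(source: str) -> list[int]:
    """Return 1-based line numbers of sshpkt_disconnect() calls whose next
    statement is not return/goto/break/exit. Heuristic: anything else after
    the call means code that assumes the peer is already gone can run."""
    lines = source.splitlines()
    hits = []
    for i, line in enumerate(lines):
        if NON_TERMINATING not in line or line.strip().startswith(COMMENT):
            continue
        end = i                          # the call may span several lines
        while end < len(lines) and ";" not in lines[end]:
            end += 1
        nxt = end + 1                    # first real statement after the call
        while nxt < len(lines) and (not lines[nxt].strip()
                                    or lines[nxt].strip().startswith(COMMENT)):
            nxt += 1
        if nxt >= len(lines) or not EXIT_STMT.match(lines[nxt]):
            hits.append(i + 1)
    return hits

# Constructed C fragment in the shape the advisory describes; the function
# names are hypothetical stand-ins, not the real kexgss server code.
SAMPLE = """\
static int
kexgss_server_step(struct ssh *ssh)
{
    void *tok;                      /* only assigned on the success path */
    if (gss_step_failed(ssh)) {
        sshpkt_disconnect(ssh, "GSSAPI step failed");
    }
    free(tok);                      /* reached on the error path too */
    if (token_too_large(ssh)) {
        sshpkt_disconnect(ssh,
            "GSSAPI token too large");
        goto out;                   /* correct: leave before cleanup */
    }
out:
    return 0;
}
"""
```

Running find_fallthrough_disconnects(SAMPLE) reports line 6 (the call followed by a closing brace and then free(tok)) and accepts the multi-line call that is followed by goto out.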

Added: Mar 12, 2026, 7:19 PM
Updated: Mar 12, 2026, 7:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.3
remediation: 0.0
relevance: 3.8
threat: 1.6
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.