Critical OpenSSH GSSAPI Flaw Threatens Linux Servers

Critical OpenSSH GSSAPI Flaw Threatens Linux Servers

Posted on By CWS

A critical security flaw has been identified in the GSSAPI Key Exchange protocol, impacting numerous Linux distributions using OpenSSH. This vulnerability, cataloged as CVE-2026-3497, allows attackers to reliably crash SSH child processes and potentially breach privilege boundaries with a single malicious packet.

Discovery and Technical Details

Security researcher Jeremy Brown uncovered the defect within the server-side GSSAPI key exchange handler, specifically in the kexgsss.c file. The issue arises from the incorrect use of sshpkt_disconnect() instead of ssh_packet_disconnect() in error-handling code. This oversight leads to the transmission of uninitialized stack variable data, potentially causing heap memory corruption.

The vulnerability is classified under CWE-824 and CWE-908, with severe implications. A crafted SSH packet, approximately 300 bytes in size, can trigger the flaw without authentication. This results in significant security risks, including SIGABRT or SIGSEGV signals and reliable child process crashes in tested configurations.

Impact and Exploitation

The severity of the flaw varies based on compiler options and optimization flags across different distributions. Notably, systems compiled with Clang using -O0 show a pointer value of 0xfffbe600, whereas GCC with -O2 and -fno-stack-protector results in a valid heap address of 127,344 bytes. This discrepancy highlights the diverse impact across Linux systems.

Tests across eight builds revealed that the recv_tok.value could range from NULL to various memory regions. This vulnerability predominantly affects Ubuntu and Debian systems with the GSSAPI key exchange enabled, yet the impact likely spans further due to multiple GSSAPI KEX patch versions.

Mitigation and Recommendations

To address this vulnerability, administrators should replace all instances of sshpkt_disconnect() with ssh_packet_disconnect() within the kexgsss.c file. Ubuntu has already issued a patch to resolve this issue. It is crucial for system administrators to promptly apply updates or disable the GSSAPIKeyExchange temporarily to mitigate potential risks.

Staying informed about security updates is vital for maintaining system integrity. Follow reliable cybersecurity news sources for the latest information and updates. Administrators are encouraged to monitor their systems closely and ensure patches are applied promptly to safeguard against exploitation.

Cyber Security News Tags:, , , , , , , , , , , ,

Related Posts

Salesloft Drift Hacked to Steal OAuth Tokens and Exfiltrate from Salesforce Corporate Instances Salesloft Drift Hacked to Steal OAuth Tokens and Exfiltrate from Salesforce Corporate Instances Cyber Security News
APT MuddyWater Attacking CFOs Leveraging OpenSSH, Enables RDP, and Scheduled Task APT MuddyWater Attacking CFOs Leveraging OpenSSH, Enables RDP, and Scheduled Task Cyber Security News
Lenovo IdeaCentre and Yoga Laptop BIOS Vulnerabilities Execute Arbitrary Code Lenovo IdeaCentre and Yoga Laptop BIOS Vulnerabilities Execute Arbitrary Code Cyber Security News
New Mamona Ransomware Attack Windows Machines by Abusing Ping Commands New Mamona Ransomware Attack Windows Machines by Abusing Ping Commands Cyber Security News
Cybersecurity Alert: Fake CAPTCHA Attack Endangers Enterprises Cybersecurity Alert: Fake CAPTCHA Attack Endangers Enterprises Cyber Security News
Sturnus Banking Malware Steals Communications from Signal and WhatsApp, Gaining Full Control of The Device Sturnus Banking Malware Steals Communications from Signal and WhatsApp, Gaining Full Control of The Device Cyber Security News