Critical OpenSSH GSSAPI Flaw Threatens Linux Servers

Critical OpenSSH GSSAPI Flaw Threatens Linux Servers

Posted on By CWS

A critical security flaw has been identified in the GSSAPI Key Exchange protocol, impacting numerous Linux distributions using OpenSSH. This vulnerability, cataloged as CVE-2026-3497, allows attackers to reliably crash SSH child processes and potentially breach privilege boundaries with a single malicious packet.

Discovery and Technical Details

Security researcher Jeremy Brown uncovered the defect within the server-side GSSAPI key exchange handler, specifically in the kexgsss.c file. The issue arises from the incorrect use of sshpkt_disconnect() instead of ssh_packet_disconnect() in error-handling code. This oversight leads to the transmission of uninitialized stack variable data, potentially causing heap memory corruption.

The vulnerability is classified under CWE-824 and CWE-908, with severe implications. A crafted SSH packet, approximately 300 bytes in size, can trigger the flaw without authentication. This results in significant security risks, including SIGABRT or SIGSEGV signals and reliable child process crashes in tested configurations.

Impact and Exploitation

The severity of the flaw varies based on compiler options and optimization flags across different distributions. Notably, systems compiled with Clang using -O0 show a pointer value of 0xfffbe600, whereas GCC with -O2 and -fno-stack-protector results in a valid heap address of 127,344 bytes. This discrepancy highlights the diverse impact across Linux systems.

Tests across eight builds revealed that the recv_tok.value could range from NULL to various memory regions. This vulnerability predominantly affects Ubuntu and Debian systems with the GSSAPI key exchange enabled, yet the impact likely spans further due to multiple GSSAPI KEX patch versions.

Mitigation and Recommendations

To address this vulnerability, administrators should replace all instances of sshpkt_disconnect() with ssh_packet_disconnect() within the kexgsss.c file. Ubuntu has already issued a patch to resolve this issue. It is crucial for system administrators to promptly apply updates or disable the GSSAPIKeyExchange temporarily to mitigate potential risks.

Staying informed about security updates is vital for maintaining system integrity. Follow reliable cybersecurity news sources for the latest information and updates. Administrators are encouraged to monitor their systems closely and ensure patches are applied promptly to safeguard against exploitation.

Cyber Security News Tags:, , , , , , , , , , , ,

Related Posts

Telegram-Based ResokerRAT Threatens Windows Security Telegram-Based ResokerRAT Threatens Windows Security Cyber Security News
Report Reveals Tool Overload Driving Fatigue and Missed Threats in MSPs Report Reveals Tool Overload Driving Fatigue and Missed Threats in MSPs Cyber Security News
Anthropic Introduces AI-Driven Code Security Analysis Anthropic Introduces AI-Driven Code Security Analysis Cyber Security News
New Android Malware Mimics as SBI Card, Axis Bank Apps to Steal Users Financial Data New Android Malware Mimics as SBI Card, Axis Bank Apps to Steal Users Financial Data Cyber Security News
LexisNexis Breach Exposes Data from AWS Servers LexisNexis Breach Exposes Data from AWS Servers Cyber Security News
MacOS Users Targeted by New Phishing Email Scam MacOS Users Targeted by New Phishing Email Scam Cyber Security News