PT-2025-7169 · Openssh +7
Gianluca Gabrielli · Published 2025-02-18 · Updated 2025-07-15 · CVE-2025-26466
8.2 High
Base vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
OpenSSH versions 9.5p1 through 9.9p1
Description:
A flaw was found in the OpenSSH package: for each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packets. The queued pong is only freed when the server/client key exchange has finished. A malicious client may keep sending such packets, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service. This issue can be exploited through memory exhaustion or CPU consumption, allowing an attacker to crash OpenSSH or disrupt operations.
Recommendations:
To mitigate this issue, upgrade to OpenSSH 9.9p2 immediately. Additionally, review SSH configurations to ensure security settings are properly enforced. As a temporary workaround, consider using the existing `PerSourcePenalties` feature to mitigate the condition. Restrict access to the vulnerable `SSH2_MSG_PING` packets to minimize the risk of exploitation. Avoid using the `PING`/`PONG` messages between a client and a server until the issue is resolved.
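A triage helper for the version range and workaround named above, added here as an example and not taken from the advisory or from OpenSSH. The function names and verdict strings are hypothetical, and it assumes the lowercase `persourcepenalties ...` line format of `sshd -T` output.

```shell
#!/bin/sh
# Added example: triage for CVE-2025-26466. Affected range per the advisory:
# OpenSSH 9.5p1 through 9.9p1 (9.9p2 is the fixed release).
# Caveat: distributions may backport the fix without changing the upstream
# version string, so an "affected" verdict still needs a package changelog check.

# is_affected VERSION: exit 0 if in range, 1 if not, 2 if unparseable.
# Accepts strings such as the one `ssh -V` prints, e.g. "OpenSSH_9.6p1 Ubuntu-3".
is_affected() {
    v=$(printf '%s\n' "$1" | sed -n \
        's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$v" ] || return 2
    set -- $v                          # $1=major $2=minor $3=portable patch
    [ "$1" -eq 9 ] && [ "$2" -ge 5 ] && [ "$2" -le 9 ] || return 1
    [ "$2" -lt 9 ] || [ "$3" -lt 2 ]   # 9.9p2 and later are outside the range
}

# penalties_enabled: reads `sshd -T` style output on stdin; exit 0 when a
# persourcepenalties line exists and is not "no" (assumed output format).
# PerSourcePenalties only exists in OpenSSH 9.8 and later, so older affected
# builds have no such line and are reported as unmitigated.
penalties_enabled() {
    awk 'tolower($1) == "persourcepenalties" { found = 1; on = (tolower($2) != "no") }
         END { exit !(found && on) }'
}

# triage VERSION < effective-config: prints one verdict word.
triage() {
    is_affected "$1" && rc=0 || rc=$?
    case $rc in
        0) if penalties_enabled; then echo "affected-workaround-on"
           else echo "affected-unmitigated"; fi ;;
        2) echo "unknown-version" ;;
        *) echo "not-in-range" ;;
    esac
}

# Constructed sample inputs (not captured from a real host).
sample_on='port 22
persourcepenalties crash:90 authfail:5 noauth:1 grace-exceeded:20'
sample_off='port 22
persourcepenalties no'
printf '%s\n' "$sample_on"  | triage "OpenSSH_9.8p1 Debian-1"
printf '%s\n' "$sample_off" | triage "OpenSSH_9.9p1"
printf '%s\n' "$sample_on"  | triage "OpenSSH_9.9p2"
```

On a live host, feed it the effective configuration: `sshd -T | triage "$(ssh -V 2>&1)"`.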
Exploit
Fix
DoS
Resource Exhaustion
Allocation of Resources Without Limits