Message-ID: <aUFnkZUz29e7mr8o@ucc.gu.uwa.edu.au>
Date: Tue, 16 Dec 2025 22:07:13 +0800
From: Matt Johnston <matt@....asn.au>
To: oss-security@...ts.openwall.com
Subject: Dropbear 2025.89 fixes privilege escalation, CVE-2025-14282

Forwarded from the dropbear list.

---

Dropbear 2025.89 is released. As well as various improvements, this includes a security fix for privilege escalation in Dropbear server. This affects versions 2024.84 to 2025.88, allowing any authenticated user to run arbitrary programs as root (depending on other system programs).

A mitigation for affected versions is to disable unix socket forwarding, either with "dropbear -j" runtime argument (will also disable TCP forwarding) or building with localoptions.h / distrooptions.h "#define DROPBEAR_SVR_LOCALSTREAMFWD 0".

The full fix of dropping privileges requires the commits in
https://github.com/mkj/dropbear/pull/391
https://github.com/mkj/dropbear/pull/394

Unix socket forwarding is now disabled when forced command options are used, since it could bypass command restrictions. This isn't directly related to the privilege escalation, but could allow arbitrary commands to be run as the correct user.

https://matt.ucc.asn.au/dropbear/
https://dropbear.nl/mirror/

Cheers,
Matt

2025.89 - 16 December 2025

- Security: Avoid privilege escalation via unix stream forwarding in Dropbear server. Other programs on a system may authenticate unix sockets via SO_PEERCRED, which would be root user for Dropbear forwarded connections, allowing root privilege escalation. Reported by Turistu, and thanks for advice on the fix. This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88. It is fixed by dropping privileges of the dropbear process after authentication. Unix stream sockets are now disallowed when a forced command is used, either with authorized_key restrictions or "dropbear -c command".
  In previous affected releases, running with "dropbear -j" (will also disable TCP forwarding) or building with localoptions.h/distrooptions.h "#define DROPBEAR_SVR_LOCALSTREAMFWD 0" is a mitigation.
- Security: Include scp fix for CVE-2019-6111. This allowed a malicious server to overwrite arbitrary local files. The missing fix was reported by Ashish Kunwar.
- Server dropping privileges post-auth is enabled by default. This requires setresgid() support, so some platforms such as netbsd or macos will have to disable DROPBEAR_SVR_DROP_PRIVS in localoptions.h. Unix stream forwarding is not available if DROPBEAR_SVR_DROP_PRIVS is disabled. Remote server TCP socket forwarding will now use OS privileged port restrictions rather than having a fixed "allow >=1024 for non-root" rule. A future release may implement privilege dropping for netbsd/macos.
- Fix a regression in 2025.87 when RSA and DSS are not built. This would lead to a crash at startup with bad_bufptr(). Reported by Dani Schmitt and Sebastian Priebe.
- Don't limit channel window to 500MB. That could cause stuck connections if peers advise a large window and don't send an increment within 500MB. Affects SSH.NET https://github.com/sshnet/SSH.NET/issues/1671 Reported by Rob Hague.
- Ignore -g -s when passwords aren't enabled. Patch from Norbert Lange. Ignore -m (disable MOTD), -j/-k (tcp forwarding) when not enabled.
- Report SIGBUS and SIGTRAP signals. Patch from Loïc Mangeonjean.
- Fix incorrect server auth delay. Was meant to be 250-350ms, it was actually 150-350ms or possibly negative (zero). Reported by pickaxprograms.
- Fix building without public key options. Thanks to Konstantin Demin.
- Fix building with proxycmd but without netcat. Thanks to Konstantin Demin.
- Fix incorrect path documentation for distrooptions, thanks to Todd Zullinger.
- Fix SO_REUSEADDR for TCP tests, reported by vt-alt.
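The two mechanisms the announcement turns on, SO_PEERCRED authentication of a unix socket and dropping privileges after authentication, are shown below in an added illustration. This is not Dropbear's code and not code from the mailing list; it is an editor's example that assumes Linux/glibc, and the function names (peer_credentials, authorise_peer, drop_privileges, privileges_dropped) are the example's own. The socketpair stands in for a forwarded connection: the credentials a local daemon reads are those of the process that connected, so a forwarder running as root presents uid 0 regardless of which SSH user asked for the forward. drop_privileges shows the order (supplementary groups, gid, uid) and the check that the saved ids were changed as well, which is what makes the drop irreversible.

```c
/* Added illustration (not Dropbear code): SO_PEERCRED as seen behind a
 * socket forwarder, and an irreversible post-authentication privilege
 * drop. Linux/glibc only; all function names are this example's own. */
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
#include <stdio.h>

/* Layout of the SO_PEERCRED result as documented in unix(7); declared
 * locally so the block compiles whether or not struct ucred is visible. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Prototypes in case the feature macros did not expose them. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);

/* Credentials of the process holding the other end of an AF_UNIX stream
 * socket. For a forwarded connection that is the forwarder, not the remote
 * SSH user: a forwarder running as root shows up as uid 0. */
int peer_credentials(int fd, struct peer_cred *out)
{
    socklen_t len = sizeof *out;
    return getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len);
}

/* The check a local daemon typically makes: 1 = accept, 0 = reject, -1 = error. */
int authorise_peer(int fd, uid_t expected_uid)
{
    struct peer_cred c;
    if (peer_credentials(fd, &c) != 0)
        return -1;
    return c.uid == expected_uid ? 1 : 0;
}

/* All six ids must equal the target; a lingering saved uid of 0 is the
 * classic incomplete drop that setuid(0) can undo. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return ru == uid && eu == uid && su == uid &&
           rg == gid && eg == gid && sg == gid;
}

/* Permanently drop to uid/gid: supplementary groups first (only possible
 * while still root), then gid, then uid, each setting real, effective and
 * saved ids together. Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return privileges_dropped(uid, gid) ? 0 : -1;
}

/* Both ends of a socketpair belong to this process, which plays the
 * forwarder: the "daemon" end sees our ids, not any remote user's. */
int peer_is_this_process(void)
{
    int sv[2];
    struct peer_cred c;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;
    int ok = peer_credentials(sv[0], &c) == 0 && c.pid == getpid() &&
             c.uid == geteuid() && c.gid == getegid();
    close(sv[0]);
    close(sv[1]);
    return ok;
}

/* The daemon-side check accepts the forwarder's uid and nothing else. */
int authorise_rejects_other_uid(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;
    int ok = authorise_peer(sv[0], geteuid()) == 1 &&
             authorise_peer(sv[0], geteuid() + 1) == 0;
    close(sv[0]);
    close(sv[1]);
    return ok;
}

/* Dropping to the ids already held is permitted for any user, so the
 * sequence and its verification can be exercised without root. */
int drop_to_current_ids(void)
{
    return drop_privileges(getuid(), getgid());
}

int main(void)
{
    int sv[2];
    struct peer_cred c;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 ||
        peer_credentials(sv[0], &c) != 0)
        return 1;
    printf("daemon side sees peer pid=%ld uid=%ld gid=%ld\n",
           (long)c.pid, (long)c.uid, (long)c.gid);
    printf("drop to own ids: %s\n", drop_to_current_ids() == 0 ? "ok" : "failed");
    return 0;
}
```

Run as an ordinary user the peer uid printed is your own; the same call made by a daemon on a socket that a root-owned forwarder connected would print uid 0, which is the whole of the problem the release fixes. The check in privileges_dropped is the part worth copying: verifying the saved ids, not just the effective ones, is what distinguishes a real drop from one that can be reversed.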