SSH server Dropbear allows privilege escalation

An updated version of the lean SSH server Dropbear closes a privilege escalation vulnerability, among other things.


A security vulnerability in the lean SSH server Dropbear allows attackers to escalate their privileges on the system. Updated software packages close the security gap.

Dropbear is often used on single-board computer systems and routers due to its small size, for example in OpenWRT. Now the developers have released Dropbear version 2025.89 and write in the announcement that in older versions up to and including Dropbear 2024.84, attackers can start arbitrary programs on the system as “root” if they exploit a security vulnerability in Dropbear.

The cause of the vulnerability is the forwarding of Unix sockets. Other programs on the system can authenticate the peer of a Unix socket using SO_PEERCRED; for connections forwarded by Dropbear, that peer is the user “root,” which allows users to escalate their own privileges, the Dropbear programmers explain (CVE-2025-14282, CVSS 9.8, risk “critical”).

Those who cannot update yet can protect themselves by preventing access to Unix socket forwarding. This is done by starting the server with the command-line parameter dropbear -j, which, however, also deactivates TCP forwarding at the same time. Those who build Dropbear from source themselves can also set a define appropriately in the header files “localoptions.h” and “distrooptions.h”: “#define DROPBEAR_SVR_LOCALSTREAMFWD 0” ensures that the vulnerable function is not executed. However, the complete fix requires more far-reaching changes.

“Unix socket forwarding is now disabled when forced command options are used, as they could bypass command restrictions,” explain the Dropbear developers. This is not directly related to privilege escalation but could allow the execution of arbitrary commands as the correct user.


The classification of the vulnerability as “critical” comes from CERT-Bund. Anyone using Dropbear as an SSH server should look for updated packages and install them promptly. If this is not yet possible, the proposed workaround helps to secure the installation.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.