forked from security/wiki
# CVE-2024-6409: openssh

## Title

CVE-2024-6409: OpenSSH: Possible remote code execution in privsep child due to a race condition in signal handling

## Summary

As [discovered by Solar Designer (CIQ/Rocky Linux)](https://www.openwall.com/lists/oss-security/2024/07/08/2):

OpenSSH versions 8.7 and 8.8 and the corresponding portable releases call `cleanup_exit()` from `grace_alarm_handler()` when running in the privsep child process. `cleanup_exit()` was not meant to be called from a signal handler and may call other async-signal-unsafe functions. The current understanding is that in those upstream versions `cleanup_exit()` would not actually call async-signal-unsafe functions under those conditions, but with downstream distribution patches it sometimes does. Specifically, openssh-7.6p1-audit.patch found in Red Hat's package of OpenSSH adds code to `cleanup_exit()` that exposes the issue. Relevantly, this patch is found in EL 9, where the package is based on OpenSSH 8.7p1.

This is an EL9-specific issue similar to [CVE-2024-6387 regreSSHion](CVE-2024-6387.md).

Public disclosure date: July 8, 2024

## EL9

- Fixed in version: `8.7p1-38.1.el9_4.security.0.7` available July 8, 2024

## EL8

- Unaffected

## Mitigation

Set `LoginGraceTime 0` in `/etc/ssh/sshd_config` and do a `systemctl restart sshd`.

A drawback of this mitigation is that it will make the SSH server more susceptible to denial of service attacks.
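The following script is an added example for verifying the mitigation above; it is not part of this wiki page or of the OpenSSH project. It reports the `LoginGraceTime` value sshd would actually apply from a configuration file, rather than just grepping for the line, because sshd keeps the first value it sees for a keyword and processes `Include` directives in place. The EL9 stock `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, so a drop-in file that sets `LoginGraceTime` is read before anything appended to the main file and would silently win. The script assumes (labelled in the comments) that relative `Include` paths resolve against the directory of the main file, standing in for the `/etc/ssh` that sshd itself uses, and that an absent keyword means the default of 120 seconds. The sample configuration files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original advisory): report the LoginGraceTime
# that sshd would apply from a config file, so "LoginGraceTime 0" can be
# verified rather than assumed.
# Assumptions: sshd keeps the FIRST value seen for a keyword; Include is
# processed where it appears; a relative Include path is resolved against the
# directory of the main file (sshd uses /etc/ssh); a missing keyword means the
# default of 120 seconds.

# Print the first LoginGraceTime value seen in $1, descending into Include
# files in order. Prints nothing when the keyword never appears.
first_login_grace_time() {
    cfg=$1
    dir=$(dirname "$cfg")
    [ -r "$cfg" ] || return 0
    while read -r key rest || [ -n "$key" ]; do
        rest=${rest%%#*}                        # drop a trailing comment
        case "$key" in ''|'#'*) continue ;; esac # blank or comment line
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        if [ "$lkey" = logingracetime ]; then
            set -f; set -- $rest; set +f        # first word only, no globbing
            printf '%s\n' "$1"
            return 0
        elif [ "$lkey" = include ]; then
            set -f; set -- $rest; set +f        # keep the patterns unexpanded
            for pat; do
                case "$pat" in /*) ;; *) pat="$dir/$pat" ;; esac
                for inc in $pat; do             # glob expansion, sorted order
                    [ -f "$inc" ] || continue
                    # $(...) runs in a subshell, so recursion cannot clobber cfg/dir
                    found=$(first_login_grace_time "$inc")
                    if [ -n "$found" ]; then printf '%s\n' "$found"; return 0; fi
                done
            done
        fi
    done < "$cfg"
    return 0
}

# The value sshd would use, with the 120-second default applied when unset.
effective_login_grace_time() {
    v=$(first_login_grace_time "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '120\n'; fi
}

# Exit status 0 only when the mitigation (LoginGraceTime 0) is in effect.
mitigation_applied() {
    [ "$(effective_login_grace_time "$1")" = 0 ]
}

# Constructed sample layout mirroring EL9's "Include sshd_config.d/*.conf" at
# the top of sshd_config: the drop-in is read BEFORE the main file's own
# settings, so the "LoginGraceTime 0" appended to sshd_config loses.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/sshd_config.d"
printf 'LoginGraceTime 2m\n' > "$demo_dir/sshd_config.d/10-constructed.conf"
printf 'Include sshd_config.d/*.conf\nPort 22\nLoginGraceTime 0\n' > "$demo_dir/sshd_config"

printf 'effective LoginGraceTime: %s\n' "$(effective_login_grace_time "$demo_dir/sshd_config")"
if mitigation_applied "$demo_dir/sshd_config"; then
    echo "mitigated"
else
    echo "NOT mitigated: an earlier Include sets LoginGraceTime first"
fi
```

On a live host, `sshd -T` prints the configuration sshd actually resolved, so `sshd -T | grep -i logingracetime` is the authoritative check after the restart; the script above is for auditing config files offline, for example copies collected from several EL9 machines, and for catching the drop-in ordering trap before the restart.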