The officially official Devuan Forum!

You are not logged in.

#1 2024-07-01 16:06:15

siva
Member
Registered: 2018-01-25
Posts: 282  

CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems

Qualys writeup: https://www.qualys.com/2024/07/01/cve-2 … stract.com
Debian security tracker: https://security-tracker.debian.org/tra … -2024-6387
NIST report: https://nvd.nist.gov/vuln/detail/CVE-2024-6387

The Qualys writeup includes an in-depth walkthrough of the vulnerability. Can't find a standalone proof-of-concept at this time.

We discovered a vulnerability (a signal handler race condition) in
OpenSSH's server (sshd): if a client does not authenticate within
LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions),
then sshd's SIGALRM handler is called asynchronously, but this signal
handler calls various functions that are not async-signal-safe (for
example, syslog()). This race condition affects sshd in its default
configuration.

On investigation, we realized that this vulnerability is in fact a
regression of CVE-2006-5051 ("Signal handler race condition in OpenSSH
before 4.4 allows remote attackers to cause a denial of service (crash),
and possibly execute arbitrary code"), which was reported in 2006 by
Mark Dowd.

This regression was introduced in October 2020 (OpenSSH 8.5p1) by commit
752250c ("revised log infrastructure for OpenSSH"), which accidentally
removed an "#ifdef DO_LOG_SAFE_IN_SIGHAND" from sigdie(), a function
that is directly called by sshd's SIGALRM handler. In other words:

- OpenSSH < 4.4p1 is vulnerable to this signal handler race condition,
  if not backport-patched against CVE-2006-5051, or not patched against
  CVE-2008-4109, which was an incorrect fix for CVE-2006-5051;

- 4.4p1 <= OpenSSH < 8.5p1 is not vulnerable to this signal handler race
  condition (because the "#ifdef DO_LOG_SAFE_IN_SIGHAND" that was added
  to sigdie() by the patch for CVE-2006-5051 transformed this unsafe
  function into a safe _exit(1) call);

- 8.5p1 <= OpenSSH < 9.8p1 is vulnerable again to this signal handler
  race condition (because the "#ifdef DO_LOG_SAFE_IN_SIGHAND" was
  accidentally removed from sigdie()).

Offline

#2 2024-07-01 16:40:05

Altoid
Member
Registered: 2017-05-07
Posts: 1,571  

Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems

Hello:

Got the upgrade from Devuan early this morning:

Start-Date: 2024-07-01  07:09:32
Commandline: apt upgrade
Requested-By: groucho (1000)
Upgrade: openssh-client:amd64 (1:9.2p1-2+deb12u2, 1:9.2p1-2+deb12u3)
End-Date: 2024-07-01  07:09:34
Log started: 2024-07-01  07:09:32
Preparing to unpack .../openssh-client_1%3a9.2p1-2+deb12u3_amd64.deb ...
Unpacking openssh-client (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Setting up openssh-client (1:9.2p1-2+deb12u3) ...
Processing triggers for man-db (2.11.2-2) ...
Log ended: 2024-07-01  07:09:34

Best,

A.

Offline

#3 2024-07-01 19:01:48

siva
Member
Registered: 2018-01-25
Posts: 282  

Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems

Upgrade: openssh-client:amd64 (1:9.2p1-2+deb12u2, 1:9.2p1-2+deb12u3)

Now that you mention that, it looks like they released two fixes today: one to address the CVE in the server, and one to fix a separate issue in the client. https://www.openssh.com/releasenotes.html

Offline

#4 2024-07-04 06:03:59

ghp
Member
From: Zwevegem, Belgium
Registered: 2017-05-08
Posts: 22  

Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems

Any idea why this fix is not needed for daedalus on armhf?

openssh-server is already the newest version (1:9.2p1-2+deb12u2).

Linux Registered User #94362

Offline

#5 2024-07-06 14:16:22

siva
Member
Registered: 2018-01-25
Posts: 282  

Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems

Hate asking, but did you run apt update first? Debian's armhf version is at the correct version.

https://packages.debian.org/search?arch … ssh-server

Offline

#6 2024-07-06 17:55:43

ghp
Member
From: Zwevegem, Belgium
Registered: 2017-05-08
Posts: 22  

Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems

I know, Siva, but I'm running Devuan.   I've even tried with Debian's packages, which got me into a bit of a "pickle", if that's what the English call it.  I was hoping someone could tell me why Devuan is holding back.  May be a dependency problem?  But yes, I ran apt-get update, a number of times now since I read about regreSSHion.

Last edited by ghp (2024-07-06 17:58:31)


Linux Registered User #94362

Offline

#7 2024-07-06 18:05:51

ghp
Member
From: Zwevegem, Belgium
Registered: 2017-05-08
Posts: 22  

Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems

BTW, Siva, how does one know that  1:9.2p1-2+deb12u3 fixes regreSSHion?    Never mind, found it on Debian's changelog.   async-signal-unsafe  (https://metadata.ftp-master.debian.org/ … _changelog).

Last edited by ghp (2024-07-06 18:12:34)


Linux Registered User #94362

Offline

Board footer