<![CDATA[Dev1 Galaxy Forum / CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems]]> https://dev1galaxy.org/viewtopic.php?id=6702 Sat, 06 Jul 2024 18:05:51 +0000 FluxBB <![CDATA[Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems]]> https://dev1galaxy.org/viewtopic.php?pid=50947#p50947 BTW, Siva, how does one know that  1:9.2p1-2+deb12u3 fixes regreSSHion?    Never mind, found it on Debian's changelog.   async-signal-unsafe  (https://metadata.ftp-master.debian.org/ … _changelog).

]]> Sat, 06 Jul 2024 18:05:51 +0000 https://dev1galaxy.org/viewtopic.php?pid=50947#p50947 <![CDATA[Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems]]> https://dev1galaxy.org/viewtopic.php?pid=50946#p50946 I know, Siva, but I'm running Devuan.   I've even tried with Debian's packages, which got me into a bit of a "pickle", if that's what the English call it.  I was hoping someone could tell me why Devuan is holding back.  May be a dependency problem?  But yes, I ran apt-get update, a number of times now since I read about regreSSHion.

]]> Sat, 06 Jul 2024 17:55:43 +0000 https://dev1galaxy.org/viewtopic.php?pid=50946#p50946 <![CDATA[Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems]]> https://dev1galaxy.org/viewtopic.php?pid=50944#p50944 Hate asking, but did you run apt update first? Debian's armhf version is at the correct version.

https://packages.debian.org/search?arch … ssh-server

]]> Sat, 06 Jul 2024 14:16:22 +0000 https://dev1galaxy.org/viewtopic.php?pid=50944#p50944 <![CDATA[Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems]]> https://dev1galaxy.org/viewtopic.php?pid=50922#p50922 Any idea why this fix is not needed for daedalus on armhf?

openssh-server is already the newest version (1:9.2p1-2+deb12u2).
]]> Thu, 04 Jul 2024 06:03:59 +0000 https://dev1galaxy.org/viewtopic.php?pid=50922#p50922 <![CDATA[Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems]]> https://dev1galaxy.org/viewtopic.php?pid=50871#p50871 
Upgrade: openssh-client:amd64 (1:9.2p1-2+deb12u2, 1:9.2p1-2+deb12u3)

Now that you mention that, it looks like they released two fixes today: one to address the CVE in the server, and one to fix a separate issue in the client. https://www.openssh.com/releasenotes.html

]]> Mon, 01 Jul 2024 19:01:48 +0000 https://dev1galaxy.org/viewtopic.php?pid=50871#p50871 <![CDATA[Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems]]> https://dev1galaxy.org/viewtopic.php?pid=50870#p50870 Hello:

Got the upgrade from Devuan early this morning:

Start-Date: 2024-07-01  07:09:32
Commandline: apt upgrade
Requested-By: groucho (1000)
Upgrade: openssh-client:amd64 (1:9.2p1-2+deb12u2, 1:9.2p1-2+deb12u3)
End-Date: 2024-07-01  07:09:34
Log started: 2024-07-01  07:09:32
Preparing to unpack .../openssh-client_1%3a9.2p1-2+deb12u3_amd64.deb ...
Unpacking openssh-client (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Setting up openssh-client (1:9.2p1-2+deb12u3) ...
Processing triggers for man-db (2.11.2-2) ...
Log ended: 2024-07-01  07:09:34

Best,

A.

]]> Mon, 01 Jul 2024 16:40:05 +0000 https://dev1galaxy.org/viewtopic.php?pid=50870#p50870 <![CDATA[CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems]]> https://dev1galaxy.org/viewtopic.php?pid=50866#p50866 Qualys writeup: https://www.qualys.com/2024/07/01/cve-2 … stract.com
Debian security tracker: https://security-tracker.debian.org/tra … -2024-6387
NIST report: https://nvd.nist.gov/vuln/detail/CVE-2024-6387

The Qualys writeup includes an in-depth walkthrough of the vulnerability. Can't find a standalone proof-of-concept at this time.

We discovered a vulnerability (a signal handler race condition) in
OpenSSH's server (sshd): if a client does not authenticate within
LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions),
then sshd's SIGALRM handler is called asynchronously, but this signal
handler calls various functions that are not async-signal-safe (for
example, syslog()). This race condition affects sshd in its default
configuration.

On investigation, we realized that this vulnerability is in fact a
regression of CVE-2006-5051 ("Signal handler race condition in OpenSSH
before 4.4 allows remote attackers to cause a denial of service (crash),
and possibly execute arbitrary code"), which was reported in 2006 by
Mark Dowd.

This regression was introduced in October 2020 (OpenSSH 8.5p1) by commit
752250c ("revised log infrastructure for OpenSSH"), which accidentally
removed an "#ifdef DO_LOG_SAFE_IN_SIGHAND" from sigdie(), a function
that is directly called by sshd's SIGALRM handler. In other words:

- OpenSSH < 4.4p1 is vulnerable to this signal handler race condition,
  if not backport-patched against CVE-2006-5051, or not patched against
  CVE-2008-4109, which was an incorrect fix for CVE-2006-5051;

- 4.4p1 <= OpenSSH < 8.5p1 is not vulnerable to this signal handler race
  condition (because the "#ifdef DO_LOG_SAFE_IN_SIGHAND" that was added
  to sigdie() by the patch for CVE-2006-5051 transformed this unsafe
  function into a safe _exit(1) call);

- 8.5p1 <= OpenSSH < 9.8p1 is vulnerable again to this signal handler
  race condition (because the "#ifdef DO_LOG_SAFE_IN_SIGHAND" was
  accidentally removed from sigdie()).

]]> Mon, 01 Jul 2024 16:06:15 +0000 https://dev1galaxy.org/viewtopic.php?pid=50866#p50866