Skip to content

CVE-2024-6409: openssh

Title

CVE-2024-6409: OpenSSH: Possible remote code execution in privsep child due to a race condition in signal handling

Summary

As discovered by Solar Designer (CIQ/Rocky Linux):

OpenSSH versions 8.7 and 8.8 and the corresponding portable releases call cleanup_exit() from grace_alarm_handler() when running in the privsep child process. cleanup_exit() was not meant to be called from a signal handler and may call other async-signal-unsafe functions. The current understanding is that in those upstream versions cleanup_exit() would not actually call async-signal-unsafe functions under those conditions, but with downstream distribution patches it sometimes does. Specifically, openssh-7.6p1-audit.patch found in Red Hat's package of OpenSSH adds code to cleanup_exit() that exposes the issue. Relevantly, this patch is found in EL 9, where the package is based on OpenSSH 8.7p1.

This is an EL9-specific issue similar to CVE-2024-6387 regreSSHion.

Public disclosure date: July 8, 2024

EL9

  • Fixed in version: 8.7p1-38.1.el9_4.security.0.7 available July 8, 2024

EL8

  • Unaffected

Mitigation

Set LoginGraceTime 0 in /etc/ssh/sshd_config and do a systemctl restart sshd.

A drawback of this mitigation is that it will make the SSH server more susceptible to denial of service attacks.