CVE-2024-6409: openssh
Title
CVE-2024-6409: OpenSSH: Possible remote code execution in privsep child due to a race condition in signal handling
Summary
As discovered by Solar Designer (CIQ/Rocky Linux):
OpenSSH versions 8.7 and 8.8 and the corresponding portable releases call cleanup_exit() from grace_alarm_handler() when running in the privsep child process. cleanup_exit() was not meant to be called from a signal handler and may call other async-signal-unsafe functions. The current understanding is that in those upstream versions cleanup_exit() would not actually call async-signal-unsafe functions under those conditions, but with downstream distribution patches it sometimes does. Specifically, openssh-7.6p1-audit.patch found in Red Hat's package of OpenSSH adds code to cleanup_exit() that exposes the issue. Relevantly, this patch is found in EL 9, where the package is based on OpenSSH 8.7p1.
This is an EL9-specific issue similar to CVE-2024-6387 regreSSHion.
Public disclosure date: July 8, 2024
EL9
- Fixed in version: 8.7p1-38.1.el9_4.security.0.7, available July 8, 2024
EL8
- Unaffected
Mitigation
Set LoginGraceTime 0 in /etc/ssh/sshd_config and do a systemctl restart sshd.
A drawback of this mitigation is that it makes the SSH server more susceptible to denial of service attacks, because unauthenticated connections are then never timed out.
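A host-level check for the two conditions above, added here as an example (not the advisory's or OpenSSH's code): it reports "fixed" when the installed openssh-server build is at or past the advisory's EL9 version, "mitigated" when the effective LoginGraceTime is 0, and "exposed" otherwise. The version ordering reimplements RPM's rpmvercmp segment rules (assumed equivalent for EL9 release strings; tilde and caret separators are not handled), and the sshd -T dump used when testing it is constructed.

```python
import re

FIXED_EVR = "8.7p1-38.1.el9_4.security.0.7"  # fixed EL9 build named in the advisory
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")        # rpmvercmp() compares runs of digits or letters


def rpm_vercmp(a, b):
    """-1, 0 or 1 for two version (or release) strings, following rpmvercmp().
    Tilde and caret separators are not handled; EL9 openssh builds do not use them."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():   # a numeric segment always beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():                  # numeric: drop leading zeros, then more digits wins
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:                       # otherwise a plain string comparison decides
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def rpm_evrcmp(a, b):
    """Compare version-release strings (no epoch, as in the advisory): version, then release."""
    (va, _, ra), (vb, _, rb) = a.partition("-"), b.partition("-")
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)

def login_grace_time(sshd_t_output):
    """Effective LoginGraceTime from `sshd -T` output, or None if the keyword is absent."""
    for line in sshd_t_output.splitlines():
        key, _, value = line.partition(" ")
        if key.lower() == "logingracetime" and value.strip().isdigit():
            return int(value)
    return None

def status(installed_evr, sshd_t_output):
    """'fixed' if the package is at or past FIXED_EVR, else 'mitigated' when the
    effective LoginGraceTime is 0, else 'exposed'."""
    if rpm_evrcmp(installed_evr, FIXED_EVR) >= 0:
        return "fixed"
    if login_grace_time(sshd_t_output) == 0:
        return "mitigated"
    return "exposed"

if __name__ == "__main__":
    import subprocess
    # Query the installed EVR and the effective config (sshd -T usually needs root).
    evr = subprocess.check_output(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "openssh-server"], text=True).strip()
    print(evr, status(evr, subprocess.check_output(["sshd", "-T"], text=True)))
```

Run it as root on the EL9 host being checked; rpm -q and sshd -T supply the live values that the functions compare.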