coreos / fedora-coreos-tracker

Issue tracker for Fedora CoreOS
https://fedoraproject.org/coreos/

CVE-2024-6387: OpenSSH 9.8: regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems #1754

Closed travier closed 2 months ago

travier commented 2 months ago

See:

We discovered a vulnerability (a signal handler race condition) in OpenSSH's server (sshd): if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously, but this signal handler calls various functions that are not async-signal-safe (for example, syslog()). This race condition affects sshd in its default configuration.

They only have working exploits for i686 right now.

The configuration workarounds are not ideal unfortunately: https://lwn.net/ml/all/4f270df5-2b24-979d-c03f-6d8f3b9d007d@mindrot.org/

travier commented 2 months ago

Technically it's pending a package update in Fedora.

cverna commented 2 months ago

Update with the backported fix for F40 https://bodhi.fedoraproject.org/updates/FEDORA-2024-dc89a2e1bf

travier commented 2 months ago

I did https://github.com/coreos/fedora-coreos-config/actions/runs/9757857281 to fast-track it and it gets me:

Exception: Package openssh-9.6p1-1.fc40.4 doesn't match expected dist tag .fc40

travier commented 2 months ago

Did a manual fasttrack: https://github.com/coreos/fedora-coreos-config/pull/3047

travier commented 2 months ago

Alternative mitigation in https://social.treehouse.systems/@marcan/112715795823895634:

echo 'OPTIONS=-e' | sudo tee -a /etc/sysconfig/sshd && sudo systemctl restart sshd
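As an added example (not part of this issue thread and not Fedora CoreOS project code), here is a POSIX sh audit of the two mitigations this thread refers to: the OPTIONS=-e one-liner above, which makes sshd write its logs to stderr instead of calling syslog() (the non-async-signal-safe function the SIGALRM handler reaches), and the LoginGraceTime 0 workaround from the linked OpenSSH announcement, which removes the login timeout (and with it the SIGALRM) but lets unauthenticated connections hold their slots indefinitely. The file contents are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the CVE-2024-6387 mitigations in sshd's sysconfig and
# sshd_config. Everything below uses only POSIX sh tools (grep, sed, tr, awk).

# Constructed sample of /etc/sysconfig/sshd as left by the one-liner above.
SAMPLE_SYSCONFIG_MITIGATED='# Configuration file for the sshd service.
OPTIONS=-e'

# Constructed sample of the stock file: sshd still logs through syslog().
SAMPLE_SYSCONFIG_STOCK='# Configuration file for the sshd service.
OPTIONS='

# Constructed sshd_config fragments: default (commented) timeout vs. LoginGraceTime 0.
SAMPLE_SSHD_CONFIG_DEFAULT='Port 22
#LoginGraceTime 2m
PermitRootLogin no'
SAMPLE_SSHD_CONFIG_NOGRACE='Port 22
LoginGraceTime 0
PermitRootLogin no'

# sshd_has_stderr_logging CONTENT
# Succeeds when the last OPTIONS= assignment in sysconfig content passes a
# standalone -e to sshd (the file is sourced by the unit, so the last value wins).
sshd_has_stderr_logging() {
    opts=$(printf '%s\n' "$1" | grep -E '^OPTIONS=' | tail -n 1 \
           | sed 's/^OPTIONS=//' | tr -d "\"'")
    case " $opts " in
        *" -e "*) return 0 ;;
        *) return 1 ;;
    esac
}

# sshd_login_grace_disabled CONTENT
# Succeeds when sshd_config sets LoginGraceTime to 0 (or 0s). sshd uses the
# first occurrence of a keyword, so only the first uncommented match counts;
# both "keyword value" and "keyword=value" forms are accepted.
sshd_login_grace_disabled() {
    val=$(printf '%s\n' "$1" \
          | grep -iE '^[[:space:]]*LoginGraceTime([[:space:]]|=)' \
          | head -n 1 | tr '=' ' ' | awk '{print $2}')
    case "$val" in
        0|0s) return 0 ;;
        *) return 1 ;;
    esac
}

# sshd_mitigation_count SYSCONFIG_CONTENT SSHD_CONFIG_CONTENT
# Echoes how many of the two mitigations are active (0, 1 or 2).
sshd_mitigation_count() {
    n=0
    sshd_has_stderr_logging "$1" && n=$((n + 1))
    sshd_login_grace_disabled "$2" && n=$((n + 1))
    echo "$n"
}

# sshd_mitigation_report SYSCONFIG_CONTENT SSHD_CONFIG_CONTENT
# Prints one line per mitigation; always returns 0 so it can feed a report.
sshd_mitigation_report() {
    if sshd_has_stderr_logging "$1"; then
        echo "sysconfig:   sshd started with -e (no syslog() call from the handler)"
    else
        echo "sysconfig:   sshd logs via syslog(); relies on the package update"
    fi
    if sshd_login_grace_disabled "$2"; then
        echo "sshd_config: LoginGraceTime 0 (race closed, but no auth timeout)"
    else
        echo "sshd_config: LoginGraceTime in effect"
    fi
    return 0
}

# Demo over the constructed samples. On a real host pass the file contents,
# e.g. sshd_mitigation_report "$(cat /etc/sysconfig/sshd)" "$(cat /etc/ssh/sshd_config)"
sshd_mitigation_report "$SAMPLE_SYSCONFIG_MITIGATED" "$SAMPLE_SSHD_CONFIG_DEFAULT"
```

Either check passing only tells you the race is mitigated, not that the host is fixed; the authoritative state is the installed openssh-server package, which the later comments in this thread track by stream release.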

jlebon commented 2 months ago

This was fixed in testing 40.20240701.2.0 and next 40.20240701.1.0. Currently, we are not planning an ad-hoc release for stable; it'll ship in stable next week.

marmijo commented 1 month ago

The fix for this went into stable stream release 40.20240701.3.0.