regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems (CVE-2024-6387) (www.qualys.com)

submitted 5 days ago by thomask to c/cybersecurity@sh.itjust.works

5 comments fedilink hide all child comments

The following summary from Debian's security list:

The Qualys Threat Research Unit (TRU) discovered that OpenSSH, an implementation of the SSH protocol suite, is prone to a signal handler race condition. If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe. A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges. This flaw affects sshd in its default configuration.

top 5 comments

sorted by: hot top controversial new old

[-] cron@feddit.org 4 points 5 days ago

That looks horrible.

[-] qprimed@lemmy.ml 1 points 5 days ago* (last edited 5 days ago)

indeed, but your SSH ports should not be hanging out in the wind for any old IP to hit.

[-] cron@feddit.org 3 points 5 days ago

openssh is typically quite robust, this is a rare exception

[-] onlinepersona@programming.dev 2 points 5 days ago

On June 6, 2024, this signal handler race condition was fixed by commit 81c1099 ("Add a facility to sshd(8) to penalise particular problematic client behaviours"), which moved the async-signal-unsafe code from sshd's SIGALRM handler to sshd's listener process, where it can be handled synchronously:

https://github.com/openssh/openssh-portable/commit/81c1099d22b81ebfd20a334ce986c4f753b0db29

Because this fix is part of a large commit (81c1099), on top of an even larger defense-in-depth commit (03e3de4, "Start the process of splitting sshd into separate binaries"), it might prove difficult to backport.

Oh shit, now squash on merge folks can claim "defense-in-depth".

Always makes me think of this comic by geek and poke

Anti Commercial-AI license

[-] infeeeee@lemm.ee 2 points 5 days ago

It says 4.4 to 8.4 versions are not vulnerable. A lot of old distro releases are on these versions, Debian 10, 11, Ubuntu 20.04 LTS is not affected https://pkgs.org/download/openssh-server

this post was submitted on 01 Jul 2024

38 points (100.0% liked)

Cybersecurity

4987 readers

78 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !cybersecurity@lemmy.capebreton.social !securitynews@infosec.pub !netsec@links.hackliberty.org !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 1 year ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social