38
submitted 5 months ago by thomask to c/cybersecurity@sh.itjust.works

The following summary from Debian's security list:

The Qualys Threat Research Unit (TRU) discovered that OpenSSH, an implementation of the SSH protocol suite, is prone to a signal handler race condition. If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe. A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges. This flaw affects sshd in its default configuration.

top 5 comments
sorted by: hot top controversial new old
[-] cron@feddit.org 4 points 5 months ago
[-] qprimed@lemmy.ml 1 points 5 months ago* (last edited 5 months ago)

indeed, but your SSH ports should not be hanging out in the wind for any old IP to hit.

[-] cron@feddit.org 3 points 5 months ago

openssh is typically quite robust, this is a rare exception

[-] onlinepersona@programming.dev 2 points 5 months ago

On June 6, 2024, this signal handler race condition was fixed by commit 81c1099 ("Add a facility to sshd(8) to penalise particular problematic client behaviours"), which moved the async-signal-unsafe code from sshd's SIGALRM handler to sshd's listener process, where it can be handled synchronously:

https://github.com/openssh/openssh-portable/commit/81c1099d22b81ebfd20a334ce986c4f753b0db29

Because this fix is part of a large commit (81c1099), on top of an even larger defense-in-depth commit (03e3de4, "Start the process of splitting sshd into separate binaries"), it might prove difficult to backport.

Oh shit, now squash on merge folks can claim "defense-in-depth".

Always makes me think of this comic by geek and poke

Anti Commercial-AI license

[-] infeeeee@lemm.ee 2 points 5 months ago

It says 4.4 to 8.4 versions are not vulnerable. A lot of old distro releases are on these versions, Debian 10, 11, Ubuntu 20.04 LTS is not affected https://pkgs.org/download/openssh-server

this post was submitted on 01 Jul 2024
38 points (100.0% liked)

Cybersecurity

5754 readers
164 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !cybersecurity@lemmy.capebreton.social !securitynews@infosec.pub !netsec@links.hackliberty.org !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 1 year ago
MODERATORS