|
|
Subscribe / Log in / New account

Arch Linux alert ASA-202407-1 (openssh)



From:
              Levente Polyak <anthraxx@archlinux.org>


To:
              arch-security@lists.archlinux.org


Subject:
              [ASA-202407-1] openssh: authentication bypass


Date:
              Mon, 01 Jul 2024 20:42:18 +0200


Message-ID:
              <ce682ff3-10ce-4845-af9d-77cddedaf61c@archlinux.org>


Archive-link:
              Article


Arch Linux Security Advisory ASA-202407-1
=========================================

Severity: High
Date    : 2024-07-01
CVE-ID  : CVE-2024-6387
Package : openssh
Type    : authentication bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2855

Summary
=======

The package openssh before version 9.8p1-1 is vulnerable to
authentication bypass.

Resolution
==========

Upgrade to 9.8p1-1.

# pacman -Syu "openssh>=9.8p1-1"

The problem has been fixed upstream in version 9.8p1.

Workaround
==========

Set LoginGraceTime to 0 in /etc/ssh/sshd_config. This makes sshd
vulnerable to a denial of service (the exhaustion of all MaxStartups
connections), but it makes it safe from this vulnerability.

Description
===========

A signal handler race condition was found in OpenSSH's server (sshd),
where a client does not authenticate within LoginGraceTime seconds (120
by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler
is called asynchronously. However, this signal handler calls various
functions that are not async-signal-safe, for example, syslog().

Impact
======

A remote attacker could use this issue to bypass authentication and
remotely access systems without proper credentials. During upgrade, the
sshd service must be restarted right away using the same connection to
avoid being locked out.

References
==========

https://www.openwall.com/lists/oss-security/2024/07/01/3
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshi...
https://github.com/openssh/openssh-portable/commit/81c109...
https://security.archlinux.org/CVE-2024-6387




Attachment: OpenPGP_signature.asc (type=application/pgp-signature)

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE4kC1fixGMLp2ji8m/BtUfI2BcsgFAmaC+IoACgkQ/BtUfI2B
cshJlA/9FV6fIsUzBX8DVpjc/HdN9oYbPyVeB0YzDK6ib8nZRQDyyk5GadlyyfyL
pYpzIfS0wHCMOd0JEnsMcgtncVhsI5Z0jX3S4FYT7BIX1fApEVRt9mBzR247CDN+
tUfrXS9H4gXRI7mfIli5rfryk3b/KzUg/qaO+bGztOzO4WMyMsT4SXv7pgoIqJnE
0lKCOK4Iamtrm4zfiieerNTGbnULIGgw/e6CpnNlCxmE7O/Gsgt9Uflqm7FpVZgd
9C1MoPNS5Mrm5RMWsVNoTpCAK7lTsSPgfUqB0Xsq9rsBd/LiiRFd0jqUTnU+BhR5
Ss2dRhpn/Dpvs8fQOiUfDo4WsKj0UDUqgVTLv41MMZyf+hdoCsG5y3wSG3WVVG4z
xROumOVFQ2VSx7tbkY7XdYQ8uou+zIlCF7i6JdIAAqLtGNDzj4Zb6Zw+PfiQWnxS
pyilHsLHvvbltYP1JSiYAop8XdZychkKOuP/5GzkGWufNMk6Eb/nqARrdGvxR+cf
3cgBsSpuUlCN9SmbD++mlo2dWHTpjCXQS3PSi3Me9/AP/uLQhooSrnz1hsgWjdp8
8ZoogRxIowWief+e82QDI7UdX6iR3IyGdmqymtvrPwIiY3/luBoTITw7qcq5S2jZ
bz/pwtkdHVAvz51nqxnkTBvqhFxnPRxSdsVJ6zyCsN/+MJqVoH4=
=lhm4
-----END PGP SIGNATURE-----
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds