[ASA-202407-1] openssh: authentication bypass

2024-07-01 00:00:00, security.archlinux.org

CVSS3 : 8.1 High
Attack Vector : NETWORK
Attack Complexity : HIGH
Privileges Required : NONE
User Interaction : NONE
Scope : UNCHANGED
Confidentiality Impact : HIGH
Integrity Impact : HIGH
Availability Impact : HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score : 8.1 High (Confidence: High)
EPSS : 0.0005 Low (Percentile: 17.3%)

Arch Linux Security Advisory ASA-202407-1

Severity: High
Date : 2024-07-01
CVE-ID : CVE-2024-6387
Package : openssh
Type : authentication bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-2855

Summary

The package openssh before version 9.8p1-1 is vulnerable to
authentication bypass.

Resolution

Upgrade to 9.8p1-1.

pacman -Syu "openssh>=9.8p1-1"

The problem has been fixed upstream in version 9.8p1.

Workaround

Set LoginGraceTime to 0 in /etc/ssh/sshd_config. This makes sshd
vulnerable to a denial of service (the exhaustion of all MaxStartups
connections), but it makes it safe from this vulnerability.

Description

A signal handler race condition was found in OpenSSH’s server (sshd):
if a client does not authenticate within LoginGraceTime seconds (120
by default, 600 in old OpenSSH versions), then sshd’s SIGALRM handler
is called asynchronously. However, this signal handler calls various
functions that are not async-signal-safe, for example, syslog().
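
The pattern named in the Description, next to an async-signal-safe alternative, as an added C example (not sshd source and not the upstream patch). All function and variable names are hypothetical, and alarm(1) stands in for LoginGraceTime.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Hypothetical names throughout; this models the pattern, it is not sshd code. */
static volatile sig_atomic_t grace_expired; /* the only state the safe handler touches */

/* UNSAFE (the pattern in the Description): syslog() is not async-signal-safe.
 * It may take locks or allocate memory, so if SIGALRM lands while the main
 * flow is inside those same routines, their state is re-entered half-updated. */
static void unsafe_alarm_handler(int sig) {
    (void)sig;
    syslog(LOG_INFO, "login grace time expired");
    _exit(1);
}

/* SAFE: store to a sig_atomic_t flag and return; the main flow does the rest. */
static void safe_alarm_handler(int sig) {
    (void)sig;
    grace_expired = 1;
}

/* Install the chosen SIGALRM handler; returns 0 on success, -1 on error. */
int install_grace_handler(int use_safe) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = use_safe ? safe_alarm_handler : unsafe_alarm_handler;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGALRM, &sa, NULL);
}

/* Runs in normal context, where logging is allowed. Returns 1 if the timer fired. */
int grace_timer_fired(void) {
    if (!grace_expired)
        return 0;
    syslog(LOG_INFO, "login grace time expired");
    return 1;
}

int main(void) {
    if (install_grace_handler(1) != 0)
        return 2;
    alarm(1); /* one second stands in for LoginGraceTime */
    pause();  /* stands in for waiting on the unauthenticated client */
    return grace_timer_fired() ? 0 : 1;
}
```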

Impact

A remote attacker could use this issue to bypass authentication and
remotely access systems without proper credentials. During upgrade, the
sshd service must be restarted right away using the same connection to
avoid being locked out.

References

https://www.openwall.com/lists/oss-security/2024/07/01/3
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
https://github.com/openssh/openssh-portable/commit/81c1099d22b81ebfd20a334ce986c4f753b0db29
https://security.archlinux.org/CVE-2024-6387

OS         Version  Architecture  Package  Version    Filename
ArchLinux  any      any           openssh  < 9.8p1-1  UNKNOWN
