Lucene search

K
cveFreebsdCVE-2024-7589
HistoryAug 12, 2024 - 1:38 p.m.

CVE-2024-7589

2024-08-1213:38:44
CWE-362
CWE-364
freebsd
web.nvd.nist.gov
297
openssh
pre-authentication
async signal safety
race condition
unauthenticated
remote code execution
root privileges

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.3

Confidence

High

EPSS

0.004

Percentile

73.8%

A signal handler in sshd(8) may call a logging function that is not async-signal-safe. The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default). This signal handler executes in the context of the sshd(8)'s privileged code, which is not sandboxed and runs with full root privileges.

This issue is another instance of the problem in CVE-2024-6387 addressed by FreeBSD-SA-24:04.openssh. The faulty code in this case is from the integration of blacklistd in OpenSSH in FreeBSD.

As a result of calling functions that are not async-signal-safe in the privileged sshd(8) context, a race condition exists that a determined attacker may be able to exploit to allow an unauthenticated remote code execution as root.

Affected configurations

Nvd
Node
freebsdfreebsdRange<13.0
OR
freebsdfreebsdRange13.113.3
OR
freebsdfreebsdMatch13.3p1
OR
freebsdfreebsdMatch13.3p2
OR
freebsdfreebsdMatch13.3p3
OR
freebsdfreebsdMatch13.3p4
OR
freebsdfreebsdMatch14.0beta5
OR
freebsdfreebsdMatch14.0p1
OR
freebsdfreebsdMatch14.0p2
OR
freebsdfreebsdMatch14.0p3
OR
freebsdfreebsdMatch14.0p4
OR
freebsdfreebsdMatch14.0p5
OR
freebsdfreebsdMatch14.0p6
OR
freebsdfreebsdMatch14.0p7
OR
freebsdfreebsdMatch14.0p8
OR
freebsdfreebsdMatch14.0rc3
OR
freebsdfreebsdMatch14.0rc4-p1
OR
freebsdfreebsdMatch14.1p1
OR
freebsdfreebsdMatch14.1p2
VendorProductVersionCPE
freebsdfreebsd13.3cpe:/o:freebsd:freebsd:13.3:p2::
freebsdfreebsd13.3cpe:/o:freebsd:freebsd:13.3:p4::
freebsdfreebsd14.0cpe:/o:freebsd:freebsd:14.0:rc4-p1::
freebsdfreebsd14.0cpe:/o:freebsd:freebsd:14.0:p8::
freebsdfreebsd14.0cpe:/o:freebsd:freebsd:14.0:p6::
freebsdfreebsd14.0cpe:/o:freebsd:freebsd:14.0:rc3::
freebsdfreebsd14.0cpe:/o:freebsd:freebsd:14.0:p3::
freebsdfreebsd14.0cpe:/o:freebsd:freebsd:14.0:beta5::
freebsdfreebsd14.0cpe:/o:freebsd:freebsd:14.0:p5::
freebsdfreebsd14.0cpe:/o:freebsd:freebsd:14.0:p4::
Rows per page:
1-10 of 171

CNA Affected

[
  {
    "defaultStatus": "unknown",
    "modules": [
      "openssh"
    ],
    "product": "FreeBSD",
    "vendor": "FreeBSD",
    "versions": [
      {
        "lessThan": "p3",
        "status": "affected",
        "version": "14.1-RELEASE",
        "versionType": "release"
      },
      {
        "lessThan": "p9",
        "status": "affected",
        "version": "14.0-RELEASE",
        "versionType": "release"
      },
      {
        "lessThan": "p5",
        "status": "affected",
        "version": "13.3-RELEASE",
        "versionType": "release"
      }
    ]
  }
]