Bug 2294604 (CVE-2024-6387, regreSSHion)

Summary: CVE-2024-6387 openssh: regreSSHion - race condition in SSH allows RCE/DoS
Product: [Other] Security Response
Reporter: Marco Benatto <mbenatto>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: agurenko, akborder, amctagga, anrussel, aoconnor, a.orsaria, arancox, aruffin, ashurbek.hajiyev, bdettelb, bfinger, bniver, borlandt, caswilli, chris.bowles, dbelyavs, dfreiber, doconnor, dreua, drow, eric.eisenhart, etmsys, evs, flucifre, fweimer, gmeno, jan.hohmann, jburrell, jmitchel, jsherril, jtanner, kaycoth, ken.english, kir-ulyanov, klaas, kshier, ljn917, marcus.haggquist, mbenjamin, mbezokon, mhackett, michael.n.nhan, mironov.ivan, mschindl, ngompa13, nico.van.roijen, oarribas, orabin, pdwyer, pgnd, prodsec-ir-bot, qguo, randy, rdey, redhat-bugzilla, redhat, rhbugzilla, ricardo.barberis, sbroz, security-response-team, simon, sostapov, stefano.biagiotti, sthirugn, tallis.elliott, tdeboeser1, teagle, thashimo, unixi, vereddy, vkrizan, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: sdodson: needinfo? (rdey)
agurenko: needinfo-
agurenko: needinfo-
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: openssh 8.7p1-38
Doc Type: If docs needed, set a value
Doc Text:
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2294904, 2294905, 2298747, 2298748, 2300225, 2300226, 2350733, 2350734
Bug Blocks: 2294605
Deadline: 2024-07-01

Description Marco Benatto 2024-06-27 15:50:11 UTC
We discovered a vulnerability (a signal handler race condition) in OpenSSH's server (sshd): if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously, but this signal handler calls various functions that are not async-signal-safe (for example, syslog()).

On investigation, we realized that this vulnerability is in fact a regression of CVE-2006-5051 ("Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code"), which was reported in 2006 by Mark Dowd.

This regression was introduced in October 2020 (OpenSSH 8.5p1) by commit 752250c ("revised log infrastructure for OpenSSH"), which accidentally removed an "#ifdef DO_LOG_SAFE_IN_SIGHAND" from sigdie(), a function that is directly called by sshd's SIGALRM handler.
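
The handler pattern the description warns about, shown beside the safe form, as an added C illustration that is not part of this bug report and not OpenSSH's code. The unsafe handler is included only to mark which calls are not async-signal-safe; nothing installs it. The names safe_alarm_handler, install_grace_handler, grace_period_expired, simulate_grace_timeout and deferred_delivery_demo are constructed for the example, and the "grace timeout" is simulated with raise() rather than a real LoginGraceTime wait.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Constructed illustration (not OpenSSH code). The safe handler does one
 * thing: a store to a sig_atomic_t, which is async-signal-safe. Everything
 * else (logging, freeing state, exiting) is deferred to the main loop. */
static volatile sig_atomic_t grace_expired = 0;

static void safe_alarm_handler(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* The shape the description describes: syslog() may take a lock or call
 * malloc(), and exit() runs atexit() handlers. If SIGALRM arrives while the
 * main program is inside one of those functions, the handler re-enters it on
 * half-updated state. Shown for contrast only; it is never installed. */
void unsafe_alarm_handler(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication");  /* not async-signal-safe */
    exit(1);                                             /* not async-signal-safe */
}

/* Install the safe handler for SIGALRM. Returns 0 on success, -1 on error. */
int install_grace_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_alarm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;   /* no SA_RESTART: a blocked read() returns EINTR, so the loop re-checks the flag */
    return sigaction(SIGALRM, &sa, NULL);
}

/* Called from the main loop, never from a handler, so logging here is safe.
 * Returns 1 once if the grace period expired since the last check. */
int grace_period_expired(void)
{
    if (!grace_expired)
        return 0;
    grace_expired = 0;
    fprintf(stderr, "login grace time exceeded, closing connection\n");
    return 1;
}

/* Stand-in for an expiring LoginGraceTime without waiting: deliver SIGALRM to
 * ourselves and confirm that the main-loop check sees it. Returns 1 on the
 * expected path, 0 if the flag was not set, -1 if sigaction() failed. */
int simulate_grace_timeout(void)
{
    if (install_grace_handler() != 0)
        return -1;
    grace_expired = 0;
    raise(SIGALRM);
    return grace_period_expired();
}

/* Complementary mitigation: block SIGALRM around a non-reentrant section. A
 * signal raised meanwhile stays pending and is delivered when it is unblocked.
 * Returns 1 if delivery was deferred and then happened, 0 otherwise, -1 on error. */
int deferred_delivery_demo(void)
{
    sigset_t block;
    int inside, after;

    if (install_grace_handler() != 0)
        return -1;
    grace_expired = 0;
    sigemptyset(&block);
    sigaddset(&block, SIGALRM);
    if (sigprocmask(SIG_BLOCK, &block, NULL) != 0)
        return -1;
    raise(SIGALRM);              /* pending: the handler must not run yet */
    inside = grace_expired;
    if (sigprocmask(SIG_UNBLOCK, &block, NULL) != 0)
        return -1;               /* the pending signal is delivered before this returns */
    after = grace_expired;
    return inside == 0 && after == 1;
}

int main(void)
{
    int ok = simulate_grace_timeout() == 1 && deferred_delivery_demo() == 1;
    printf("%s\n", ok ? "safe handler pattern behaved as expected" : "unexpected result");
    return ok ? 0 : 1;
}
```

The point of the two functions is the same as the `DO_LOG_SAFE_IN_SIGHAND` guard that the regressing commit removed: the handler itself must touch nothing that can be mid-update in the interrupted code, and any work that needs the allocator or a lock waits for a point where the main loop polls the flag or until the signal is unblocked.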

Comment 9 errata-xmlrpc 2024-07-03 14:32:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4312 https://access.redhat.com/errata/RHSA-2024:4312

Comment 12 errata-xmlrpc 2024-07-05 21:32:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4340 https://access.redhat.com/errata/RHSA-2024:4340

Comment 14 errata-xmlrpc 2024-07-08 21:08:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:4389 https://access.redhat.com/errata/RHSA-2024:4389

Comment 17 errata-xmlrpc 2024-07-17 00:38:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4479 https://access.redhat.com/errata/RHSA-2024:4479

Comment 18 errata-xmlrpc 2024-07-17 01:35:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:4484 https://access.redhat.com/errata/RHSA-2024:4484

Comment 19 errata-xmlrpc 2024-07-18 17:50:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:4474 https://access.redhat.com/errata/RHSA-2024:4474
