Bug 2294879

Summary: CVE-2024-6387: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server
Product: [Fedora] Fedora Reporter: Daniel Milnes <daniel>
Component: opensshAssignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: rawhideCC: arancox, crypto-team, dbelyavs, dwalsh, evs, fweimer, jh.redhat-2018, jjelen, lkundrak, mattias.ellert, pgnd, tm
Target Milestone: ---Keywords: Security, Triaged
Target Release: ---Flags: fedora-admin-xmlrpc: mirror+
Hardware: All   
OS: Linux   
URL: https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-07-02 09:36:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2230781    
Bug Blocks:    

Description Daniel Milnes 2024-07-01 09:54:10 UTC 
OpenSSH and Qualys have disclosed CVE-2024-6387, which is a race condition allowing for Remote Code Execution as Root in openssh-server.

OpenSSH estimate that 6-8 hours of bruteforcing against an ASLR-enabled 32-bit system would allow this vulnerability to be exploited. Exploits for 64-bit are currently still theoretical. I've raised this as urgent, although it could potentially be downgraded to High until the exploit is proven.

There are more details about this vulnerability on https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt 

This will be fixed by bug 2230781, which I will hopefully have a look at later today.

Reproducible: Always
Comment 1 Daniel Milnes 2024-07-01 10:35:16 UTC 
Freshly un-embargoed, this is also being tracked on bug 2294604.
Comment 2 Dmitry Belyavskiy 2024-07-02 09:36:52 UTC 
The fix has landed