Bug 2295085 (CVE-2024-6409)

Summary: CVE-2024-6409 openssh: Possible remote code execution due to a race condition in signal handling affecting Red Hat Enterprise Linux 9
Product: [Other] Security Response
Reporter: Marco Benatto <mbenatto>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adudiak, anerurka, bdettelb, caswilli, cchouhan, dbelyavs, dfreiber, drow, eric.eisenhart, jburrell, jmitchel, jsamir, jsherril, jtanner, kaycoth, kshier, ntait, oarribas, omaciel, omoris, orabin, pim, psegedy, redhat-bugzilla, redhat, security-response-team, stcannon, sthirugn, vkrizan, vkumar, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: oarribas: needinfo? (mbenatto)
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2295179    

Description Marco Benatto 2024-07-01 23:12:07 UTC
The OpenSSH version as shipped with Red Hat Enterprise Linux 9 is vulnerable to a signal handler race condition in the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server. This vulnerability only affects the versions of OpenSSH shipped with Red Hat Enterprise Linux 9.
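
The handler pattern described in the Doc Text and the description above, as an added C illustration that is not OpenSSH or Red Hat code: a login-grace SIGALRM handler that calls syslog() beside one restricted to async-signal-safe calls, with the logging moved to the parent after it reaps the child. The function names, the exit status and the 50 ms timer are assumptions made for this sketch.

```c
#define _XOPEN_SOURCE 700 /* expose sigaction() and setitimer() */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <syslog.h>
#include <unistd.h>

#define EXIT_GRACE_EXPIRED 3 /* hypothetical exit status for this demo */

/* UNSAFE shape, shown for comparison and never installed here: syslog() is
 * not async-signal-safe, so it can run on state the interrupted code left
 * half-updated. */
void unsafe_grace_handler(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication");
    _exit(EXIT_GRACE_EXPIRED);
}

/* SAFE shape: the handler only calls _exit(), which is async-signal-safe. */
static void safe_grace_handler(int sig)
{
    (void)sig;
    _exit(EXIT_GRACE_EXPIRED);
}

/* Forks a child that waits for an "authentication" that never arrives.
 * Returns 1 if the child left through the grace handler, 0 if it ended some
 * other way, -1 on fork/wait failure. */
int grace_timeout_demo(long grace_usec)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct sigaction sa;
        memset(&sa, 0, sizeof(sa));
        sa.sa_handler = safe_grace_handler;
        sigemptyset(&sa.sa_mask);
        sigaction(SIGALRM, &sa, NULL);
        struct itimerval it = { {0, 0}, {grace_usec / 1000000, grace_usec % 1000000} };
        setitimer(ITIMER_REAL, &it, NULL);
        for (;;) pause(); /* stand-in for the pre-authentication loop */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -1;
    int expired = WIFEXITED(status) && WEXITSTATUS(status) == EXIT_GRACE_EXPIRED;
    if (expired) /* logging happens in normal context, outside any handler */
        fprintf(stderr, "child %ld: timeout before authentication\n", (long)pid);
    return expired;
}
int main(void) { return grace_timeout_demo(50000) == 1 ? 0 : 1; }
```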

Comment 5 errata-xmlrpc 2024-07-10 13:52:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4457 https://access.redhat.com/errata/RHSA-2024:4457

Comment 9 errata-xmlrpc 2024-07-23 08:43:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4716 https://access.redhat.com/errata/RHSA-2024:4716

Comment 10 errata-xmlrpc 2024-07-24 18:53:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:4613 https://access.redhat.com/errata/RHSA-2024:4613

Comment 12 errata-xmlrpc 2024-07-30 08:47:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:4910 https://access.redhat.com/errata/RHSA-2024:4910

Comment 13 errata-xmlrpc 2024-08-07 01:16:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:4955 https://access.redhat.com/errata/RHSA-2024:4955

Comment 14 errata-xmlrpc 2024-08-07 10:52:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4960 https://access.redhat.com/errata/RHSA-2024:4960

Comment 15 errata-xmlrpc 2024-08-22 11:43:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:5444 https://access.redhat.com/errata/RHSA-2024:5444
