Bug 2294604 (CVE-2024-6387, regreSSHion) - CVE-2024-6387 openssh: regreSSHion - race condition in SSH allows RCE/DoS
Summary: CVE-2024-6387 openssh: regreSSHion - race condition in SSH allows RCE/DoS
Keywords:
Status: NEW
Alias: CVE-2024-6387, regreSSHion
Deadline: 2024-07-01
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2294904 2294905 2298747 2298748 2300225 2300226 2350733 2350734
Blocks: 2294605
Reported: 2024-06-27 15:50 UTC by Marco Benatto
Modified: 2025-04-18 05:23 UTC (History)

Fixed In Version: openssh 8.7p1-38
Clone Of:
Environment:
Last Closed:
Embargoed:
sdodson: needinfo? (rdey)
agurenko: needinfo-
agurenko: needinfo-

Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 7077080 0 None None None 2024-07-02 09:39:12 UTC
Red Hat Product Errata RHBA-2024:4337 0 None None None 2024-07-05 19:38:31 UTC
Red Hat Product Errata RHBA-2024:4338 0 None None None 2024-07-05 19:48:59 UTC
Red Hat Product Errata RHBA-2024:4339 0 None None None 2024-07-05 20:06:17 UTC
Red Hat Product Errata RHBA-2024:4341 0 None None None 2024-07-08 01:01:14 UTC
Red Hat Product Errata RHBA-2024:4397 0 None None None 2024-07-09 07:48:04 UTC
Red Hat Product Errata RHBA-2024:4436 0 None None None 2024-07-09 15:25:33 UTC
Red Hat Product Errata RHSA-2024:4312 0 None None None 2024-07-03 14:32:13 UTC
Red Hat Product Errata RHSA-2024:4340 0 None None None 2024-07-05 21:32:49 UTC
Red Hat Product Errata RHSA-2024:4389 0 None None None 2024-07-08 21:08:57 UTC
Red Hat Product Errata RHSA-2024:4474 0 None None None 2024-07-18 17:50:30 UTC
Red Hat Product Errata RHSA-2024:4479 0 None None None 2024-07-17 00:38:23 UTC
Red Hat Product Errata RHSA-2024:4484 0 None None None 2024-07-17 01:35:58 UTC

Description Marco Benatto 2024-06-27 15:50:11 UTC
We discovered a vulnerability (a signal handler race condition) in OpenSSH's server (sshd): if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously, but this signal handler calls various functions that are not async-signal-safe (for example, syslog()).

On investigation, we realized that this vulnerability is in fact a regression of CVE-2006-5051 ("Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code"), which was reported in 2006 by Mark Dowd.

This regression was introduced in October 2020 (OpenSSH 8.5p1) by commit 752250c ("revised log infrastructure for OpenSSH"), which accidentally removed an "#ifdef DO_LOG_SAFE_IN_SIGHAND" from sigdie(), a function that is directly called by sshd's SIGALRM handler.
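
An added illustration, not OpenSSH's code and not part of this report: a login-grace timeout handled with only async-signal-safe operations (a sig_atomic_t flag store and write(2)) in place of syslog(), with the timer awaited under a signal mask so the expiry cannot be missed. The names grace_message and wait_for_grace_ms are this example's own.

```c
/* Added illustration, not OpenSSH's code: an async-signal-safe LoginGraceTime handler. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <sys/time.h>

static volatile sig_atomic_t grace_expired = 0; /* only type safe to store from a handler */
static char grace_buf[64]; static size_t grace_len;
/* Build "timeout before authentication after N s\n" with plain loops: snprintf(), syslog()
 * and anything that may malloc() or lock is unsafe in a handler, the defect described above. */
const char *grace_message(unsigned long secs)
{
    static const char head[] = "timeout before authentication after ";
    char digits[20];
    size_t n = 0, d = 0;
    while (head[n]) { grace_buf[n] = head[n]; n++; }
    do { digits[d++] = (char)('0' + secs % 10); secs /= 10; } while (secs);
    while (d) grace_buf[n++] = digits[--d];      /* digits were produced in reverse */
    grace_buf[n++] = ' '; grace_buf[n++] = 's'; grace_buf[n++] = '\n';
    grace_buf[n] = '\0';
    grace_len = n;
    return grace_buf;
}
/* Safe handler: a flag store plus write(2). The vulnerable pattern calls syslog() here. */
static void grace_alarm_handler(int sig)
{
    (void)sig;
    grace_message(120);                          /* 120 s: the default LoginGraceTime */
    (void)!write(STDERR_FILENO, grace_buf, grace_len);
    grace_expired = 1;
}
/* Arm a one-shot timer and wait. SIGALRM is masked while the flag is tested and atomically
 * unmasked inside sigsuspend(), so an expiry landing in between is not lost. 1 = expired. */
int wait_for_grace_ms(long ms)
{
    struct sigaction sa;
    sigset_t block, old;
    struct itimerval it = { { 0, 0 }, { ms / 1000, (ms % 1000) * 1000 } };
    memset(&sa, 0, sizeof sa);                   /* sa_flags 0, empty sa_mask */
    sa.sa_handler = grace_alarm_handler;
    if (sigaction(SIGALRM, &sa, NULL) != 0) return -1;
    sigemptyset(&block); sigaddset(&block, SIGALRM);
    sigprocmask(SIG_BLOCK, &block, &old);
    grace_expired = 0;
    if (setitimer(ITIMER_REAL, &it, NULL) != 0) return -1;
    while (!grace_expired) sigsuspend(&old);     /* returns once the handler has run */
    sigprocmask(SIG_SETMASK, &old, NULL);
    return 1;
}
```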

Comment 9 errata-xmlrpc 2024-07-03 14:32:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4312 https://access.redhat.com/errata/RHSA-2024:4312

Comment 12 errata-xmlrpc 2024-07-05 21:32:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4340 https://access.redhat.com/errata/RHSA-2024:4340

Comment 14 errata-xmlrpc 2024-07-08 21:08:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:4389 https://access.redhat.com/errata/RHSA-2024:4389

Comment 17 errata-xmlrpc 2024-07-17 00:38:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4479 https://access.redhat.com/errata/RHSA-2024:4479

Comment 18 errata-xmlrpc 2024-07-17 01:35:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:4484 https://access.redhat.com/errata/RHSA-2024:4484

Comment 19 errata-xmlrpc 2024-07-18 17:50:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:4474 https://access.redhat.com/errata/RHSA-2024:4474
