
FreeBSD Security Advisory FreeBSD-SA-24:08.openssh

Posted on 07 August 2024

=============================================================================
FreeBSD-SA-24:08.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic: OpenSSH pre-authentication async signal safety issue

Category: contrib
Module: openssh
Announced: 2024-08-07
Affects: All supported versions of FreeBSD.
Corrected: 2024-08-06 19:43:54 UTC (stable/14, 14.1-STABLE)
           2024-08-07 13:44:26 UTC (releng/14.1, 14.1-RELEASE-p3)
           2024-08-07 13:44:40 UTC (releng/14.0, 14.0-RELEASE-p9)
           2024-08-06 19:46:19 UTC (stable/13, 13.3-STABLE)
           2024-08-07 13:44:58 UTC (releng/13.3, 13.3-RELEASE-p5)
CVE Name: CVE-2024-7589

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services, including
remote shell access.

II. Problem Description

A signal handler in sshd(8) may call a logging function that is not
async-signal-safe. The signal handler is invoked when a client does not
authenticate within LoginGraceTime seconds (120 by default). This signal
handler executes in the context of sshd(8)'s privileged code, which is not
sandboxed and runs with full root privileges.

This issue is another instance of the problem in CVE-2024-6387 addressed by
FreeBSD-SA-24:04.openssh. The faulty code in this case is from the
integration of blacklistd in OpenSSH in FreeBSD.

III. Impact

As a result of calling functions that are not async-signal-safe in the
privileged sshd(8) context, a race condition exists that a determined
attacker may be able to exploit to allow an unauthenticated remote code
execution as root.

IV. Workaround

If sshd(8) cannot be updated, this signal handler race condition can be
mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and
restarting sshd(8). This makes sshd(8) vulnerable to a denial of service
(the exhaustion of all MaxStartups connections), but makes it safe from the
remote code execution presented in this advisory.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
restart sshd.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:08/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-24:08/openssh.patch.asc
# gpg --verify openssh.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              73466449a9bf    stable/14-n268414
releng/14.1/                            450425089212  releng/14.1-n267691
releng/14.0/                            c4ade13d5498  releng/14.0-n265423
stable/13/                              d5f16ef6463d    stable/13-n258221
releng/13.3/                            f41c11d7f209  releng/13.3-n257444
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2006-5051>

<URL:https://www.cve.org/CVERecord?id=CVE-2024-6387>

<URL:https://www.cve.org/CVERecord?id=CVE-2024-7589>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:08.openssh.asc>
