OpenSSH Race condition resulting in potential remote code execution
openssh.com>A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges.
FYI that's every version published after 2021-03-03
That's got to be 99% of all linux machines in the world with an ssh daemon running right?
> Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept.
It's pretty bad, but not trivial to exploit, especially since most machines are 64-bit with a larger space for ASLR.
A surprising number of systems are apparently on an old enough version to be unaffected; ex. RHEL 6-8 aren't vulnerable.
Red Hat 8 (maintenance support until 2029) has openssh-8.0 which is too old to be affected. I suspect other LTS distro may have openssh older 8.5 too. So the number should be below 99%.
> That's got to be 99% of all linux machines in the world with an ssh daemon running right?
Since 2021? Nah. 90% of my estate is ubuntu 2018 or earlier.
99%… that’s funny :P
Using this exploit, connected non root users can gain root access. Multiple user machines are more or less a thing of the past. These days most common use case of ssh is logging in to a remote server you already own with root privileges. So most of the users are unaffected by this exploit.
Are you sure? The text implies that the unsafe path is getting interrupted while parsing a DSA key, which presumably occurs before authentication?
Indeed, remote root is possible.
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion....
> These days most common use case of ssh is logging in to a remote server you already own with root privileges
I only see this in relatively small and "young" teams. In any bigger organization I've worked in, a new user is created for each person who uses the machine.
I have a script that looks at your github org/team and generates/updates users on-demand then lets you connect.
The script is pretty straightforward, see AuthorizedKeysCommand and https://github.com/{$user}.keys
Certainly, but in my org they're trusted with sudo access (which gets logged to syslog).
I don't think it's best practice to give root privilege to a login account.
What do you give it to?
To root, and you must have a sudo password to get it. It stops both hackers and colleagues who need access to the servers, but can't be trusted with root privileges.
Sorry, duplicate of https://news.ycombinator.com/item?id=40843778
I do like the headline of this post better though...
I learned about the vulnerability by the FreeBSD advisory and searched for ssh on hacker news and didn't find the other post... just to find the other post on the front page... well.
We discovered a vulnerability (a signal handler race condition) in OpenSSH's server (sshd): if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously, but this signal handler calls various functions that are not async-signal-safe (for example, syslog()). This race condition affects sshd in its default configuration.
So SIGALRM because of the timer firing?
Out of curiosity... any rust sshd implementations? I found libraries, but no plug&play replacement for openssh?
> Only two remote holes in the default install, in a heck of a long time!
As someone who doesn't know this kind of stuff well, will this cause OpenBSD to have to update the statement above?
EDIT:
TFA says:
> OpenBSD is not vulnerable.
OpenBSD isn't vulnerable, from https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion....:
> We have not investigated any other libc or operating system; but OpenBSD is notably not vulnerable, because its SIGALRM handler calls syslog_r(), an async-signal-safer version of syslog() that was invented by OpenBSD in 2001.
We have to use this exploit to update a critical raspberry pi that nobody seems to have keys to...
I this exploitable for all architectures? For some reason I am under the impression that its only for x86
From the qualys advisory (https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion....):
With a heap corruption as a primitive, two FILE structures malloc()ated in the heap, and 21 fixed bits in the glibc's addresses, we believe that this signal handler race condition is exploitable on amd64 (probably not in ~6-8 hours, but hopefully in less than a week). Only time will tell.
It is a race condition in a signal handler. The behaviour depends on the implementation of various standard library functions on the target system (syslog, malloc). This may very well be exploitable on other architectures (and systems). Apparently it is non-trivial to trigger. But it is possibly remote code execution with root permissions. Definetely nobody wants this in sshd.
Per https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.... they developed the exploit on Debian and Ubuntu on i386, but I don't believe there's any reason to think that it wouldn't work on other architectures. There are some things that suggest to my non-expert reading that it's harder to exploit on 64-bit architectures, and other libc implementations may be immune, but it wouldn't surprise me at all if Raspberry Pi OS (AKA Debian with some modifications) on a Pi was 32-bit and vulnerable.
They only made a POC for x86 but it doesn't mean that it doesn't work on other architectures.