Bug 935271 (CVE-2024-6387) - <net-misc/openssh-{9.6_p1-r5, 9.7_p1-r6, 9.8_p1}: Remote code execution
Summary: <net-misc/openssh-{9.6_p1-r5, 9.7_p1-r6, 9.8_p1}: Remote code execution
Status: IN_PROGRESS
Alias: CVE-2024-6387
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Highest blocker with 1 vote
Assignee: Gentoo Security
URL: https://www.qualys.com/2024/07/01/cve...
Whiteboard: A0 [glsa+ cleanup]
Keywords:
Duplicates: 935388
Depends on: 935272 935275
Blocks:
Reported: 2024-07-01 08:35 UTC by Sam James
Modified: 2024-07-09 06:49 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-07-01 08:35:54 UTC
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

"""
[...]

Preliminary note: OpenSSH is one of the most secure pieces of software in the
world; this vulnerability is one slip-up in an otherwise near-flawless
implementation. Its defense-in-depth design and code are a model and an
inspiration, and we thank OpenSSH's developers for their exemplary work.

We discovered a vulnerability (a signal handler race condition) in
OpenSSH's server (sshd): if a client does not authenticate within
LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions),
then sshd's SIGALRM handler is called asynchronously, but this signal
handler calls various functions that are not async-signal-safe (for
example, syslog()). This race condition affects sshd in its default
configuration.

On investigation, we realized that this vulnerability is in fact a
regression of CVE-2006-5051 ("Signal handler race condition in OpenSSH
before 4.4 allows remote attackers to cause a denial of service (crash),
and possibly execute arbitrary code"), which was reported in 2006 by
Mark Dowd.

This regression was introduced in October 2020 (OpenSSH 8.5p1) by commit
752250c ("revised log infrastructure for OpenSSH"), which accidentally
removed an "#ifdef DO_LOG_SAFE_IN_SIGHAND" from sigdie(), a function
that is directly called by sshd's SIGALRM handler. In other words:

- OpenSSH < 4.4p1 is vulnerable to this signal handler race condition,
  if not backport-patched against CVE-2006-5051, or not patched against
  CVE-2008-4109, which was an incorrect fix for CVE-2006-5051;

- 4.4p1 <= OpenSSH < 8.5p1 is not vulnerable to this signal handler race
  condition (because the "#ifdef DO_LOG_SAFE_IN_SIGHAND" that was added
  to sigdie() by the patch for CVE-2006-5051 transformed this unsafe
  function into a safe _exit(1) call);

- 8.5p1 <= OpenSSH < 9.8p1 is vulnerable again to this signal handler
  race condition (because the "#ifdef DO_LOG_SAFE_IN_SIGHAND" was
  accidentally removed from sigdie()).

This vulnerability is exploitable remotely on glibc-based Linux systems,
where syslog() itself calls async-signal-unsafe functions (for example,
malloc() and free()): an unauthenticated remote code execution as root,
because it affects sshd's privileged code, which is not sandboxed and
runs with full privileges. We have not investigated any other libc or
operating system; but OpenBSD is notably not vulnerable, because its
SIGALRM handler calls syslog_r(), an async-signal-safer version of
syslog() that was invented by OpenBSD in 2001.
[...]
"""
Comment 1 Larry the Git Cow gentoo-dev 2024-07-01 08:41:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=083d7d12832b91073f5cac94df2ba067495857a7

commit 083d7d12832b91073f5cac94df2ba067495857a7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-07-01 08:40:45 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-07-01 08:40:45 +0000

    net-misc/openssh: add 9.8_p1
    
    This fixes CVE-2024-6387 but I'm going to backport a fix to 9.7 shortly
    as 9.8_p1 isn't a good stable candidate given it's only just been released
    and has many other changes.
    
    Bug: https://bugs.gentoo.org/935271
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/openssh/Manifest              |   2 +
 net-misc/openssh/openssh-9.8_p1.ebuild | 398 +++++++++++++++++++++++++++++++++
 2 files changed, 400 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-07-01 08:46:06 UTC
Upstream made patch suggestions at https://marc.info/?l=oss-security&m=171982317624594&w=2.
Comment 3 Larry the Git Cow gentoo-dev 2024-07-01 08:55:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1633ef45475afb9eea04e9cf27021c9d994af338

commit 1633ef45475afb9eea04e9cf27021c9d994af338
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-07-01 08:51:48 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-07-01 08:54:59 +0000

    net-misc/openssh: backport CVE-2024-6387 fix to 9.6_p1-r5, 9.7_p1-r6
    
    This applies upstream's backport suggestions from https://marc.info/?l=oss-security&m=171982317624594&w=2
    for both CVE-2024-6387 and a "minor logic error in ObscureKeystrokeTiming".
    
    Bug: https://bugs.gentoo.org/935271
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/openssh-9.6_p1-CVE-2024-6387.patch       |  19 +
 .../openssh/files/openssh-9.6_p1-chaff-logic.patch |  16 +
 net-misc/openssh/openssh-9.6_p1-r5.ebuild          | 392 ++++++++++++++++++++
 net-misc/openssh/openssh-9.7_p1-r6.ebuild          | 400 +++++++++++++++++++++
 4 files changed, 827 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2024-07-01 10:22:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b9aab3ef968b7a6d58fa215223d116b98af7d399

commit b9aab3ef968b7a6d58fa215223d116b98af7d399
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-07-01 09:59:36 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-07-01 10:22:02 +0000

    net-misc/openssh: restart sshd on major version upgrades
    
    openssh-9.8_p1 again breaks cross-version compatibility, meaning that
    a running sshd with 9.7_p1 will no longer be able to accept connections
    after upgrading to 9.8_p1.
    
    We tried doing a news item on this in the past (bug #709748) and it ended
    up being insufficient and poorly coordinated (as you really need it again
    when stabling).
    
    Nobody is going to thank us for leaving their sshd broken, so pick
    the lesser evil and attempt to restart sshd on major version upgrades.
    
    This is especially important as people may be racing to upgrade to 9.8_p1
    for the CVE-2024-6387 fix (although we have backported a fix to older versions).
    
    I also note there's precedent here with e.g. the systemd rebuild where
    it's done to avoid immediate breakage of user sessions.
    
    Thanks to kerframil who proposed a snippet for this some time ago whose
    work I've lifted here.
    
    Bug: https://bugs.gentoo.org/709748
    Bug: https://bugs.gentoo.org/935271
    Signed-off-by: Sam James <sam@gentoo.org>

 ...nssh-9.8_p1.ebuild => openssh-9.8_p1-r1.ebuild} | 33 ++++++++++++++++++++++
 1 file changed, 33 insertions(+)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-07-01 11:03:16 UTC
Filed a stablereq for 9.7_p1-r6, see https://bugs.gentoo.org/935275#c0. It's not strictly a dependency for this bug as explained there but it maybe simplifies the GLSA and such and allows cleanup...
Comment 6 Larry the Git Cow gentoo-dev 2024-07-01 11:12:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da4d673c8709506f7aaaa5316f7fc3ccf2178b17

commit da4d673c8709506f7aaaa5316f7fc3ccf2178b17
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-07-01 11:11:56 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-07-01 11:11:56 +0000

    net-misc/openssh: drop 9.6_p1-r4, 9.7_p1-r2, 9.7_p1-r3, 9.7_p1-r5
    
    Bug: https://bugs.gentoo.org/935271
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/openssh/openssh-9.6_p1-r4.ebuild | 390 ----------------------------
 net-misc/openssh/openssh-9.7_p1-r2.ebuild | 403 -----------------------------
 net-misc/openssh/openssh-9.7_p1-r3.ebuild | 404 ------------------------------
 net-misc/openssh/openssh-9.7_p1-r5.ebuild | 398 -----------------------------
 4 files changed, 1595 deletions(-)
Comment 7 Larry the Git Cow gentoo-dev 2024-07-01 18:06:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=812073712b87f878fc20506cca474c045b6a8b7e

commit 812073712b87f878fc20506cca474c045b6a8b7e
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-01 18:03:48 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-07-01 18:06:02 +0000

    [ GLSA 202407-09 ] OpenSSH: Remote Code Execution
    
    Bug: https://bugs.gentoo.org/935271
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202407-09.xml | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
Comment 8 Larry the Git Cow gentoo-dev 2024-07-02 17:07:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=615ab9d0a7ea42e3fa992a2f728c45019f8706c2

commit 615ab9d0a7ea42e3fa992a2f728c45019f8706c2
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2024-07-02 17:02:29 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2024-07-02 17:07:07 +0000

    net-misc/openssh-contrib: Revbump, add fix for CVE-2024-6387
    
    Bug: https://bugs.gentoo.org/935271
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 .../files/openssh-9.6_p1-CVE-2024-6387.patch       | 19 ++++++++++++++
 .../files/openssh-9.6_p1-chaff-logic.patch         | 16 ++++++++++++
 .../files/openssh-9.6_p1-fix-xmss-c99.patch        | 20 +++++++++++++++
 .../files/openssh-9.7_p1-X509-CVE-2024-6387.patch  | 29 ++++++++++++++++++++++
 ...-r3.ebuild => openssh-contrib-9.7_p1-r4.ebuild} | 11 +++++++-
 5 files changed, 94 insertions(+), 1 deletion(-)
Comment 9 Ionen Wolkens gentoo-dev 2024-07-03 06:42:57 UTC
*** Bug 935388 has been marked as a duplicate of this bug. ***