ssh vulnerability CVE-2024-6387

Lemons, Terry Terry.Lemons@dell.com
Wed Jul 17 12:25:14 GMT 2024 

Hi

Vulnerability scanners run at my company have detected the following vulnerability in the Cygwin sshd:

<https://dellinclabs.kennasecurity.com/vulnerabilities/341847636>
CVE-2024-6387    CVSS 3: 8.1<https://dellinclabs.kennasecurity.com/vulnerabilities/341847636>

OpenSSH could allow a remote attacker to execute arbitrary code on the system, caused by a signal handler race condition. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code with root privileges on glibc-based Linux systems.

OpenSSH Vulnerability: CVE-2024-6387

  *   Published: 07- 1-24 00:00
  *   Diagnosis:

A signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog().

  *   Solution:

Upgrade to the latest version of OpenSSH

Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH

The latest version of OpenSSH is 9.6.

While you can always build OpenSSH from source<http://www.openssh.com/portable.html>, many platforms and distributions provide pre-built binary packages for OpenSSH. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

Running SSH service
Product OpenSSH exists -- OpenBSD OpenSSH 9.8
Vulnerable version of product OpenSSH found -- OpenBSD OpenSSH 9.8
Vulnerable version of OpenSSH detected on Microsoft Windows

My Cygwin installation is using openssh 9.8p1-1 which, at this writing, is the latest available version.

What are the plans to address this vulnerability in cygwin's openssh component?

Thanks
tl



Terry Lemons
Senior Principal Software Engineer, Dell EMC
Dell Technologies | Data Management
Terry.Lemons@dell.com<mailto:Terry.Lemons@dell.com>



Internal Use - Confidential

More information about the Cygwin mailing list