>A critical vulnerability in sshd(8) was present in Portable OpenSSH
versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary
code execution with root privileges.
FYI that's every version published after 2021-03-03
That's got to be 99% of all linux machines in the world with an ssh daemon running right?
> Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept.
It's pretty bad, but not trivial to exploit, especially since most machines are 64-bit with a larger space for ASLR.
Red Hat 8 (maintenance support until 2029) has openssh-8.0 which is too old to be affected. I suspect other LTS distro may have openssh older 8.5 too. So the number should be below 99%.
Using this exploit, connected non root users can gain root access. Multiple user machines are more or less a thing of the past. These days most common use case of ssh is logging in to a remote server you already own with root privileges. So most of the users are unaffected by this exploit.
> These days most common use case of ssh is logging in to a remote server you already own with root privileges
I only see this in relatively small and "young" teams. In any bigger organization I've worked in, a new user is created for each person who uses the machine.
To root, and you must have a sudo password to get it. It stops both hackers and colleagues who need access to the servers, but can't be trusted with root privileges.
I learned about the vulnerability by the FreeBSD advisory and searched for ssh on hacker news and didn't find the other post... just to find the other post on the front page... well.
We discovered a vulnerability (a signal handler race condition) in
OpenSSH's server (sshd): if a client does not authenticate within
LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions),
then sshd's SIGALRM handler is called asynchronously, but this signal
handler calls various functions that are not async-signal-safe (for
example, syslog()). This race condition affects sshd in its default
configuration.
So SIGALRM because of the timer firing?
Out of curiosity... any rust sshd implementations? I found libraries, but no plug&play replacement for openssh?
> We have not investigated any other libc or operating system; but OpenBSD is notably not vulnerable, because its SIGALRM handler calls syslog_r(), an async-signal-safer version of syslog() that was invented by OpenBSD in 2001.
With a heap corruption as a primitive, two FILE structures malloc()ated
in the heap, and 21 fixed bits in the glibc's addresses, we believe that
this signal handler race condition is exploitable on amd64 (probably not
in ~6-8 hours, but hopefully in less than a week). Only time will tell.
It is a race condition in a signal handler. The behaviour depends on the implementation of various standard library functions on the target system (syslog, malloc). This may very well be exploitable on other architectures (and systems). Apparently it is non-trivial to trigger. But it is possibly remote code execution with root permissions. Definetely nobody wants this in sshd.
Per https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.... they developed the exploit on Debian and Ubuntu on i386, but I don't believe there's any reason to think that it wouldn't work on other architectures. There are some things that suggest to my non-expert reading that it's harder to exploit on 64-bit architectures, and other libc implementations may be immune, but it wouldn't surprise me at all if Raspberry Pi OS (AKA Debian with some modifications) on a Pi was 32-bit and vulnerable.
FYI that's every version published after 2021-03-03
That's got to be 99% of all linux machines in the world with an ssh daemon running right?
https://www.openssh.com/releasenotes.html