CVE-2024-6387
Published: 1 July 2024
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead to sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
From the Ubuntu Security Team
It was discovered that OpenSSH incorrectly handled signal management. A remote attacker could use this issue to bypass authentication and remotely access systems without proper credentials.
Notes
Author | Note |
---|---|
Priority reason: Potential remote code execution |
|
seth-arnold | openssh-ssh1 is provided for compatibility with old devices that cannot be upgraded to modern protocols. Thus we may not provide security support for this package if doing so would prevent access to equipment. |
sbeattie | introduced in upstream commit 752250caa ("upstream: revised log infrastructure for OpenSSH", 2020-10-16) (v8.5p1) essentially a regression of CVE-2006-5051 Because of a quirk of the 24.04/noble patch to allow systemd socket activation, it is believed that that release is not vulnerable to the exploitation approach taken by Qualys. https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/systemd-socket-activation.patch |
Mitigation
Set LoginGraceTime to 0 in /etc/ssh/sshd_config. This makes sshd vulnerable to a denial of service (the exhaustion of all MaxStartups connections), but it makes it safe from this vulnerability.
Priority
Status
Package | Release | Status |
---|---|---|
openssh Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(introduced in v8.5p1)
|
focal |
Not vulnerable
(introduced in v8.5p1)
|
|
jammy |
Released
(1:8.9p1-3ubuntu0.10)
|
|
mantic |
Released
(1:9.3p1-1ubuntu3.6)
|
|
noble |
Released
(1:9.6p1-3ubuntu13.3)
|
|
trusty |
Not vulnerable
(introduced in v8.5p1)
|
|
upstream |
Pending
(9.8p1)
|
|
xenial |
Not vulnerable
(introduced in v8.5p1)
|
|
openssh-ssh1 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(introduced in v8.5p1)
|
focal |
Not vulnerable
(introduced in v8.5p1)
|
|
jammy |
Not vulnerable
(introduced in v8.5p1)
|
|
mantic |
Not vulnerable
(introduced in v8.5p1)
|
|
noble |
Not vulnerable
(introduced in v8.5p1)
|
|
upstream |
Ignored
(frozen on openssh 7.5p)
|