CVE-2024-6387

Published: 1 July 2024

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead to sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

From the Ubuntu Security Team

It was discovered that OpenSSH incorrectly handled signal management. A remote attacker could use this issue to bypass authentication and remotely access systems without proper credentials.

Notes

Priority reason:
Potential remote code execution

openssh-ssh1 is provided for compatibility with old
devices that cannot be upgraded to modern protocols. Thus we may
not provide security support for this package if doing so would
prevent access to equipment.

introduced in upstream commit 752250caa ("upstream: revised
log infrastructure for OpenSSH", 2020-10-16) (v8.5p1)
essentially a regression of CVE-2006-5051
Because of a quirk of the 24.04/noble patch to allow
systemd socket activation, it is believed that that release is
not vulnerable to the exploitation approach taken by Qualys.
https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/systemd-socket-activation.patch

Mitigation

Set LoginGraceTime to 0 in /etc/ssh/sshd_config. This makes sshd
vulnerable to a denial of service (the exhaustion of all MaxStartups
connections), but it makes it safe from this vulnerability.

Status

References

• https://www.cve.org/CVERecord?id=CVE-2024-6387
• https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
• https://ubuntu.com/security/notices/USN-6859-1
• NVD
• Launchpad
• Debian

Bugs

• https://bugzilla.mindrot.org/show_bug.cgi?id=3690
• https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070497