CVE-2024-6387

Published: 1 July 2024

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

From the Ubuntu Security Team

It was discovered that OpenSSH incorrectly handled signal management. A remote attacker could use this issue to bypass authentication and remotely access systems without proper credentials.

Notes

Priority reason: Potential remote code execution

Author: seth-arnold
Note: openssh-ssh1 is provided for compatibility with old devices that cannot be upgraded to modern protocols. Thus we may not provide security support for this package if doing so would prevent access to equipment.

Author: sbeattie
Note: introduced in upstream commit 752250caa ("upstream: revised log infrastructure for OpenSSH", 2020-10-16) (v8.5p1)
Note: essentially a regression of CVE-2006-5051
Note: Because of a quirk of the 24.04/noble patch to allow systemd socket activation, it is believed that that release is not vulnerable to the exploitation approach taken by Qualys.
https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/systemd-socket-activation.patch

Mitigation

Set LoginGraceTime to 0 in /etc/ssh/sshd_config. This makes sshd
vulnerable to a denial of service (the exhaustion of all MaxStartups
connections), but it makes it safe from this vulnerability.
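
A check for the mitigation above, as an added example that is not part of the original advisory: it reads text in the format printed by sshd -T (sshd's effective configuration) and reports whether LoginGraceTime is 0, together with the MaxStartups limit that the resulting denial-of-service exposure depends on. The function names and the sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Ubuntu's or OpenSSH's code). Input is text in the
# format printed by `sshd -T`: lowercase keyword, then value, with
# time values already converted to seconds.

# Constructed sample inputs, trimmed to the relevant keywords.
SAMPLE_DEFAULT='port 22
logingracetime 120
maxstartups 10:30:100'
SAMPLE_MITIGATED='port 22
logingracetime 0
maxstartups 10:30:100'

# Print the value of keyword $1 from `sshd -T` text on stdin.
sshd_setting() {
    awk -v key="$1" 'tolower($1) == key { print $2; exit }'
}

# Classify the mitigation state of the `sshd -T` text passed as $1.
# Exit status: 0 mitigated, 1 not mitigated, 2 keyword missing.
audit_grace_time() {
    grace=$(printf '%s\n' "$1" | sshd_setting logingracetime)
    startups=$(printf '%s\n' "$1" | sshd_setting maxstartups)
    case "$grace" in
        '' | *[!0-9]*)
            echo "UNKNOWN: no numeric logingracetime in input"
            return 2 ;;
        0)
            # No login timeout. The trade-off named in the advisory:
            # idle unauthenticated connections are never dropped, so
            # the last field of MaxStartups (start:rate:full) is the
            # only limit on them.
            echo "MITIGATED: logingracetime=0; unauthenticated connections capped only by MaxStartups full=${startups##*:}"
            return 0 ;;
        *)
            echo "NOT-MITIGATED: logingracetime=${grace}s; protection depends on the fixed package"
            return 1 ;;
    esac
}

# On a live host (typically run as root): audit_grace_time "$(sshd -T)"
```

Reading the effective configuration rather than /etc/ssh/sshd_config itself means the check reflects the value sshd resolved after processing all of its configuration input.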

Priority

High

CVSS 3 Severity Score

8.1

Status

Package: openssh

Release   Status
bionic    Not vulnerable (introduced in v8.5p1)
focal     Not vulnerable (introduced in v8.5p1)
jammy     Released (1:8.9p1-3ubuntu0.10)
mantic    Released (1:9.3p1-1ubuntu3.6)
noble     Released (1:9.6p1-3ubuntu13.3)
trusty    Not vulnerable (introduced in v8.5p1)
upstream  Pending (9.8p1)
xenial    Not vulnerable (introduced in v8.5p1)

Package: openssh-ssh1

Release   Status
bionic    Not vulnerable (introduced in v8.5p1)
focal     Not vulnerable (introduced in v8.5p1)
jammy     Not vulnerable (introduced in v8.5p1)
mantic    Not vulnerable (introduced in v8.5p1)
noble     Not vulnerable (introduced in v8.5p1)
upstream  Ignored (frozen on openssh 7.5p)

Severity score breakdown

Parameter Value
Base score 8.1
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H