CVE-2024-6387

Summary

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

Affected Software

VendorProductVersion RangeStatus
8.5p1 <= 9.7p1affected
Red HatRed Hat Enterprise Linux 90:8.7p1-38.el9_4.1 < *unaffected
Red HatRed Hat Enterprise Linux 90:8.7p1-38.el9_4.1 < *unaffected
Red HatRed Hat Enterprise Linux 9.0 Update Services for SAP Solutions0:8.7p1-12.el9_0.1 < *unaffected
Red HatRed Hat Enterprise Linux 9.2 Extended Update Support0:8.7p1-30.el9_2.4 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.13413.92.202407091321-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.14414.92.202407091253-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.15415.92.202407091355-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.16416.94.202407081958-0 < *unaffected

Weaknesses

  • CWE-364: Signal Handler Race Condition

Workarounds

The below process can protect against a Remote Code Execution attack by disabling the LoginGraceTime parameter on Red Hat Enterprise Linux 9. However, the sshd server is still vulnerable to a Denial of Service if an attacker exhausts all the connections.

  1. As root user, open the /etc/ssh/sshd_config
  2. Add or edit the parameter configuration:
LoginGraceTime 0
  1. Save and close the file
  2. Restart the sshd daemon:
systemctl restart sshd.service

Setting LoginGraceTime to 0 disables the SSHD server's ability to drop connections if authentication is not completed within the specified timeout. If this mitigation is implemented, it is highly recommended to use a tool like 'fail2ban' alongside a firewall to monitor log files and manage connections appropriately.

If any of the mitigations mentioned above is used, please note that the removal of LoginGraceTime parameter from sshd_config is not automatic when the updated package is installed.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

Additional References

References