NetBSD-Announce archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

NetBSD Security Advisory 2024-002: OpenSSH CVE-2024-6387 `regreSSHion'



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


		 NetBSD Security Advisory 2024-002
		 =================================

Topic:		OpenSSH CVE-2024-6387 `regreSSHion'

Version:	NetBSD-current:		affected prior to 2024-07-02
		NetBSD 10.0:		affected
		NetBSD 9.4:		affected
		pkgsrc:			affected prior to openssh-9.8p1

Severity:	Remote code execution in sshd(8)

Fixed:		NetBSD-current:		2024-07-01
		NetBSD-10 branch:	2024-07-01
		NetBSD-9 branch:	2024-07-01
		pkgsrc-current:		2024-07-01
		pkgsrc-2024Q2:		2024-07-02

Please note that NetBSD releases prior to 9.4 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

The sshd(8) login grace time expiry message is issued from signal
handler context where it is not safe and may cause heap corruption,
potentially leading to remote code execution.

This vulnerability has been assigned CVE-2024-6387.

See https://www.qualys.com/regresshion-cve-2024-6387/ for more
information.


Technical Details
=================

The sshd(8) LoginGraceTime option sets the maximum time that sshd(8)
will wait before a new connection attempts to authenticate, to mitigate
denial of service attacks.  If set to zero, there is no maximum time.

The option is implemented in sshd(8) by a SIGALRM handler.  The SIGALRM
handler logs a message with syslog_r(3), formatted to be safe for
terminals with strnvis(3).  Both of these library routines may call
malloc(3), which is not async-signal-safe.

If the SIGALRM is delivered while another part of sshd(8) is
interrupted in during a malloc(3) call (or a related function such as
calloc(3) or free(3)), this can corrupt malloc's internal data
structures, which can lead to remote code execution.


Solutions and Workarounds
=========================

Workaround: Set

	LoginGraceTime 0

in the sshd_config(5) file. This prevents the heap corruption
vulnerability.  However, it may allows denial of service attacks
against sshd(8) by clients that open connections and idle forever
without authenticating.

Alternative workaround: Install security/openssh from pkgsrc and switch
to the pkgsrc version.


To apply a fixed version from a releng build, fetch a fitting base.tgz
or base.tar.xz from nycdn.NetBSD.org and extract the fixed binaries:

cd /var/tmp
ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.SUFX
cd /
tar xzpf /var/tmp/base.SUFX /usr/lib/libssh.so.46.1	# netbsd-current
tar xzpf /var/tmp/base.SUFX /usr/lib/libssh.so.46.1	# netbsd-10
tar xzpf /var/tmp/base.SUFX /usr/lib/libssh.so.34.0	# netbsd-9

with the following replacements:
REL   = the release version you are using
BUILD = the source date of the build. 20240702* and later will fit
ARCH  = your system's architecture
SUFX  = tgz or tar.xz depending on architecture


The following instructions describe how to upgrade your OpenSSH
binaries by updating your source tree and rebuilding and installing
a new version of libssh.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2024-07-01
	should be upgraded to NetBSD-current dated 2024-07-02 or later.

	The following files/directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		crypto/external/bsd/openssh/dist/log.c

	To update from CVS, re-build, and re-install libssh:
		# cd src
		# cvs update -d -P crypto/external/bsd/openssh/dist
		# cd crypto/external/bsd/openssh/lib
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 10.*:

	Systems running NetBSD 10.* sources dated from before
	2024-07-01 should be upgraded from NetBSD 10.* sources dated
	2024-07-02 or later.

	The following files/directories need to be updated from the
	netbsd-10 branch:
		crypto/external/bsd/openssh/dist/log.c

	To update from CVS, re-build, and re-install libssh:

		# cd src
		# cvs update -r netbsd-10 -d -P crypto/external/bsd/openssh/dist
		# cd crypto/external/bsd/openssh/lib
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 9.*:

	Systems running NetBSD 9.* sources dated from before
	2024-07-01 should be upgraded from NetBSD 9.* sources dated
	2024-07-02 or later.

	The following files/directories need to be updated from the
	netbsd-9 branch:
		crypto/external/bsd/openssh/dist/log.c

	To update from CVS, re-build, and re-install libssh:

		# cd src
		# cvs update -r netbsd-9 -d -P crypto/external/bsd/openssh/dist
		# cd crypto/external/bsd/openssh/lib
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


Thanks To
=========


Revision History
================

	2024-07-01	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

	https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2024-002.txt.asc

Information about NetBSD and NetBSD security can be found at

	https://www.NetBSD.org/
	https://www.NetBSD.org/Security/


Copyright 2024, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2024-002.txt,v 1.2 2024/07/02 12:03:08 riastradh Exp $

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJmg+z9AAoJEIkmHhf170n/mkIQAJbYqQk+ALKW+dPyqWfN7D8u
phA/bPa5CZFisErqoC1Zj7aPtamBVFaO9NgBvSWPbEMWcYCgBAiZoTVtJiKlNE2v
tDJqlCHpNyaMin4h4gUWxRBH8H3nuSTnU3keCFEdGPGnH+q1xOnp/AFSOa7iXzgR
gAUsD7qskw6ZdtSpnxqT0xgTyombSLGiqXUO8PVyc+e3P6lyFn673khu6qXcjRDz
ATUu8zG3EHusNFPti1bOt/DK4k+Vs0VGqEv/buybEjhmMRR0AE2whBIXnz/ttsZQ
qSp3kvVONSm4bovH3vX4g2VYEkPG7a39nkW5ylUcHKMRw9nLgHu96gI3yqkWPbdq
e9cfwohLdiUjhw35CXzEMomBjb8XVBE6PcYNW+afNbJCjmnaV7F6Ek/ou8j4KeoE
pHKmtKKuRw/k0jEbZmEa2CohGpcxNGJ0FLy3106tmV5REJZCVCzBpsVndfg0cUip
rYTJWcaWW6AJFFnk8mbPsTvgZlTRWTxw0QUMFFr3M0PzCdN2jZFNqXudlqfyQB7Q
HwNb1A8OwbBrHR02YJmvuCuOPmaF7szTzsSbOOsmgF8+jQTa9140WTOJJLWbM23+
dKETGSYz7tL4fDaIMsi57HMOQme4ds8QHWaZ93hH8KrlR1jAKB4GnbmuwDNXWeOb
Mqv/RGAvd+uymKBCUMWl
=rivP
-----END PGP SIGNATURE-----


Home | Main Index | Thread Index | Old Index