CVE-2024-6409

A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.

CVSS v3 7.0 HIGH

7.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2024:4457
https://access.redhat.com/errata/RHSA-2024:4613
https://access.redhat.com/errata/RHSA-2024:4716
https://access.redhat.com/errata/RHSA-2024:4910
https://access.redhat.com/errata/RHSA-2024:4955
https://access.redhat.com/errata/RHSA-2024:4960
https://access.redhat.com/errata/RHSA-2024:5444
https://access.redhat.com/security/cve/CVE-2024-6409
https://bugzilla.redhat.com/show_bug.cgi?id=2295085

Configurations

No configuration.

History

12 Sep 2024, 20:15

Type	Values Removed	Values Added
References	~~{'url': 'http://www.openwall.com/lists/oss-security/2024/07/08/2', 'source': 'secalert@redhat.com'}~~ ~~{'url': 'http://www.openwall.com/lists/oss-security/2024/07/09/2', 'source': 'secalert@redhat.com'}~~ ~~{'url': 'http://www.openwall.com/lists/oss-security/2024/07/09/5', 'source': 'secalert@redhat.com'}~~ ~~{'url': 'http://www.openwall.com/lists/oss-security/2024/07/10/1', 'source': 'secalert@redhat.com'}~~ ~~{'url': 'http://www.openwall.com/lists/oss-security/2024/07/10/2', 'source': 'secalert@redhat.com'}~~ ~~{'url': 'https://almalinux.org/blog/2024-07-09-cve-2024-6409/', 'source': 'secalert@redhat.com'}~~ ~~{'url': 'https://bugzilla.suse.com/show_bug.cgi?id=1227217', 'source': 'secalert@redhat.com'}~~ ~~{'url': 'https://explore.alas.aws.amazon.com/CVE-2024-6409.html', 'source': 'secalert@redhat.com'}~~ ~~{'url': 'https://github.com/openela-main/openssh/commit/c00da7741d42029e49047dd89e266d91dcfbffa0', 'source': 'secalert@redhat.com'}~~ ~~{'url': 'https://security-tracker.debian.org/tracker/CVE-2024-6409', 'source': 'secalert@redhat.com'}~~ ~~{'url': 'https://security.netapp.com/advisory/ntap-20240712-0003/', 'source': 'secalert@redhat.com'}~~ ~~{'url': 'https://sig-security.rocky.page/issues/CVE-2024-6409/', 'source': 'secalert@redhat.com'}~~ ~~{'url': 'https://ubuntu.com/security/CVE-2024-6409', 'source': 'secalert@redhat.com'}~~ ~~{'url': 'https://www.suse.com/security/cve/CVE-2024-6409.html', 'source': 'secalert@redhat.com'}~~

22 Aug 2024, 13:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:5444 -

07 Aug 2024, 17:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:4960 -

07 Aug 2024, 05:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:4955 -

02 Aug 2024, 17:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:4910 -

24 Jul 2024, 21:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:4613 -

23 Jul 2024, 15:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:4716 -

13 Jul 2024, 04:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:4457 -
Summary	(en) A signal handler race condition vulnerability was found in OpenSSH's server (sshd) in Red Hat Enterprise Linux 9, where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This issue leaves it vulnerable to a signal handler race condition on the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server. As a consequence of a successful attack, in the worst case scenario, the attacker may be able to perform a remote code execution (RCE) within unprivileged user running the sshd server. This vulnerability affects only the sshd server shipped with Red Hat Enterprise Linux 9, while upstream versions of sshd are not impact by this flaw.	(en) A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.

12 Jul 2024, 14:15

Type	Values Removed	Values Added
References		() https://security.netapp.com/advisory/ntap-20240712-0003/ -

10 Jul 2024, 20:15

Type	Values Removed	Values Added
References		() https://github.com/openela-main/openssh/commit/c00da7741d42029e49047dd89e266d91dcfbffa0 -

10 Jul 2024, 17:15

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2024/07/10/2 -

10 Jul 2024, 16:15

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2024/07/10/1 -

10 Jul 2024, 13:15

Type	Values Removed	Values Added
References		() https://almalinux.org/blog/2024-07-09-cve-2024-6409/ - () https://bugzilla.suse.com/show_bug.cgi?id=1227217 - () https://www.suse.com/security/cve/CVE-2024-6409.html -

10 Jul 2024, 01:15

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2024/07/09/5 -

09 Jul 2024, 15:15

Type	Values Removed	Values Added
Summary	(en) A signal handler race condition vulnerability was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This issue leaves it vulnerable to a signal handler race condition on the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server.	(en) A signal handler race condition vulnerability was found in OpenSSH's server (sshd) in Red Hat Enterprise Linux 9, where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This issue leaves it vulnerable to a signal handler race condition on the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server. As a consequence of a successful attack, in the worst case scenario, the attacker may be able to perform a remote code execution (RCE) within unprivileged user running the sshd server. This vulnerability affects only the sshd server shipped with Red Hat Enterprise Linux 9, while upstream versions of sshd are not impact by this flaw.

09 Jul 2024, 12:15

Type	Values Removed	Values Added
Summary		(es) Se encontró una vulnerabilidad de condición de ejecución del controlador de señales en el servidor de OpenSSH (sshd), donde un cliente no se autentica dentro de los segundos de LoginGraceTime (120 de forma predeterminada, 600 en versiones anteriores de OpenSSH), luego se llama al controlador SIGALRM de sshd de forma asincrónica. Sin embargo, este controlador de señales llama a varias funciones que no son seguras para señales asíncronas, por ejemplo, syslog(). Este problema lo deja vulnerable a una condición de ejecución del controlador de señales en la función cleanup_exit(), que introduce la misma vulnerabilidad que CVE-2024-6387 en el hijo sin privilegios del servidor SSHD.
References		() http://www.openwall.com/lists/oss-security/2024/07/09/2 -

09 Jul 2024, 06:15

Type	Values Removed	Values Added
References		() https://explore.alas.aws.amazon.com/CVE-2024-6409.html - () https://security-tracker.debian.org/tracker/CVE-2024-6409 - () https://sig-security.rocky.page/issues/CVE-2024-6409/ - () https://ubuntu.com/security/CVE-2024-6409 -

08 Jul 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-08 18:15

Updated : 2024-09-12 20:15

NVD link : CVE-2024-6409

Mitre link : CVE-2024-6409

CVE.ORG link : CVE-2024-6409

JSON object : View

Products Affected

No product.

CWE

CWE-364

Signal Handler Race Condition

7.0 /10