How to fix OpenSSH vulnerability CVE-2024-6387

A signal handler race condition was found in OpenSSH’s server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd’s SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog (). This vulnerability enables remote unauthenticated attackers to execute arbitrary code on the target server, presenting a severe risk to systems that run OpenSSH sshd servers for remote access.

Although the possibility of remote code execution, the complexity to achieve that is very high and time consuming due to the need of winning a race condition. If the attacker doesn’t achieve such a win, the most likely outcome is to have the sshd server crash, generating only the availability impact. To achieve the condition mentioned before a huge number of connections to the targeted server may be needed, which may eventually be easily noticed via network monitoring tools.

Affected OpenSSH Versions
(Versions before 4.4p1, Versions 8.5p1 to 9.8p1)

How to check the OpenSSH version being run on server to see if it’s in vulnerable versions?

				
					#sshd –V 
OpenSSH_8.5p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022

How to fix OpenSSH vulnerability CVE-2024-6387?

Step 1: Upgrade to OpenSSH version to 9.8

If the OpenSSH upgrade is not available, go to step 2.

Step 2: The issue can be mitigated by setting the LoginGraceTime parameter to 0 in the sshd configuration file.

LoginGraceTime :- It refers to the maximum amount of time a user has to successfully authenticate after initiating a connection to the SSH server. It’s an important configuration parameter for managing security and resource utilization on SSH servers. Configure the LoginGraceTime in the /etc/ssh/sshd_config file by specifying a duration in seconds. If LoginGraceTime is not explicitly set in the configuration file, the default value(around 120 seconds) might be used.

Step 2.1: Edit the file /etc/ssh/sshd_config as the root user

				
					            vi /etc/ssh/sshd_config

Step 2.2: Set the parameter: LoginGraceTime 0

				
					 LoginGraceTime 0

Step 2.3: SSHD configuration syntax check: sshd -t

				
					sshd -t

Step 2.4: Restart the sshd daemon: systemctl restart sshd.service

				
					          systemctl restart ssh

Step 2.5: Verify the change in sshd configuration the file /etc/ssh/sshd_config as the root user

				
					sshd -T|grep -i LoginGraceTime 
logingracetime 0

Default OpenSSH version in different OS’s:

Find the OpenSSH version by running the command (sshd -V).

Ubuntu 24	OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024
Ubuntu 22	OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022
Ubuntu 20	OpenSSH 8.2p1
Ubuntu 18	OpenSSH 7.6p1
RockyLinux 9 / RHEL 9 / AlmaLinux 9	OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
RockyLinux 8 / RHEL 8 / AlmaLinux 8 / CentOS 8	OpenSSH_7.8p1, OpenSSL 1.1.1k FIPS 25 Mar 2021
Debian 11	OpenSSH 8.4
Debian 10	OpenSSH 7.9p1
CentOS 7	OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017

Note :-

The sshd server will still be vulnerable to Denial-of-Service attacks due to the possibility of MaxStartups connection exhaustion, however it’ll be safe against possible remote code execution attacks. Therefore, It is recommended to put the Ezeelogin gateway server behind a VPN or firewall to mitigate this.

References :
1. https://www.cve.org/CVERecord?id=CVE-2024-6387
2. https://access.redhat.com/security/cve/CVE-2024-6387

3. https://nvd.nist.gov/vuln/detail/CVE-2024-6387

4. https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt