NetBSD Security Advisory 2024-002: OpenSSH CVE-2024-6387 `regreSSHion'
2 July, 2024 by security-officer@netbsd.org | netbsd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                 NetBSD Security Advisory 2024-002
                 =================================

Topic:          OpenSSH CVE-2024-6387 `regreSSHion'

Version:        NetBSD-current:     affected prior to 2024-07-02
                NetBSD 10.0:        affected
                NetBSD 9.4:         affected
                pkgsrc:             affected prior to openssh-9.8p1

Severity:       Remote code execution in sshd(8)

Fixed:          NetBSD-current:     2024-07-01
                NetBSD-10 branch:   2024-07-01
                NetBSD-9 branch:    2024-07-01
                pkgsrc-current:     2024-07-01
                pkgsrc-2024Q2:      2024-07-02

Please note that NetBSD releases prior to 9.4 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

The sshd(8) login grace time expiry message is issued from signal
handler context, where it is not safe, and may cause heap corruption,
potentially leading to remote code execution.

This vulnerability has been assigned CVE-2024-6387.  See
https://www.qualys.com/regresshion-cve-2024-6387/ for more information.


Technical Details
=================

The sshd(8) LoginGraceTime option sets the maximum time that sshd(8)
will wait for a new connection to authenticate, to mitigate denial of
service attacks.  If set to zero, there is no maximum time.

The option is implemented in sshd(8) by a SIGALRM handler.  The SIGALRM
handler logs a message with syslog_r(3), formatted to be safe for
terminals with strnvis(3).  Both of these library routines may call
malloc(3), which is not async-signal-safe.

If the SIGALRM is delivered while another part of sshd(8) is interrupted
during a malloc(3) call (or a related function such as calloc(3) or
free(3)), this can corrupt malloc's internal data structures, which can
lead to remote code execution.


Solutions and Workarounds
=========================

Workaround: Set

        LoginGraceTime 0

in the sshd_config(5) file.  This prevents the heap corruption
vulnerability.  However, it may allow denial of service attacks against
sshd(8) by clients that open connections and idle forever without
authenticating.
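The following added example is not part of this advisory or of the NetBSD
sources.  It audits whether a given sshd_config(5) file applies the
LoginGraceTime 0 workaround, using two rules from sshd_config(5): sshd(8)
takes the first occurrence of a keyword, and an unset LoginGraceTime means
the documented default of 120 seconds.  The sample configuration files it
writes under a temporary directory are constructed for the example; the
function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether an sshd_config(5)
# file applies the LoginGraceTime 0 workaround.  sshd(8) uses the first
# occurrence of a keyword and, when it is unset, the documented default of
# 120 seconds.  Both sample configuration files below are constructed here.

# Print the effective global LoginGraceTime value from the file named by $1.
# Only the whitespace-separated "Keyword value" form is handled (not the
# "Keyword=value" form), and parsing stops at the first Match block because
# LoginGraceTime is not permitted inside one.
effective_login_grace_time() {
    awk '
        NF == 0 || $1 ~ /^#/   { next }   # blank lines and comments
        tolower($1) == "match" { exit }   # end of the global section
        tolower($1) == "logingracetime" && !found { val = $2; found = 1 }
        END { print (found ? val : "120") }
    ' "$1"
}

# Convert an sshd time value (plain seconds, or with an s/m/h suffix) to
# a number of seconds.
to_seconds() {
    case "$1" in
        *[sS]) echo "${1%?}" ;;
        *[mM]) echo $(( ${1%?} * 60 )) ;;
        *[hH]) echo $(( ${1%?} * 3600 )) ;;
        *)     echo "$1" ;;
    esac
}

# Exit status 0 if the file named by $1 disables the grace-time SIGALRM
# (LoginGraceTime 0), 1 otherwise.
grace_workaround_applied() {
    secs=$(to_seconds "$(effective_login_grace_time "$1")")
    [ "$secs" -eq 0 ]
}

# Constructed sample configurations (not real system files).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

WORKAROUND_CFG="$SAMPLE_DIR/sshd_config.workaround"
cat > "$WORKAROUND_CFG" <<'EOF'
# LoginGraceTime 2m is commented out here and must be ignored
Port 22
LoginGraceTime 0
LoginGraceTime 2m
Match User backup
    PasswordAuthentication no
EOF

DEFAULT_CFG="$SAMPLE_DIR/sshd_config.default"
cat > "$DEFAULT_CFG" <<'EOF'
Port 22
PermitRootLogin no
Match Address 192.0.2.0/24
    PasswordAuthentication no
EOF

for cfg in "$WORKAROUND_CFG" "$DEFAULT_CFG"; do
    if grace_workaround_applied "$cfg"; then
        printf '%s: LoginGraceTime 0 set; grace-time SIGALRM handler disabled\n' "$cfg"
    else
        printf '%s: LoginGraceTime is %s; grace-time handler still active\n' \
            "$cfg" "$(effective_login_grace_time "$cfg")"
    fi
done
```

The second sample shows the case to watch for: a configuration that never
mentions LoginGraceTime still has the 120 second default and therefore the
SIGALRM handler.  The check only audits the configuration; it does not
replace installing the fixed libssh described below.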
Alternative workaround: Install security/openssh from pkgsrc and switch
to the pkgsrc version.

To apply a fixed version from a releng build, fetch a fitting base.tgz or
base.tar.xz from nycdn.NetBSD.org and extract the fixed binaries:

        cd /var/tmp
        ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.SUFX
        cd /
        tar xzpf /var/tmp/base.SUFX /usr/lib/libssh.so.46.1   # netbsd-current
        tar xzpf /var/tmp/base.SUFX /usr/lib/libssh.so.46.1   # netbsd-10
        tar xzpf /var/tmp/base.SUFX /usr/lib/libssh.so.34.0   # netbsd-9

with the following replacements:

        REL   = the release version you are using
        BUILD = the source date of the build.  20240702* and later will fit
        ARCH  = your system's architecture
        SUFX  = tgz or tar.xz depending on architecture

The following instructions describe how to upgrade your OpenSSH binaries
by updating your source tree and rebuilding and installing a new version
of libssh.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2024-07-01
        should be upgraded to NetBSD-current dated 2024-07-02 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):

                crypto/external/bsd/openssh/dist/log.c

        To update from CVS, re-build, and re-install libssh:

                # cd src
                # cvs update -d -P crypto/external/bsd/openssh/dist
                # cd crypto/external/bsd/openssh/lib
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 10.*:

        Systems running NetBSD 10.* sources dated from before 2024-07-01
        should be upgraded from NetBSD 10.* sources dated 2024-07-02 or
        later.
        The following files/directories need to be updated from the
        netbsd-10 branch:

                crypto/external/bsd/openssh/dist/log.c

        To update from CVS, re-build, and re-install libssh:

                # cd src
                # cvs update -r netbsd-10 -d -P crypto/external/bsd/openssh/dist
                # cd crypto/external/bsd/openssh/lib
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 9.*:

        Systems running NetBSD 9.* sources dated from before 2024-07-01
        should be upgraded from NetBSD 9.* sources dated 2024-07-02 or
        later.

        The following files/directories need to be updated from the
        netbsd-9 branch:

                crypto/external/bsd/openssh/dist/log.c

        To update from CVS, re-build, and re-install libssh:

                # cd src
                # cvs update -r netbsd-9 -d -P crypto/external/bsd/openssh/dist
                # cd crypto/external/bsd/openssh/lib
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Thanks To
=========


Revision History
================

        2024-07-01      Initial release


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
  https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2024-002.txt.asc

Information about NetBSD and NetBSD security can be found at
  https://www.NetBSD.org/
  https://www.NetBSD.org/Security/


Copyright 2024, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2024-002.txt,v 1.2 2024/07/02 12:03:08 riastradh Exp $

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJmg+z9AAoJEIkmHhf170n/mkIQAJbYqQk+ALKW+dPyqWfN7D8u
phA/bPa5CZFisErqoC1Zj7aPtamBVFaO9NgBvSWPbEMWcYCgBAiZoTVtJiKlNE2v
tDJqlCHpNyaMin4h4gUWxRBH8H3nuSTnU3keCFEdGPGnH+q1xOnp/AFSOa7iXzgR
gAUsD7qskw6ZdtSpnxqT0xgTyombSLGiqXUO8PVyc+e3P6lyFn673khu6qXcjRDz
ATUu8zG3EHusNFPti1bOt/DK4k+Vs0VGqEv/buybEjhmMRR0AE2whBIXnz/ttsZQ
qSp3kvVONSm4bovH3vX4g2VYEkPG7a39nkW5ylUcHKMRw9nLgHu96gI3yqkWPbdq
e9cfwohLdiUjhw35CXzEMomBjb8XVBE6PcYNW+afNbJCjmnaV7F6Ek/ou8j4KeoE
pHKmtKKuRw/k0jEbZmEa2CohGpcxNGJ0FLy3106tmV5REJZCVCzBpsVndfg0cUip
rYTJWcaWW6AJFFnk8mbPsTvgZlTRWTxw0QUMFFr3M0PzCdN2jZFNqXudlqfyQB7Q
HwNb1A8OwbBrHR02YJmvuCuOPmaF7szTzsSbOOsmgF8+jQTa9140WTOJJLWbM23+
dKETGSYz7tL4fDaIMsi57HMOQme4ds8QHWaZ93hH8KrlR1jAKB4GnbmuwDNXWeOb
Mqv/RGAvd+uymKBCUMWl
=rivP
-----END PGP SIGNATURE-----