ssh server vulnerable to regreSSHion?

Tom Kent tom@teeks99.com
Thu Jul 4 15:31:23 GMT 2024


For anyone not aware, a major, remotely exploitable vulnerability has been
found in OpenSSH servers.

It has been assigned CVE-2024-6387 [1] and titled "regreSSHion" [2] because
it is actually a regression of a pair of early 2000s bugs:
CVE-2006-5051 and CVE-2008-4109.

The vulnerability is a race condition related to its interaction with
glibc. Because of the way Cygwin is built, it isn't clear to me if this is
something that could possibly be impacting or not, thus I wanted to see if
smarter heads could identify if this is a potential (or actual) issue.

Either way, it might be nice to get a determination posted somewhere for
people to find, as I expect there will be more out there wondering about
this in the next days/weeks.

Thanks,
Tom Kent


[1] https://www.cve.org/CVERecord?id=CVE-2024-6387
[2] https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
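An added example, not from this thread and not Cygwin's or OpenSSH's own code: a small Python checker that classifies an sshd version banner against the affected version ranges published in the Qualys advisory linked at [2], and inspects an sshd_config for the "LoginGraceTime 0" workaround that advisory describes. The version cut-offs and the workaround are taken from that advisory rather than from this message; the banners and config text are constructed samples, and a version check cannot see whether a vendor backported the fix.

```python
import re
from typing import Optional, Tuple

# Cut-offs as published in the Qualys regreSSHion advisory (assumption: taken
# from the advisory, not from this thread). Compared as (major, minor) tuples.
PRE_FIX_END = (4, 4)      # < 4.4p1: vulnerable unless patched for CVE-2006-5051 / CVE-2008-4109
REGRESSED_FROM = (8, 5)   # 8.5p1 reintroduced the bug (CVE-2024-6387)
FIXED_IN = (9, 8)         # 9.8p1 fixes it

# Matches the identification string sshd sends, e.g. "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4".
# The portable-release suffix ("p1") is optional because some builds omit it.
BANNER_RE = re.compile(r"SSH-\d\.\d-OpenSSH_(\d+)\.(\d+)(?:p\d+)?")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an OpenSSH banner, or None for other servers."""
    m = BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(banner: str) -> str:
    """Classify a banner against the advisory's ranges. Distro backports are invisible here."""
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown (not an OpenSSH banner)"
    if v < PRE_FIX_END:
        return "vulnerable unless patched for CVE-2006-5051/CVE-2008-4109"
    if v < REGRESSED_FROM:
        return "not vulnerable"
    if v < FIXED_IN:
        return "vulnerable (CVE-2024-6387) unless the vendor backported the fix"
    return "fixed"


def login_grace_time_disabled(sshd_config: str) -> bool:
    """True if the config applies the advisory's workaround (LoginGraceTime 0).

    sshd honours the first occurrence of a keyword, and LoginGraceTime is not
    valid inside a Match block, so scanning stops at the first Match line.
    The advisory notes that this setting trades the race for a denial of service.
    """
    for line in sshd_config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "logingracetime" and len(parts) == 2:
            return parts[1].strip().isdigit() and int(parts[1]) == 0
    return False  # default is 120 seconds, i.e. the workaround is not applied
```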

