ssh server vulnerable to regreSSHion?
Brian Inglis
Brian.Inglis@SystematicSW.ab.ca
Thu Jul 4 17:13:12 GMT 2024
On 2024-07-04 09:31, Tom Kent via Cygwin wrote:
> For anyone not aware, a major, remotely exploitable, vulnerability has been
> found in OpenSSH servers.
>
> It has been assigned CVE-2024-6387 [1] and titled "regreSSHion" [2] because
> it is actually a regression of a pair of early 2000s bugs:
> CVE-2006-5051 and CVE-2008-4109.
>
> The vulnerability is a race condition related to its interaction with
> glibc. Because of the way cygwin is built, it isn't clear to me if this is
> something that could possibly be impacting or not, thus I wanted to see if
> smarter heads could identify if this is a potential (or actual) issue.
>
> Either way, it might be nice to get a determination posted somewhere for
> people to find, as I expect there will be more out there wondering about
> this in the next days/weeks.
If you subscribed to Cygwin Announce mailing list
https://cygwin.com/mailman/listinfo/cygwin-announce
https://inbox.sourceware.org/cygwin-announce/
you would have seen the openssh 9.8p1-1 upgrade announcement
https://cygwin.com/pipermail/cygwin-announce/2024-July/011846.html
https://inbox.sourceware.org/cygwin-announce/20240702194232.2039121-1-corinna-cygwin@cygwin.com
which should take care of any potential issues whether vulnerable or not.
The Cygwin OpenSSH maintainer was also involved in pre-release testing:
https://marc.info/?l=openssh-unix-dev&m=171956630724852&w=2
validated the release, and caught an out-of-tree build test bug, so they are
taking care on Cygwin, as Cygwin developers and package maintainers are likely
to be dependent on OpenSSH servers and clients.
The regression issues are dependent on how certain libc functions are
implemented and used, in Cygwin's case by newlib and/or Cygwin functions.
Other newlib and other libc, like musl, hosted implementations may have similar
or independent issues.
Certainly Ubuntu and Debian (both 32 bit) have similar issues with significant
differences.
As the OpenSSH announcement included above says:
"Exploitation on 64-bit systems is believed to be possible but has not been
demonstrated at this time."
It requires weak ASLR applied to sshd and async-signal-unsafe syslog() calling
malloc(), allowing it to be vulnerable to a race condition exploitable by
SIGALRM, for the demonstrated vulnerability.
The ObscureKeystrokeTiming password timing attack is assigned as:
https://www.cve.org/CVERecord?id=CVE-2024-39894
> [1] https://www.cve.org/CVERecord?id=CVE-2024-6387
> [2]
> https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
--
Take care. Thanks, Brian Inglis
Calgary, Alberta, Canada
Perfection is achieved not when there is no more to add
but when there is no more to cut
-- Antoine de Saint-Exupéry