ssh vulnerability CVE-2024-6387

Brian Inglis Brian.Inglis@SystematicSW.ab.ca
Wed Jul 17 16:46:47 GMT 2024


On 2024-07-17 07:25, Bill Stewart via Cygwin wrote:
> On Wed, Jul 17, 2024 at 6:25 AM Lemons, Terry via Cygwin wrote:
>> Vulnerability scanners run at my company have detected the following
>> vulnerability in the Cygwin sshd:
>>
>> CVE-2024-6387    CVSS 3: 8.1
>>
>> OpenSSH could allow a remote attacker to execute arbitrary code on the
>> system, caused by a signal handler race condition. By sending a specially
>> crafted request, an attacker could exploit this vulnerability to execute
>> arbitrary code with root privileges on glibc-based Linux systems.
>>
>> OpenSSH Vulnerability: CVE-2024-6387
>>
>>    *   Published: 07- 1-24 00:00
>>    *   Diagnosis:
>>
>> A signal handler race condition was found in OpenSSH's server (sshd),
>> where a client does not authenticate within LoginGraceTime seconds (120 by
>> default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is
>> called asynchronously. However, this signal handler calls various functions
>> that are not async-signal-safe, for example, syslog().
>>
>>    *   Solution:
>>
>> Upgrade to the latest version of OpenSSH
>>
>> Download and apply the upgrade from:
>> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH
>>
>> The latest version of OpenSSH is 9.6.
>>
>> While you can always build OpenSSH from source, many platforms and
>> distributions provide pre-built binary packages for OpenSSH. These
>> pre-built packages are usually customized and optimized for a particular
>> distribution, therefore we recommend that you use the packages if they are
>> available for your operating system.
>>
>> Running SSH service
>> Product OpenSSH exists -- OpenBSD OpenSSH 9.8
>> Vulnerable version of product OpenSSH found -- OpenBSD OpenSSH 9.8
>> Vulnerable version of OpenSSH detected on Microsoft Windows
>>
>> My Cygwin installation is using openssh 9.8p1-1 which, at this writing, is
>> the latest available version.
>>
>> What are the plans to address this vulnerability in cygwin's openssh
>> component?
>>
> 
> I'm not sure I understand the concern. When I look at CVE-2024-6387[1], it
> says version 9.8 (which you are running) is not affected.
> 
> [1] https://nvd.nist.gov/vuln/detail/CVE-2024-6387

This appears to be a not-so-good vulnerability scan product report: it does 
not definitively point to the path and version considered vulnerable, and it 
says *9.6* is the latest version, which would make it 6 months out of date. If 
it is Cygwin 9.8p1 it is reporting on, regreSSHion is reported as an OpenSSH 
sshd RCE with a Linux glibc issue by the RH CNA against RH CPEs, which may have 
their own patches causing issues, and 9.8p1 should fix any issues.

It is more likely that it is detecting and reporting on the ancient Windows version:

$ llgo /proc/cygdrive/c/windows/system32/OpenSSH/
total 3.0M
-rwxr-x---+ 2 387K May 19  2021 moduli*
-rwxr-x---+ 2 301K May 19  2021 scp.exe*
-rwxr-x---+ 2 366K May 19  2021 sftp.exe*
-rwxr-x---+ 2 300K May 19  2021 sftp-server.exe*
-rwxr-x---+ 2 924K May 19  2021 ssh.exe*
-rwxr-x---+ 2 470K May 19  2021 ssh-add.exe*
-rwxr-x---+ 2 374K May 19  2021 ssh-agent.exe*
-rwxr-x---+ 2 985K May 19  2021 sshd.exe*
-rwxr-x---+ 2 2.3K May 19  2021 sshd_config_default*
-rwxr-x---+ 2 647K May 19  2021 ssh-keygen.exe*
-rwxr-x---+ 2 545K May 19  2021 ssh-keyscan.exe*
-rwxr-x---+ 2 148K May 19  2021 ssh-shellhost.exe*
$ /proc/cygdrive/c/windows/system32/OpenSSH/ssh -V
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2

unless that has been purged from your systems.

That NVD report has a bunch of links to RH issues irrelevant to the RCE.

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                 -- Antoine de Saint-Exupéry

