The founder of Openwall has discovered a new signal handler race condition in the core sshd
daemon used in RHEL 9.x and its various offshoots.
The new flaw, tagged as CVE-2024-6409, was found by Openwall’s Alexander Peslyak, known in the security world as Solar Designer. It affects the sshd
daemon versions 8.7p1 and 8.8p1, which were used in Fedora 36 and 37 as well as Red Hat Enterprise Linux 9 – and of course the various RHELatives as well.
The flaw was announced earlier this week on the oss-security mailing list, and the AlmaLinux team has already released a fix – beating the bigger players. As AlmaLinux’s Andrew Lukoshko said:
It’s not long since the “regreSSHion” OpenSSH bug, which The Register covered earlier this month and which is more formally known as CVE-2024-6387. That one had broader reach, affecting OpenSSH from 8.5p1 to 9.7p1. This issue is unrelated, but it’s potentially nasty, because it affects a part of OpenSSH that’s running with reduced privileges.
Peslyak’s analysis of the issue is quite damning. He says that the affected versions…
In other words, calling a function from somewhere it shouldn’t get called from created a bug… and just like the regreSSHion bug, this potentially allows remote code execution: the ability to send code to a remote machine, and then trick that machine into running your code. The Debian project’s explanation explains the significance in plainer language: although this is a high-severity bug, it’s running in a process with separated privilges. This means that the affected code is running like an ordinary user account, not an administrative account, so the potential attack is more limited.
Peslyak continues:
In other words, it looks as if some hapless coder from the IBM subsidiary introduced this bug in the company’s own version of the code. It sounds to us like Peslyak is unhappy with how the Big Purple Hat handled this:
The good news is that (at least, in theory) nobody sensible will be affected by the Fedora issue, because those versions are both end of life: version 36 in May last year, and version 37 last December. As it was a Red Hat change, then other distros should be immune, but just to soothe shattered nerves, Canonical states that Ubuntu users need not fear, as no still-supported version uses those releases. ®