The following summary from Debian’s security list:

The Qualys Threat Research Unit (TRU) discovered that OpenSSH, an implementation of the SSH protocol suite, is prone to a signal handler race condition. If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd’s SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe. A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges. This flaw affects sshd in its default configuration.

    • qprimed@lemmy.ml
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      edit-2
      5 months ago

      indeed, but your SSH ports should not be hanging out in the wind for any old IP to hit.

      • cron
        link
        fedilink
        English
        arrow-up
        3
        ·
        5 months ago

        openssh is typically quite robust, this is a rare exception

  • onlinepersona@programming.dev
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    5
    ·
    5 months ago

    On June 6, 2024, this signal handler race condition was fixed by commit 81c1099 (“Add a facility to sshd(8) to penalise particular problematic client behaviours”), which moved the async-signal-unsafe code from sshd’s SIGALRM handler to sshd’s listener process, where it can be handled synchronously:

    https://github.com/openssh/openssh-portable/commit/81c1099d22b81ebfd20a334ce986c4f753b0db29

    Because this fix is part of a large commit (81c1099), on top of an even larger defense-in-depth commit (03e3de4, “Start the process of splitting sshd into separate binaries”), it might prove difficult to backport.

    Oh shit, now squash on merge folks can claim “defense-in-depth”.

    Always makes me think of this comic by geek and poke

    Anti Commercial-AI license