From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:08.openssh
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240807150017.530DA5A54@freefall.freebsd.org>
Date: Wed, 07 Aug 2024 15:00:17 +0000 (UTC)
List-Archive: https://lists.freebsd.org/archives/freebsd-security

=============================================================================
FreeBSD-SA-24:08.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH pre-authentication async signal safety issue

Category:       contrib
Module:         openssh
Announced:      2024-08-07
Affects:        All supported versions of FreeBSD.
Corrected:      2024-08-06 19:43:54 UTC (stable/14, 14.1-STABLE)
                2024-08-07 13:44:26 UTC (releng/14.1, 14.1-RELEASE-p3)
                2024-08-07 13:44:40 UTC (releng/14.0, 14.0-RELEASE-p9)
                2024-08-06 19:46:19 UTC (stable/13, 13.3-STABLE)
                2024-08-07 13:44:58 UTC (releng/13.3, 13.3-RELEASE-p5)
CVE Name:       CVE-2024-7589

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access.

II.  Problem Description

A signal handler in sshd(8) may call a logging function that is not
async-signal-safe.  The signal handler is invoked when a client does not
authenticate within the LoginGraceTime seconds (120 by default).  This
signal handler executes in the context of the sshd(8)'s privileged code,
which is not sandboxed and runs with full root privileges.

This issue is another instance of the problem in CVE-2024-6387 addressed
by FreeBSD-SA-24:04.openssh.  The faulty code in this case is from the
integration of blacklistd in OpenSSH in FreeBSD.

III. Impact

As a result of calling functions that are not async-signal-safe in the
privileged sshd(8) context, a race condition exists that a determined
attacker may be able to exploit to allow an unauthenticated remote code
execution as root.

IV.  Workaround

If sshd(8) cannot be updated, this signal handler race condition can be
mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and
restarting sshd(8).  This makes sshd(8) vulnerable to a denial of service
(the exhaustion of all MaxStartups connections), but makes it safe from
the remote code execution presented in this advisory.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
restart sshd.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:08/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-24:08/openssh.patch.asc
# gpg --verify openssh.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              73466449a9bf    stable/14-n268414
releng/14.1/                            450425089212  releng/14.1-n267691
releng/14.0/                            c4ade13d5498  releng/14.0-n265423
stable/13/                              d5f16ef6463d    stable/13-n258221
releng/13.3/                            f41c11d7f209  releng/13.3-n257444
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at