
FreeBSD Issues Critical Patch for Severe OpenSSH Vulnerability


The maintainers of the FreeBSD Project have issued an urgent security update to address a high-severity vulnerability in OpenSSH. This flaw could allow attackers to remotely execute arbitrary code with elevated privileges, posing a serious risk to systems running the affected versions of FreeBSD.


Understanding the Vulnerability

The vulnerability, identified as CVE-2024-7589, carries a CVSS score of 7.4 out of 10, highlighting its high severity. As per a security advisory issued last week, the issue lies within the sshd(8) component of OpenSSH, where a signal handler might call a logging function that is not async-signal-safe.

This signal handler is triggered when a client fails to authenticate within the LoginGraceTime period, which is set to 120 seconds by default. The critical concern is that this signal handler runs within the sshd(8) process, which operates with full root privileges and is not sandboxed, making it an attractive target for attackers.

The RegreSSHion Connection

CVE-2024-7589 is described as a variant of a previously identified vulnerability known as regreSSHion (CVE-2024-6387), discovered earlier last month. In this case, the root of the problem stems from the integration of blacklistd within OpenSSH in FreeBSD.

The non-async-signal-safe functions called within the privileged sshd(8) context can create a race condition. A determined attacker could potentially exploit this race condition to gain unauthorized remote code execution as root, making this vulnerability particularly dangerous.

Mitigation and Recommendations

To mitigate this vulnerability, FreeBSD users are strongly encouraged to update their systems to a supported version and restart the SSH service. This update is crucial to protecting against potential exploitation.

A temporary workaround is available for environments where updating sshd(8) is not immediately possible. The race condition can be mitigated by setting the LoginGraceTime parameter to 0 in the /etc/ssh/sshd_config file and restarting sshd(8). This workaround prevents remote code execution, but it introduces a risk of denial-of-service.
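To confirm on a fleet whether the workaround described above is actually in effect, the following added example (not code from the FreeBSD advisory or the OpenSSH project) reads an sshd_config file and reports the effective LoginGraceTime. The function names are constructed for illustration, and the script assumes the setting is not placed in a file pulled in through an Include directive.

```shell
#!/bin/sh
# Added example (not FreeBSD or OpenSSH project code). Function names are
# constructed; Include directives are not followed. On a live host,
# `sshd -T` prints the effective configuration.

# Print the effective LoginGraceTime in seconds (-1 if unparseable).
# sshd keeps the first value it reads for a keyword; unset means 120.
grace_seconds() {
    awk '
        function to_secs(v,    total, tok, unit, mult) {
            if (v == "") return -1
            total = 0
            while (match(v, /^[0-9]+[smhdw]?/)) {   # e.g. 90, 2m, 1h30m
                tok = substr(v, 1, RLENGTH); v = substr(v, RLENGTH + 1)
                unit = substr(tok, length(tok)); mult = 1
                if (unit == "m") mult = 60
                else if (unit == "h") mult = 3600
                else if (unit == "d") mult = 86400
                else if (unit == "w") mult = 604800
                total += (tok + 0) * mult
            }
            return (v == "") ? total : -1
        }
        BEGIN { secs = 120 }
        /^[ \t]*#/ { next }                          # comment line
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)            # "Keyword value" or "Keyword=value"
            if (n < 2 || tolower(f[1]) != "logingracetime") next
            secs = to_secs(tolower(f[2])); exit      # first occurrence wins
        }
        END { print secs }
    ' "$1"
}

# Return 0 when the workaround (LoginGraceTime 0) is in effect, 1 otherwise.
workaround_active() {
    secs=$(grace_seconds "$1")
    if [ "$secs" = "0" ]; then
        echo "$1: LoginGraceTime=0, workaround in effect (denial-of-service risk remains)"
        return 0
    fi
    echo "$1: LoginGraceTime=$secs seconds, grace timer armed; update sshd or apply the workaround"
    return 1
}

# Constructed sample configuration for a stand-alone run.
sample=$(mktemp)
printf '%s\n' '#LoginGraceTime 2m' 'Port 22' 'LoginGraceTime 0' 'LoginGraceTime 30' > "$sample"
workaround_active "$sample"
rm -f "$sample"
```

A changed configuration only takes effect after sshd(8) is restarted, so run the check against the file and then confirm the running daemon was restarted afterwards.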

Conclusion

The swift release of this security patch by the FreeBSD Project underscores the importance of staying up-to-date with security updates, particularly for critical services like OpenSSH. Users need to act promptly to secure their systems and prevent potential exploitation of this high-severity vulnerability.