TPS-2024-002 OpenSSH CVE-2024-6387 - Race condition in sshd may allow remote code execution

Overview

A remote code execution vulnerability has been discovered in OpenSSH sshd. At present, only glibc-based Linux systems are known to be vulnerable. SmartOS, being neither Linux nor glibc-based, is not currently known to be affected.

This issue is a regression of CVE-2006-5051 (“Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code”) and therefore may be possible on non-glibc and non-Linux systems, such as SmartOS.

Actions Taken by Us

Although it is not currently known whether SmartOS may be vulnerable, we are releasing a platform image that eliminates the race condition.

Actions You Need to Take

Workaround

A workaround for all users is to set the following in sshd_config and restart the ssh SMF service:

LoginGraceTime 0

This makes sshd(8) vulnerable to a denial of service (the exhaustion of all MaxStartups connections), but makes it safe from the potential remote code execution presented in this advisory.

For the global-zone, this must be done on every boot until the node is rebooted to a fixed platform image.
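
A check for the two conditions this advisory describes: the node runs platform image 20240701T205528Z or later, or LoginGraceTime 0 is set in sshd_config. This is an added example, not MNX or SmartOS tooling; the function names, the constructed sample config and the assumption that the stamp may arrive with a joyent_ prefix (the form `uname -v` is assumed to print on SmartOS) are illustrative.

```shell
#!/bin/sh
# Added example (not from the advisory): does this node still need action?
FIXED_PI="20240701T205528Z"   # fixed platform image named in the advisory

# Succeeds if platform stamp $1 is the fixed image or later. Stamps are
# YYYYMMDDTHHMMSSZ, so string order equals time order. A leading "joyent_"
# (assumed `uname -v` form on SmartOS) is stripped first.
pi_is_fixed() {
    stamp=${1#joyent_}
    case $stamp in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]T[0-9][0-9][0-9][0-9][0-9][0-9]Z) ;;
        *) return 2 ;;   # not a platform stamp: unknown, never "fixed"
    esac
    awk -v a="$stamp" -v b="$FIXED_PI" 'BEGIN { exit !((a "") >= (b "")) }'
}

# Prints the LoginGraceTime sshd would take from config file $1: the first
# uncommented occurrence wins, keywords are case-insensitive, and the
# default is 120 seconds when the keyword is absent. Include is not followed.
effective_grace() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/\r$/, "") }
        /^#/ || /^$/ { next }
        { n = split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "logingracetime" && n >= 2 { print f[2]; found = 1; exit }
        END { if (!found) print "120" }
    ' "$1"
}

# Prints one of: fixed-platform, workaround-applied, needs-action.
assess() {
    if pi_is_fixed "$1"; then echo fixed-platform
    elif [ "$(effective_grace "$2")" = "0" ]; then echo workaround-applied
    else echo needs-action
    fi
}

# Usage: sh check.sh <platform-stamp> <path-to-sshd_config>
if [ $# -eq 2 ]; then
    assess "$1" "$2"
else
    # Constructed sample: a commented default followed by the workaround line.
    sample=$(mktemp)
    printf '#LoginGraceTime 2m\nLoginGraceTime 0\n' > "$sample"
    assess "joyent_20240601T000000Z" "$sample"   # constructed older stamp
    rm -f "$sample"
fi
```

The parser reads a single file; on a running node, `sshd -T` prints the configuration sshd actually resolves.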

SmartOS users (Triton or stand-alone)

Compute nodes should be rebooted to platform image 20240701T205528Z or later to eliminate the potential vulnerability.

For Triton users

Execute the following commands from the headnode.

sdcadm platform install 20240701T205528Z -C release
sdcadm platform assign 20240701T205528Z --all
sdcadm platform set-default 20240701T205528Z

Schedule reboots for all compute nodes.

For SmartOS users with piadm

piadm install 20240701T205528Z
piadm activate 20240701T205528Z

Reboot the node.

For other SmartOS users

Update your boot media to use image 20240701T205528Z, then reboot the node. Boot images are available from:

https://us-central.manta.mnx.io/Joyent_Dev/public/SmartOS/smartos.html

Support

If you are an MNX customer and have any further questions or concerns after reading the information provided above, please contact MNX Support.

If you are an Open Source SmartOS/Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.

References