CVE-2024-7589 - Signal Handler Vulnerability in sshd(8) Allowing Unauthenticated Remote Code Execution as Root

A new security vulnerability has been discovered in sshd(8), affecting systems that use the OpenSSH implementation in FreeBSD. The vulnerability, identified as CVE-2024-7589, involves a signal handler in sshd(8) that may call a logging function that is not async-signal-safe. A determined attacker may be able to exploit this vulnerability to execute unauthorized remote code as root, without any authentication.

Background

The signal handler issue occurs when a client does not successfully authenticate within LoginGraceTime seconds (the default period is 120 seconds). The signal handler operates in the context of sshd(8)'s privileged code, which is not sandboxed and runs with full root privileges. This vulnerability is related to the problem initially addressed in FreeBSD-SA-24:04.openssh and tagged as CVE-2024-6387. The faulty code in this instance stems from the integration of blacklistd in OpenSSH in FreeBSD.

Exploit Details

The core issue with CVE-2024-7589 lies in the fact that the signal handler calls functions that are not async-signal-safe within the sshd(8) privileged context. Because of this, a race condition exists that a skilled attacker could potentially exploit to achieve unauthenticated remote code execution as root.

In order to get a clear understanding of the issue, let's take a look at a code snippet from sshd(8):

static void
sigalrm_handler(int sig)
{
    /* Runs in signal context inside the privileged (root) sshd process. */
    if (child_state == CS_AUTHENTICATING)
        /* verbose() is not async-signal-safe: it may take locks or
         * allocate memory, which is the source of the race condition. */
        verbose("LoginGraceTime exceeded for %s, closing connection.",
            remote_ip);
    /* exit(3) runs atexit handlers and flushes stdio; it is also not
     * async-signal-safe (unlike _exit(2)). */
    exit(255);
}

In the example above, the signal handler sigalrm_handler gets invoked when the client fails to authenticate within the specified LoginGraceTime. The handler then calls the verbose logging function, which is not async-signal-safe. This creates a race condition that could be exploited by an attacker to gain unauthorized access to the privileged sshd(8) context and execute remote code as the root user.

Mitigation

FreeBSD has released a patch to resolve this vulnerability. It is strongly recommended for users to apply the patch immediately and update the affected systems. More details about the patch can be found in the FreeBSD security advisory.

Conclusion

CVE-2024-7589 is a critical vulnerability affecting the signal handler in sshd(8) running on FreeBSD systems. The race condition created by the use of non-async-signal-safe functions in the privileged sshd(8) context could be exploited by an attacker to execute remote code as root without any authentication. It is vital for users to apply the available patch as soon as possible to secure their systems against potential attacks leveraging this vulnerability.

Timeline

Published on: 08/12/2024 13:38:44 UTC
Last modified on: 08/12/2024 16:35:05 UTC