Advisory ID: ZPE-NG-2024-001
First Published: July 8, 2024
CVE ID: CVE-2024-6387 (details on NIST.gov)
CVSSv3 Score: 8.1 (High)
If a client does not authenticate within LoginGraceTime seconds, by default three minutes, then sshd's SIGALRM handler is called asynchronously, and this handler calls functions that are not “async-signal-safe”, leading to a race condition that can theoretically be exploited on Linux systems using glibc.
A signal handler race condition in OpenSSH’s sshd server may allow unauthenticated remote code execution.
As of the release date of the CVE, there are no publicly known working exploits on amd64 based on this vulnerability.
The immediate solution we recommend is to install a package that updates OpenSSH to address the vulnerability, as described in the Solutions section.
Mitigations are proposed in this section as an alternative to installing the update package; the recommended mitigation is to configure the firewall to allow only trusted hosts.
Configure firewall rules to allow SSH connections only from trusted hosts, denying everyone else.
This should be implemented on any interface that may receive untrusted incoming traffic, with special attention to any interface exposed to the internet including LTE interfaces with public IP addresses.
This should be configured for both IPv4 and IPv6.
First, identify which hosts should be trusted, and then add rules to the INPUT chain to ACCEPT them.
For example, from the web UI or from the CLI:
cd settings/ipv4_firewall/chains/INPUT/
set source_net4=<host_or_network_to_allow>
set input_interface=<interface_or_any>
set protocol=tcp
set destination_port=22
set target=ACCEPT
commit
Only after the allow rules are in place, add a firewall rule to DROP anyone else.
For example, from the web UI or from the CLI:
cd settings/ipv4_firewall/chains/INPUT/
set input_interface=<interface_or_any>
set protocol=tcp
set destination_port=22
set target=DROP
commit
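The two CLI blocks above only describe the intended end state; they do not tell you whether the resulting chain actually matches it. The following is an added audit helper (not part of the ZPE advisory or of Nodegrid OS) that reads the rule-spec output of iptables -S INPUT and ip6tables -S INPUT and reports the mistakes this mitigation is prone to: the DROP placed before the ACCEPT rules (so trusted hosts are locked out), an ACCEPT for a source that is not on the trusted list, no catch-all DROP at all, or an IPv6 chain that was never configured. The sample dumps and the trusted-host list are constructed for illustration; the ssh_port parameter lets the same check be rerun after the SSH port has been changed, since the rules must then reference the new port.

```python
"""Audit INPUT-chain rules for the "allow trusted hosts, then DROP" SSH mitigation.

Input format assumed: the rule-spec output of `iptables -S INPUT` /
`ip6tables -S INPUT` (one `-A INPUT ...` line per rule).  Everything below,
including the sample dumps, is constructed for this example; nothing was
captured from a Nodegrid appliance.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

RULE_RE = re.compile(r"^-A INPUT\s+(?P<body>.*)$")


@dataclass
class Rule:
    source: Optional[str]   # None means "any source"
    dport: Optional[int]    # None means the rule is not port-specific
    target: Optional[str]   # ACCEPT, DROP, ...
    interface: Optional[str]


def parse_rules(dump: str) -> List[Rule]:
    """Parse `-A INPUT` lines; policy (-P) and chain (-N) lines are skipped."""
    rules: List[Rule] = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        toks = m.group("body").split()
        src = dport = target = iface = None
        i = 0
        while i < len(toks):
            t = toks[i]
            if t == "-s":
                src = toks[i + 1]; i += 2
            elif t == "--dport":
                dport = int(toks[i + 1]); i += 2
            elif t == "-j":
                target = toks[i + 1]; i += 2
            elif t == "-i":
                iface = toks[i + 1]; i += 2
            elif t in ("-p", "-m"):
                i += 2               # protocol / match module: value not needed here
            else:
                i += 1
        rules.append(Rule(src, dport, target, iface))
    return rules


def audit_ssh_rules(dump: str, trusted: List[str], ssh_port: int = 22) -> List[str]:
    """Return findings for the rules that match ssh_port; an empty list means OK."""
    findings: List[str] = []
    rules = [r for r in parse_rules(dump) if r.dport == ssh_port]
    trusted_nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    # Position of the catch-all DROP (no source restriction) for this port.
    drop_idx = next((i for i, r in enumerate(rules)
                     if r.target == "DROP" and r.source is None), None)
    if drop_idx is None:
        findings.append(f"no catch-all DROP for tcp/{ssh_port}")
    for i, r in enumerate(rules):
        if r.target != "ACCEPT":
            continue
        if r.source is None:
            findings.append(f"ACCEPT for tcp/{ssh_port} from any source (rule {i + 1})")
            continue
        net = ipaddress.ip_network(r.source, strict=False)
        if not any(net.subnet_of(t) for t in trusted_nets if t.version == net.version):
            findings.append(f"ACCEPT from {r.source} is not in the trusted list")
        if drop_idx is not None and i > drop_idx:
            # Rules are evaluated top-down: an ACCEPT after the DROP never matches.
            findings.append(f"ACCEPT from {r.source} comes after the DROP and is never reached")
    return findings


# Constructed sample data (documentation address ranges, not real hosts).
TRUSTED = ["203.0.113.10", "198.51.100.0/24", "2001:db8::10"]
GOOD_V4 = """-P INPUT ACCEPT
-A INPUT -s 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
"""
GOOD_V6 = """-P INPUT ACCEPT
-A INPUT -s 2001:db8::10/128 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
"""
BAD_V4 = """-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
"""
EMPTY_V6 = "-P INPUT ACCEPT\n"   # IPv6 chain never configured

if __name__ == "__main__":
    for name, dump in [("ipv4 good", GOOD_V4), ("ipv6 good", GOOD_V6),
                       ("ipv4 drop-first", BAD_V4), ("ipv6 empty", EMPTY_V6)]:
        print(name, "->", audit_ssh_rules(dump, TRUSTED) or "OK")
```

Run it against the live output of both iptables -S INPUT and ip6tables -S INPUT; an empty result for both families is what the mitigation above is meant to produce. The drop-first sample illustrates why the advisory insists on adding the DROP only after the allow rules are in place.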
For more information on how to configure the Firewall, please consult the corresponding section in the Nodegrid OS User Guide:
https://docs.zpesystems.com/docs/firewall-tab
Change the SSH port to a random port. This can be done via the web UI under Security :: Services :: SSH TCP Port, or via the CLI with:
cd settings/services/
set ssh_tcp_port=<random_port>
commit
where <random_port> needs to be a number between 1 and 65535 that does not conflict with another port in use. To check ports in use, execute netstat -nlt.
If you added firewall rules to allow only trusted hosts, they need to be updated to use the new port.
Warning: This exposes Nodegrid to a denial of service attack.
Log in as user admin and start a root shell with:
shell sudo su -
Using a text editor such as vim, set LoginGraceTime to 0 in /etc/ssh/sshd_config and restart sshd with:
/etc/init.d/sshd restart
While this eliminates the race condition required for this vulnerability to be exploited, we do not recommend it, as it exposes Nodegrid to a denial of service attack: anyone capable of opening MaxStartups SSH connections and holding them in the authentication phase by never providing a password would effectively prevent any additional SSH connection from succeeding. You may increase MaxStartups in /etc/ssh/sshd_config, but this would simply require the attacker to open more SSH connections.
If you choose to implement this mitigation, it should be reverted after a solution is applied.
An interim solution, consisting of a package that updates sshd on the latest supported versions, is available to customers via Sharefile.
Download the package that applies to your version, 5.8, 5.10, or 6.0, and follow the instructions in the README.txt file.
Please contact support@zpesystems.com if you need help to access and/or install it.