CVE-2024-7589
published 2024-08-12

Priority: P2 · 59 · high
CVSS 3.1 base score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.04% (78.7th percentile)
A signal handler in sshd(8) may call a logging function that is not async-signal-safe. The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default). This signal handler executes in the context of the sshd(8)'s privileged code, which is not sandboxed and runs with full root privileges. This issue is another instance of the problem in CVE-2024-6387 addressed by FreeBSD-SA-24:04.openssh. The faulty code in this case is from the integration of blacklistd in OpenSSH in FreeBSD. As a result of calling functions that are not async-signal-safe in the privileged sshd(8) context, a race condition exists that a determined attacker may be able to exploit to allow an unauthenticated remote code execution as root.

Affected (6 ranges)

Vendor  | Product | Version range   | Fixed in
debian  | openssh |                 |
freebsd | freebsd | < 13.0          | 13.0
freebsd | freebsd |                 |
freebsd | freebsd |                 |
freebsd | freebsd |                 |
freebsd | freebsd | >= 13.1, < 13.3 | 13.3

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered when a client fails to authenticate within LoginGraceTime (default 120 seconds), causing sshd to invoke an unsafe signal handler. Monitor for repeated SSH connections that do not complete authentication within the grace period, which may indicate exploitation attempts.
  • The vulnerable code path is specific to FreeBSD's integration of blacklistd in OpenSSH. Detection should focus on FreeBSD sshd processes; non-FreeBSD OpenSSH deployments (e.g., RHEL) are not affected.
  • Exploitation results in unauthenticated remote code execution as root via a race condition in the privileged (unsandboxed) sshd context. Alert on unexpected root-level process spawning from sshd on FreeBSD systems.
  • Affected FreeBSD versions: all supported versions prior to 14.1-RELEASE-p3, 14.0-RELEASE-p9, and 13.3-RELEASE-p5. Use version detection to identify unpatched FreeBSD sshd instances.
  • Setting LoginGraceTime to 0 in /etc/ssh/sshd_config mitigates the RCE race condition but introduces a denial-of-service risk by allowing exhaustion of all MaxStartups connections.
  • This vulnerability is exclusive to FreeBSD's OpenSSH distribution due to blacklistd integration. Red Hat Enterprise Linux and OpenShift products are confirmed not affected.
  • The signal handler executes in the privileged, unsandboxed sshd context with full root privileges, meaning there is no privilege boundary to limit impact upon successful exploitation.
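The two detection points above (repeated grace-period timeouts from one client, and unpatched FreeBSD patch levels) can be turned into concrete checks. The script below is an added example for this record, not code from FreeBSD, OpenSSH or this database. It assumes sshd log lines in the usual syslog layout carrying sshd's "Timeout before authentication for <ip> port <n>" message (the sample lines are constructed, and syslog timestamps have no year, so one is supplied), and it takes the fixed patch levels 14.1-RELEASE-p3, 14.0-RELEASE-p9 and 13.3-RELEASE-p5 from the bullet above. The burst threshold and window are illustrative tuning values, not figures from the record.

```python
"""Defender-side checks for CVE-2024-7589 on FreeBSD hosts (added example).

  1. is_patched(): compares a `freebsd-version`-style string against the fixed
     patch levels listed in the record above.
  2. find_grace_timeout_bursts(): scans sshd log lines for clients that keep
     hitting the LoginGraceTime timeout, the precondition for the unsafe
     signal handler being invoked at all.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fixed patch level per FreeBSD release branch, from the record above.
FIXED_PATCH_LEVEL = {(14, 1): 3, (14, 0): 9, (13, 3): 5}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-RELEASE(?:-p(\d+))?$")


def parse_freebsd_version(version):
    """Return (major, minor, patch) for e.g. '14.1-RELEASE-p2'.

    A bare '14.1-RELEASE' is patch level 0; -STABLE/-CURRENT builds return None
    because patch levels do not apply to them."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_patched(version):
    """True if at or above the fixed patch level, False if below, None if the
    branch is not one the record lists (non-RELEASE, EoL, or newer branches)."""
    parsed = parse_freebsd_version(version)
    if parsed is None:
        return None
    major, minor, patch = parsed
    fixed = FIXED_PATCH_LEVEL.get((major, minor))
    if fixed is None:
        return None
    return patch >= fixed


# Anchors only the tail of sshd's grace-timeout message; the "fatal:" prefix
# and syslog header vary with logging configuration (assumed layout).
_TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: .*"
    r"Timeout before authentication for (?P<src>\S+) port \d+"
)


def find_grace_timeout_bursts(lines, threshold=3, window=timedelta(minutes=10), year=2024):
    """Return {source_ip: count} for sources with at least `threshold` grace
    timeouts inside any `window`-long span. `year` is supplied because syslog
    timestamps omit it (assumption for the example)."""
    events = defaultdict(list)
    for line in lines:
        m = _TIMEOUT_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events[m.group("src")].append(ts)

    flagged = {}
    for src, stamps in events.items():
        stamps.sort()
        start, best = 0, 0
        # Sliding window: advance `start` until the span fits inside `window`.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_SSHD_LOG = [
    "Aug 12 09:30:00 bsdhost sshd[1100]: fatal: Timeout before authentication for 192.0.2.10 port 50001",
    "Aug 12 10:00:01 bsdhost sshd[1201]: fatal: Timeout before authentication for 192.0.2.10 port 51234",
    "Aug 12 10:01:31 bsdhost sshd[1207]: fatal: Timeout before authentication for 192.0.2.10 port 51240",
    "Aug 12 10:02:15 bsdhost sshd[1210]: fatal: Timeout before authentication for 198.51.100.7 port 40022",
    "Aug 12 10:02:40 bsdhost sshd[1211]: Accepted publickey for alice from 203.0.113.5 port 50100 ssh2",
    "Aug 12 10:03:02 bsdhost sshd[1213]: fatal: Timeout before authentication for 192.0.2.10 port 51251",
    "Aug 12 10:04:33 bsdhost sshd[1219]: fatal: Timeout before authentication for 192.0.2.10 port 51263",
]

if __name__ == "__main__":
    for v in ("14.1-RELEASE-p2", "14.1-RELEASE-p3", "13.3-RELEASE-p5", "14.1-STABLE"):
        print(f"{v:18} patched={is_patched(v)}")
    # 192.0.2.10 has four timeouts within ten minutes; the 09:30 one falls outside.
    print("grace-timeout bursts:", find_grace_timeout_bursts(SAMPLE_SSHD_LOG))
```

On a real host, feed `freebsd-version -k` (kernel) and `freebsd-version -u` (userland) to `is_patched` separately, since the sshd fix lives in userland; a `None` result means the branch is outside the record's list and needs a manual look rather than a green tick.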

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.1   | HIGH     | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_debian |         | 8.1   | LOW      |
vendor_redhat |         | 8.1   | HIGH     |