CVE-2024-7589
Published: 2024-08-12
Priority: P2 · 59 · high
CVSS 3.1: 8.1 (high) · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.04% (78.7th percentile)
A signal handler in sshd(8) may call a logging function that is not async-signal-safe. The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default). This signal handler executes in the context of the sshd(8)'s privileged code, which is not sandboxed and runs with full root privileges.
This issue is another instance of the problem in CVE-2024-6387 addressed by FreeBSD-SA-24:04.openssh. The faulty code in this case is from the integration of blacklistd in OpenSSH in FreeBSD.
As a result of calling functions that are not async-signal-safe in the privileged sshd(8) context, a race condition exists that a determined attacker may be able to exploit to allow an unauthenticated remote code execution as root.
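The class of defect described above, as an added example that is not code from OpenSSH, FreeBSD or the advisory: a SIGALRM grace-timeout handler that logs from signal context (the anti-pattern) beside the async-signal-safe alternative, where the handler only sets a flag and the logging call is deferred to ordinary context. The names grace_timeout_unsafe, grace_timeout_safe, install_safe_handler and run_grace_period are hypothetical, and the code assumes SIGALRM is not already blocked when run_grace_period is entered.

```c
/* Added example (not code from OpenSSH or the FreeBSD advisory): contrasts a
 * grace-timeout handler that logs from signal context with the async-signal-safe
 * flag-and-sigsuspend pattern. Function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Anti-pattern (shown, never installed here): a SIGALRM handler that calls a
 * logging routine. fprintf()/syslog() take locks and may call malloc(); if the
 * alarm interrupts the main program inside one of those, the handler re-enters
 * it. That is the class of race the advisory describes. */
void grace_timeout_unsafe(int sig) {
    (void)sig;
    fprintf(stderr, "Timeout before authentication\n"); /* not async-signal-safe */
    _exit(1);
}

/* Safe pattern: the handler only records that the grace period expired.
 * Writing a volatile sig_atomic_t is guaranteed safe in signal context. */
static volatile sig_atomic_t grace_expired = 0;

static void grace_timeout_safe(int sig) {
    (void)sig;
    grace_expired = 1;
}

/* Installs the safe handler for SIGALRM; returns 0 on success, -1 on error. */
int install_safe_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_timeout_safe;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Simulates a pre-authentication wait of `seconds` seconds. SIGALRM is blocked
 * while the flag is checked, and sigsuspend() atomically unblocks it and waits,
 * so the alarm cannot be lost between the check and the wait. Logging happens
 * only after control is back in ordinary (non-signal) context.
 * Assumes SIGALRM is not blocked on entry.
 * Returns 1 when the grace period expired, -1 on setup failure. */
int run_grace_period(unsigned seconds) {
    sigset_t block, old;

    grace_expired = 0;
    if (install_safe_handler() != 0)
        return -1;

    sigemptyset(&block);
    sigaddset(&block, SIGALRM);
    if (sigprocmask(SIG_BLOCK, &block, &old) != 0)
        return -1;

    alarm(seconds);
    while (!grace_expired)
        sigsuspend(&old);          /* returns once the handler has run */

    sigprocmask(SIG_SETMASK, &old, NULL);
    alarm(0);

    /* Ordinary context: non-async-signal-safe calls are fine here. */
    fprintf(stderr, "Timeout before authentication\n");
    return 1;
}

int main(void) {
    return run_grace_period(1) == 1 ? 0 : 1;
}
```

The sigsuspend() loop is used instead of `while (!flag) pause();` because the latter has its own race: an alarm that fires between the flag check and pause() is never noticed. Keeping every non-trivial call out of the handler is also why the advisory's LoginGraceTime 0 workaround removes the exposure: with no alarm there is no signal-context code path at all, at the cost of the MaxStartups exhaustion risk noted below.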
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | — | — |
| freebsd | freebsd | < 13.0 | 13.0 |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | >= 13.1 < 13.3 | 13.3 |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered when a client fails to authenticate within LoginGraceTime (default 120 seconds), causing sshd to invoke an unsafe signal handler. Monitor for repeated SSH connections that do not complete authentication within the grace period, which may indicate exploitation attempts.
- The vulnerable code path is specific to FreeBSD's integration of blacklistd in OpenSSH. Detection should focus on FreeBSD sshd processes; non-FreeBSD OpenSSH deployments (e.g., RHEL) are not affected.
- Exploitation results in unauthenticated remote code execution as root via a race condition in the privileged (unsandboxed) sshd context. Alert on unexpected root-level process spawning from sshd on FreeBSD systems.
- Affected FreeBSD versions: all supported versions prior to 14.1-RELEASE-p3, 14.0-RELEASE-p9, and 13.3-RELEASE-p5. Use version detection to identify unpatched FreeBSD sshd instances.
- Setting LoginGraceTime to 0 in /etc/ssh/sshd_config mitigates the RCE race condition but introduces a denial-of-service risk by allowing exhaustion of all MaxStartups connections.
- This vulnerability is exclusive to FreeBSD's OpenSSH distribution due to the blacklistd integration. Red Hat Enterprise Linux and OpenShift products are confirmed not affected.
- The signal handler executes in the privileged, unsandboxed sshd context with full root privileges, meaning there is no privilege boundary to limit impact upon successful exploitation.
CVSS provenance
- nvd (v3.1): 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- vendor_debian: 8.1 · severity LOW
- vendor_redhat: 8.1 · severity HIGH
Red Hat
openssh: OpenSSH pre-authentication async signal safety issue
vendor_redhat · 2024-08-12 · CVSS 8.1
CVE-2024-7589 [HIGH] CWE-362
BSD
FreeBSD-SA-24:08.openssh: OpenSSH pre-authentication async signal safety issue
bsd_advisories · 2024-08-07 · CVSS 8.1
CVE-2006-5051 [HIGH] FreeBSD-SA-24:08.openssh: OpenSSH pre-authentication async signal safety issue
FreeBSD-SA-24:08.openssh Security Advisory
The FreeBSD Project
Topic: OpenSSH pre-authentication async signal safety issue
Category: contrib
Module: openssh
Announced: 2024-08-07
Affects: All supported versions of FreeBSD.
Corrected: 2024-08-06 19:43:54 UTC (stable/14, 14.1-STABLE)
           2024-08-07 13:44:26 UTC (releng/14.1, 14.1-RELEASE-p3)
           2024-08-07 13:44:40 UTC (releng/14.0, 14.0-RELEASE-p9)
           2024-08-06 19:46:19 UTC (stable/13, 13.3-STABLE)
           2024-08-07 13:44:58 UTC (releng/13.3, 13.3-RELEASE-p5)
CVE Name: CVE-2024-7589
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenti
Debian
CVE-2024-7589: openssh - A signal handler in sshd(8) may call a logging function that is not async-signal...
vendor_debian · 2024 · CVSS 8.1
CVE-2024-7589 [HIGH]
Scope: local
bookworm: resolved
bu
GHSA
GHSA-j7jm-6q5x-ffr4: A signal handler in sshd(8) may call a logging function that is not async-signal-safe
ghsa_unreviewed · 2024-08-12 · CVSS 8.1
CVE-2024-7589 [HIGH] CWE-362
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-08-12