The FreeBSD Project has released security updates to address a high-severity flaw in OpenSSH that attackers could potentially exploit to execute arbitrary code remotely with elevated privileges.
The vulnerability, tracked as CVE-2024-7589, has a CVSS score of 7.4 out of a maximum of 10.0, indicating high severity.
“The signal handler in sshd(8) may call a logging function that is not asynchronous signal safe,” the advisory released last week says.
“The signal handler is called if the client is not authenticated within LoginGraceTime seconds (120 by default). This signal handler executes in the context of privileged sshd(8) code, which is not sandboxed and runs with full root privileges.”
OpenSSH is an implementation of the Secure Shell (SSH) protocol suite that provides encrypted and authenticated transport for various services, including remote shell access.
CVE-2024-7589 has been described as “another instance” of the problem known as regreSSHion (CVE-2024-6387), which came to light early last month.
“The bad code in this case is caused by the integration of blacklistd into OpenSSH on FreeBSD,” the project maintainers said.
“As a result of calling functions that are not async signal safe in a privileged sshd(8) context, there is a race condition that a determined attacker could exploit to allow unauthenticated remote code execution as root.”
FreeBSD users are strongly advised to upgrade to a supported version and restart sshd(8) to mitigate the risk.
Where sshd(8) cannot be updated, the race condition can be mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and restarting sshd(8). Doing so disables the grace-period timer entirely, so the vulnerable signal handler is never invoked, but unauthenticated connections are then never torn down and can accumulate against the MaxStartups limit. This leaves the daemon open to denial of service, but it removes the remote code execution path.
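The workaround above is easy to get wrong by hand, because sshd(8) honours only the first occurrence of a keyword it reads, so appending `LoginGraceTime 0` to the end of a file that already contains `LoginGraceTime 120` has no effect. The following shell snippet is an added example, not code from the FreeBSD advisory or the OpenSSH project: it replaces any existing (including commented-out) LoginGraceTime directive and puts the new one at the top of the file, then reads back the effective value the same way sshd(8) would. The config path and the `demo` function's sample sshd_config contents are constructed for illustration.

```shell
#!/bin/sh
# Apply the CVE-2024-7589 workaround (LoginGraceTime 0) to an sshd_config file.
# Added example; the file contents below are constructed, not a real host's.
set -eu

# set_sshd_option FILE KEY VALUE
# Remove every existing line for KEY (active or commented, case-insensitive),
# then prepend "KEY VALUE". Prepending matters: sshd(8) uses the FIRST value
# it sees for a keyword, so a directive appended at the bottom could be
# shadowed by an earlier one.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    grep -viE "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file" > "$tmp" || true
    { printf '%s %s\n' "$key" "$value"; cat "$tmp"; } > "$file"
    rm -f "$tmp"
}

# get_sshd_option FILE KEY
# Print the value sshd(8) would use for KEY: the first active occurrence.
get_sshd_option() {
    awk -v k="$2" 'tolower($1)==tolower(k){print $2; exit}' "$1"
}

# demo: run the workaround against a constructed sshd_config and print the
# effective LoginGraceTime afterwards (expected: 0).
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
#LoginGraceTime 2m
Port 22
PermitRootLogin no
LoginGraceTime 120
Subsystem sftp /usr/libexec/sftp-server
EOF
    set_sshd_option "$cfg" LoginGraceTime 0
    get_sshd_option "$cfg" LoginGraceTime
    rm -f "$cfg"
}

# On a real FreeBSD host (path assumed), the equivalent would be:
#   set_sshd_option /etc/ssh/sshd_config LoginGraceTime 0
#   sshd -t && service sshd restart
#   sshd -T | grep -i '^logingracetime'    # should print: logingracetime 0
```

Run `demo` to see the result on the sample file. On a live system, `sshd -t` validates the edited configuration before the restart, and `sshd -T` prints the daemon's effective settings, which is the check that confirms the workaround actually took rather than trusting the file edit alone. Remember that with LoginGraceTime 0 half-open connections never expire, so the MaxStartups setting becomes the only backstop against an attacker holding connection slots open.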