On 2024-07-17 07:25, Bill Stewart via Cygwin wrote:
> On Wed, Jul 17, 2024 at 6:25 AM Lemons, Terry via Cygwin wrote:
>> Vulnerability scanners run at my company have detected the following
>> vulnerability in the Cygwin sshd:
>>
>> CVE-2024-6387    CVSS 3: 8.1
>>
>> OpenSSH could allow a remote attacker to execute arbitrary code on the
>> system, caused by a signal handler race condition. By sending a specially
>> crafted request, an attacker could exploit this vulnerability to execute
>> arbitrary code with root privileges on glibc-based Linux systems.
>>
>> OpenSSH Vulnerability: CVE-2024-6387
>>
>>    *   Published: 07- 1-24 00:00
>>    *   Diagnosis:
>>
>> A signal handler race condition was found in OpenSSH's server (sshd),
>> where a client does not authenticate within LoginGraceTime seconds (120 by
>> default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is
>> called asynchronously. However, this signal handler calls various functions
>> that are not async-signal-safe, for example, syslog().
>>
>>    *   Solution:
>>
>> Upgrade to the latest version of OpenSSH
>>
>> Download and apply the upgrade from:
>> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH
>>
>> The latest version of OpenSSH is 9.6.
>>
>> While you can always build OpenSSH from source, many platforms and
>> distributions provide pre-built binary packages for OpenSSH. These
>> pre-built packages are usually customized and optimized for a particular
>> distribution, therefore we recommend that you use the packages if they are
>> available for your operating system.
>>
>> Running SSH service
>> Product OpenSSH exists -- OpenBSD OpenSSH 9.8
>> Vulnerable version of product OpenSSH found -- OpenBSD OpenSSH 9.8
>> Vulnerable version of OpenSSH detected on Microsoft Windows
>>
>> My Cygwin installation is using openssh 9.8p1-1 which, at this writing, is
>> the latest available version.
>>
>> What are the plans to address this vulnerability in cygwin's openssh
>> component?


> I'm not sure I understand the concern. When I look at CVE-2024-6387[1], it
> says version 9.8 (which you are running) is not affected.
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2024-6387

This appears to be a not-so-good vulnerability scan product report, as it does not definitively point to the path and version considered vulnerable; it says *9.6* is the latest version, which would make it 6 months out of date; and if it is Cygwin 9.8p1 it is reporting on, regreSSHion is reported as an OpenSSH sshd RCE with a Linux glibc issue by the RH CNA against RH CPEs, which may have their own patches causing issues, and 9.8p1 should fix any issues.

It is more likely that it is detecting and reporting on the ancient Windows version:

$ llgo /proc/cygdrive/c/windows/system32/OpenSSH/
total 3.0M
-rwxr-x---+ 2 387K May 19  2021 moduli*
-rwxr-x---+ 2 301K May 19  2021 scp.exe*
-rwxr-x---+ 2 366K May 19  2021 sftp.exe*
-rwxr-x---+ 2 300K May 19  2021 sftp-server.exe*
-rwxr-x---+ 2 924K May 19  2021 ssh.exe*
-rwxr-x---+ 2 470K May 19  2021 ssh-add.exe*
-rwxr-x---+ 2 374K May 19  2021 ssh-agent.exe*
-rwxr-x---+ 2 985K May 19  2021 sshd.exe*
-rwxr-x---+ 2 2.3K May 19  2021 sshd_config_default*
-rwxr-x---+ 2 647K May 19  2021 ssh-keygen.exe*
-rwxr-x---+ 2 545K May 19  2021 ssh-keyscan.exe*
-rwxr-x---+ 2 148K May 19  2021 ssh-shellhost.exe*
$ /proc/cygdrive/c/windows/system32/OpenSSH/ssh -V
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2

unless that has been purged from your systems.

That NVD report has a bunch of links to RH issues irrelevant to the RCE.

--
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                -- Antoine de Saint-Exupéry

--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
