-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                 NetBSD Security Advisory 2024-002
                 =================================

Topic:          OpenSSH CVE-2024-6387 `regreSSHion'

Version:        NetBSD-current: affected prior to 2024-07-02
                NetBSD 10.0:    affected
                NetBSD 9.4:     affected
                pkgsrc:         affected prior to openssh-9.8p1

Severity:       Remote code execution in sshd(8)

Fixed:          NetBSD-current:         2024-07-01
                NetBSD-10 branch:       2024-07-01
                NetBSD-9 branch:        2024-07-01
                pkgsrc-current:         2024-07-01
                pkgsrc-2024Q2:          2024-07-02

Please note that NetBSD releases prior to 9.4 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

The sshd(8) login grace time expiry message is issued from signal
handler context, where it is not safe and may cause heap corruption,
potentially leading to remote code execution.

This vulnerability has been assigned CVE-2024-6387.  See
https://www.qualys.com/regresshion-cve-2024-6387/ for more information.


Technical Details
=================

The sshd(8) LoginGraceTime option sets the maximum time that sshd(8)
will wait for a new connection to authenticate, to mitigate denial of
service attacks.  If set to zero, there is no maximum time.  The option
is implemented in sshd(8) by a SIGALRM handler.

The SIGALRM handler logs a message with syslog_r(3), formatted to be
safe for terminals with strnvis(3).  Both of these library routines may
call malloc(3), which is not async-signal-safe.  If the SIGALRM is
delivered while another part of sshd(8) is interrupted during a
malloc(3) call (or a related function such as calloc(3) or free(3)),
this can corrupt malloc's internal data structures, which can lead to
remote code execution.


Solutions and Workarounds
=========================

Workaround:

Set LoginGraceTime 0 in the sshd_config(5) file.  This prevents the
heap corruption vulnerability.  However, it may allow denial of service
attacks against sshd(8) by clients that open connections and idle
forever without authenticating.
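The handler/main-loop split that the Technical Details section describes, as an added example that is neither NetBSD's nor OpenSSH's code and not the actual log.c patch: the unsafe handler logs directly from signal context, the safe one only stores a flag and leaves logging to the main loop, and `install_grace_alarm(0)` mirrors the `LoginGraceTime 0` workaround above. All function names here are made up for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdbool.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Written only by the handler, read by the main loop.  sig_atomic_t is the
 * one object type a handler may store to without risking a torn write. */
static volatile sig_atomic_t grace_expired = 0;

/* Unsafe shape, paraphrasing the pre-fix behaviour described above: the handler
 * logs itself, which may call malloc(3) while the interrupted code is inside
 * malloc(3).  Kept for contrast only; it is never installed. */
void grace_handler_unsafe(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication"); /* not async-signal-safe */
}

/* Safe shape: the handler does one atomic store and nothing else. */
static void grace_handler_safe(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* Arm the grace timer (hypothetical helper).  0 mirrors "LoginGraceTime 0". */
int install_grace_alarm(unsigned int login_grace_time)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_handler_safe;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGALRM, &sa, NULL) == -1)
        return -1;
    grace_expired = 0;
    if (login_grace_time > 0)       /* zero: no maximum time, no alarm */
        alarm(login_grace_time);
    return 0;
}

/* Polled by the main loop after select(2)/read(2) returns; logging happens
 * here, in ordinary context, where syslog(3) and malloc(3) are safe. */
bool grace_time_expired(void)
{
    if (!grace_expired)
        return false;
    syslog(LOG_INFO, "Timeout before authentication");
    return true;
}
```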
Alternative workaround:

Install security/openssh from pkgsrc and switch to the pkgsrc version.

To apply a fixed version from a releng build, fetch a fitting base.tgz
or base.tar.xz from nycdn.NetBSD.org and extract the fixed binaries:

        cd /var/tmp
        ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.SUFX
        cd /
        tar xzpf /var/tmp/base.SUFX /usr/lib/libssh.so.46.1

with the following replacements:

        REL  = the release version you are using
        BUILD = the source date of the build.  20240702* and later will fit
        ARCH = your system's architecture
        SUFX = tgz or tar.xz depending on architecture

The following instructions describe how to upgrade your OpenSSH
binaries by updating your source tree and rebuilding and installing a
new version of libssh.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2024-07-01
        should be upgraded to NetBSD-current dated 2024-07-02 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                crypto/external/bsd/openssh/dist/log.c

        To update from CVS, re-build, and re-install libssh:
                # cd src
                # cvs update -d -P crypto/external/bsd/openssh/dist
                # cd crypto/external/bsd/openssh/lib
                # make USETOOLS=no cleandir
                # make USETOOLS=no LIBDO.crypto=/usr/lib LIBDO.crypt=/usr/lib LIBDO.z=/usr/lib dependall
                # make USETOOLS=no install

        Make sure to restart sshd, e.g. by rebooting or running:
                # service sshd restart

* NetBSD 10.*:

        Systems running NetBSD 10.* sources dated from before 2024-07-01
        should be upgraded from NetBSD 10.* sources dated 2024-07-02 or
        later.
        The following files/directories need to be updated from the
        netbsd-10 branch:
                crypto/external/bsd/openssh/dist/log.c

        To update from CVS, re-build, and re-install libssh:
                # cd src
                # cvs update -r netbsd-10 -d -P crypto/external/bsd/openssh/dist
                # cd crypto/external/bsd/openssh/lib
                # make USETOOLS=no cleandir
                # make USETOOLS=no LIBDO.crypto=/usr/lib LIBDO.crypt=/usr/lib LIBDO.z=/usr/lib dependall
                # make USETOOLS=no install

        Make sure to restart sshd, e.g. by rebooting or running:
                # service sshd restart

* NetBSD 9.*:

        Systems running NetBSD 9.* sources dated from before 2024-07-01
        should be upgraded from NetBSD 9.* sources dated 2024-07-02 or
        later.

        The following files/directories need to be updated from the
        netbsd-9 branch:
                crypto/external/bsd/openssh/dist/log.c

        To update from CVS, re-build, and re-install libssh:
                # cd src
                # cvs update -r netbsd-9 -d -P crypto/external/bsd/openssh/dist
                # cd crypto/external/bsd/openssh/lib
                # make USETOOLS=no cleandir
                # make USETOOLS=no LIBDO.crypto=/usr/lib LIBDO.crypt=/usr/lib LIBDO.z=/usr/lib dependall
                # make USETOOLS=no install

        Make sure to restart sshd, e.g. by rebooting or running:
                # service sshd restart


Thanks To
=========


Revision History
================

2024-07-01      Initial release
2024-07-01      Fixed build instructions and netbsd-9 shlib version


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
  https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2024-002.txt.asc

Information about NetBSD and NetBSD security can be found at
  https://www.NetBSD.org/
  https://www.NetBSD.org/Security/


Copyright 2024, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2024-002.txt,v 1.4 2024/07/02 19:26:35 riastradh Exp $