The FreeBSD Project maintainers have released security updates to fix a high-severity vulnerability in OpenSSH that could allow attackers to remotely execute arbitrary code with elevated privileges.
This flaw, identified as CVE-2024-7589, has been assigned a CVSS score of 7.4 out of 10.0, classifying it as high severity.
“A signal handler in sshd(8) may invoke a logging function that is not async-signal-safe,” states an advisory published last week.
The signal handler is triggered when a client fails to authenticate within the default LoginGraceTime of 120 seconds. This handler operates within the context of sshd(8)’s privileged code, which is not sandboxed and runs with full root privileges.
OpenSSH is an implementation of the secure shell (SSH) protocol suite, providing encrypted and authenticated transport for various services, including remote shell access.
CVE-2024-7589 has been characterized as a continuation of the issue referred to as regreSSHion (CVE-2024-6387), which emerged early last month.
The maintainers explained, “The faulty code in this case stems from the integration of blacklistd into OpenSSH in FreeBSD.”
Due to the invocation of functions that are not async-signal-safe within the privileged sshd(8) context, a race condition exists that could be exploited by a determined attacker to achieve unauthenticated remote code execution as root.
FreeBSD users are strongly urged to update to a supported version and restart sshd to mitigate this risk.
For systems where updating sshd(8) is not feasible, the race condition can be addressed by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and restarting sshd(8). While this adjustment makes the daemon susceptible to denial-of-service attacks, it protects against remote code execution.
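A defender's check for the workaround described above, added here as an example and not code from the FreeBSD advisory or the article: a POSIX sh script that reads an sshd_config, reports the effective LoginGraceTime (falling back to the compiled-in default of 120 when the keyword is absent) and honours sshd's rule that the first value given for a keyword wins. The sample configuration files are constructed inline; the script does not follow Include directives.

```shell
#!/bin/sh
# Print the effective LoginGraceTime of an sshd_config file.
# sshd(8) takes the FIRST value given for a keyword; keywords are
# case-insensitive and may be separated from the value by spaces or '='.
# If the keyword never appears, the compiled-in default of 120 s applies.
effective_login_grace_time() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # skip comments and blank lines
        { gsub(/=/, " ") }                             # "Key=Val" -> "Key Val" (re-splits $1,$2)
        tolower($1) == "logingracetime" { print $2; found = 1; exit }
        END { if (!found) print "120" }
    ' "$1"
}

# Succeeds (exit 0) only when the CVE-2024-7589 workaround is in effect.
workaround_applied() {
    [ "$(effective_login_grace_time "$1")" = "0" ]
}

# Constructed sample configs (not real host files) covering the common cases.
TMPDIR_DEMO=$(mktemp -d)
SAMPLE_DEFAULT="$TMPDIR_DEMO/default.conf"     # keyword only in a comment -> default 120
SAMPLE_MITIGATED="$TMPDIR_DEMO/mitigated.conf" # workaround set with the '=' syntax
SAMPLE_APPENDED="$TMPDIR_DEMO/appended.conf"   # '0' appended AFTER an earlier value: ignored
printf '#LoginGraceTime 2m\nPermitRootLogin no\n' > "$SAMPLE_DEFAULT"
printf 'PermitRootLogin no\nlogingracetime = 0\n' > "$SAMPLE_MITIGATED"
printf 'LoginGraceTime 2m\nPermitRootLogin no\nLoginGraceTime 0\n' > "$SAMPLE_APPENDED"

for f in "$SAMPLE_DEFAULT" "$SAMPLE_MITIGATED" "$SAMPLE_APPENDED"; do
    if workaround_applied "$f"; then status="workaround applied"; else status="still exposed"; fi
    printf '%s: LoginGraceTime=%s (%s)\n' \
        "$(basename "$f")" "$(effective_login_grace_time "$f")" "$status"
done
```

On a live host, `sshd -T` prints the configuration the daemon actually loaded and is the authoritative check; the appended.conf case shows why simply appending `LoginGraceTime 0` to a file that already sets the keyword does not apply the workaround.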