How to fix OpenSSH vulnerability CVE-2024-6387?


A signal handler race condition was found in OpenSSH’s server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd’s SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog (). This vulnerability enables remote unauthenticated attackers to execute arbitrary code on the target server, presenting a severe risk to systems that run OpenSSH sshd servers for remote access.

Although the possibility of remote code execution, the complexity to achieve that is very high and time consuming due to the need of winning a race condition. If the attacker doesn’t achieve such a win, the most likely outcome is to have the sshd server crash, generating only the availability impact. To achieve the condition mentioned before a huge number of connections to the targeted server may be needed, which may eventually be easily noticed via network monitoring tools.

Affected OpenSSH Versions
(Versions before 4.4p1, Versions 8.5p1 to 9.8p1) 

How to check the OpenSSH version being run on server to see if it’s in vulnerable versions?

					#sshd –V 
OpenSSH_8.5p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022 
How to fix OpenSSH vulnerability CVE-2024-6387?
Step 1: Upgrade to OpenSSH version to 9.8

             If the OpenSSH upgrade is not available, go to step 2.

Step 2: The issue can be mitigated by setting the LoginGraceTime parameter to 0 in the sshd configuration file.

      Step 2.1: Edit the file /etc/ssh/sshd_config as the root user

					            vi /etc/ssh/sshd_config 

       Step 2.2: Set the parameter:  LoginGraceTime 0

					 LoginGraceTime 0 

      Step 2.3: SSHD configuration syntax check:   sshd -t

					sshd -t 

      Step 2.4: Restart the sshd daemon:  systemctl restart sshd.service

					          systemctl restart ssh 

      Step 2.5: Verify the change in sshd configuration the file /etc/ssh/sshd_config as the root user

					sshd -T|grep -i LoginGraceTime 
logingracetime 0 
Default OpenSSH version in different OS’s:

Find the OpenSSH version by running the command (sshd -V).


Ubuntu 24 

OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024 

Ubuntu 22 

OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022 

Ubuntu 20 

OpenSSH 8.2p1 

Ubuntu 18 

OpenSSH 7.6p1 

RockyLinux 9 / RHEL 9 / AlmaLinux 9 

OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022 

RockyLinux 8 / RHEL 8 / AlmaLinux 8 / CentOS 8 

OpenSSH_7.8p1, OpenSSL 1.1.1k FIPS 25 Mar 2021 

Debian 11 

OpenSSH 8.4 

Debian 10 

OpenSSH 7.9p1 

CentOS 7 

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 

Note :-

The sshd server will still be vulnerable to Denial-of-Service attacks due to the possibility of MaxStartups connection exhaustion, however it’ll be safe against possible remote code execution attacks. Therefore, It is recommended to  put the Ezeelogin gateway server behind a VPN or firewall to mitigate this.