A signal handler race condition was found in OpenSSH’s server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd’s SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog (). This vulnerability enables remote unauthenticated attackers to execute arbitrary code on the target server, presenting a severe risk to systems that run OpenSSH sshd servers for remote access.
Although the possibility of remote code execution, the complexity to achieve that is very high and time consuming due to the need of winning a race condition. If the attacker doesn’t achieve such a win, the most likely outcome is to have the sshd server crash, generating only the availability impact. To achieve the condition mentioned before a huge number of connections to the targeted server may be needed, which may eventually be easily noticed via network monitoring tools.
Affected OpenSSH Versions
(Versions before 4.4p1, Versions 8.5p1 to 9.8p1)
How to check the OpenSSH version being run on server to see if it’s in vulnerable versions?
#sshd –V
OpenSSH_8.5p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022
If the OpenSSH upgrade is not available, go to step 2.
Step 2: The issue can be mitigated by setting the LoginGraceTime parameter to 0 in the sshd configuration file.
LoginGraceTime :- It refers to the maximum amount of time a user has to successfully authenticate after initiating a connection to the SSH server. It’s an important configuration parameter for managing security and resource utilization on SSH servers. Configure the LoginGraceTime in the /etc/ssh/sshd_config file by specifying a duration in seconds. If LoginGraceTime is not explicitly set in the configuration file, the default value(around 120 seconds) might be used.
Step 2.1: Edit the file /etc/ssh/sshd_config as the root user
vi /etc/ssh/sshd_config
Step 2.2: Set the parameter: LoginGraceTime 0
LoginGraceTime 0
Step 2.3: SSHD configuration syntax check: sshd -t
sshd -t
Step 2.4: Restart the sshd daemon: systemctl restart sshd.service
systemctl restart ssh
Step 2.5: Verify the change in sshd configuration the file /etc/ssh/sshd_config as the root user
sshd -T|grep -i LoginGraceTime
logingracetime 0
Default OpenSSH version in different OS’s:
Find the OpenSSH version by running the command (sshd -V).
Ubuntu 24 |
OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024 |
Ubuntu 22 |
OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022 |
Ubuntu 20 |
OpenSSH 8.2p1 |
Ubuntu 18 |
OpenSSH 7.6p1 |
RockyLinux 9 / RHEL 9 / AlmaLinux 9 |
OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022 |
RockyLinux 8 / RHEL 8 / AlmaLinux 8 / CentOS 8 |
OpenSSH_7.8p1, OpenSSL 1.1.1k FIPS 25 Mar 2021 |
Debian 11 |
OpenSSH 8.4 |
Debian 10 |
OpenSSH 7.9p1 |
CentOS 7 |
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 |
Note :-
The sshd server will still be vulnerable to Denial-of-Service attacks due to the possibility of MaxStartups connection exhaustion, however it’ll be safe against possible remote code execution attacks. Therefore, It is recommended to put the Ezeelogin gateway server behind a VPN or firewall to mitigate this.