marcan , 2 days ago

OpenSSH CVE-2024-6387 mitigation (on Fedora):

echo 'OPTIONS=-e' | sudo tee -a /etc/sysconfig/sshd && sudo systemctl restart sshd

I have no idea why Qualys didn't mention this. The only non-async-safe function called by the vulnerable signal handler is syslog(). So just turn off syslog and log to stderr. On systemd distros, this still ends up in the journal anyway, so you lose nothing.

I confirmed that the message at the root of the issue is logged to stderr and not syslog with this option:

[pid 638194] --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---<br></br>[pid 638194] getpgid(0)                 = 638194<br></br>[pid 638194] getpid()                   = 638194<br></br>[pid 638194] rt_sigaction(SIGTERM, {sa_handler=SIG_IGN, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTART}, {sa_handler=SIG_DFL, sa_mask=~[KILL STOP RTMIN RT_1], sa_flags=SA_RESTART}, 8) = 0<br></br>[pid 638194] kill(0, SIGTERM)           = 0<br></br>[pid 638194] getpid()                   = 638194<br></br>[pid 638194] write(2, "Timeout before authentication for 192.168.21.10 port 37734rn", 60) = 60<br></br>[pid 638194] exit_group(1)              = ?<br></br>[pid 638194] +++ exited with 1 +++<br></br>

Edit: The problem code still calls snprintf() which on-paper is still unsafe. However, it does this a bunch of times anyway in multiple code paths, and Qualys didn't mention anything about it. A quick look through glibc code suggests that snprintf() only does unsafe things (allocate memory) if you format floats, which obviously ssh does not.