ISN 2024-17: OpenSSH Vulnerability
First published 03 July 2024
CVSS 3.1: 9.0 (Critical)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
A security vulnerability has been found in OpenSSH, the software that provides secure remote access to machines such as IGEL OS devices. This affects the following IGEL products:
IGEL OS 12
IGEL OS 11
Details
A signal handler race condition was found in OpenSSH. This could lead to unauthenticated remote code execution. The vulnerability is being tracked as CVE-2024-6387.
Mitigations
OpenSSH server functionality can be disabled by unchecking the profile setting System > Remote Access > SSH Access > Enable. Be aware that this disables SSH access to configured devices entirely.
Alternatively, the SSH server may be configured with LoginGraceTime = 0 by setting network.ssh_server.login_grace_time to 0 in the Registry. Note, however, that this makes a trivial Denial-of-Service (DoS) of SSH connections possible, because only one authentication attempt is accepted at a time.
Update Instructions
OS 12: Update to base system version 12.4.2 (expected July 18th)
OS 11: Update to IGEL OS 11.10.150 (expected July 11th)
References
OpenSSH project release notes: https://www.openssh.com/txt/release-9.8
Qualys Vulnerability write-up: qualys.com/2024/07/01/cve-2024-6387/regresshion.txt