Critical Alert: FreeBSD Issues Urgent Patch for Severe OpenSSH Vulnerability, here is a quick look

F5 BIG-IP Cookie

Critical Alert: FreeBSD Issues Urgent Patch for Severe OpenSSH Vulnerability, here is a quick look

The FreeBSD Project has released an urgent patch to address a high-severity vulnerability in OpenSSH. This flaw, identified as CVE-2024-7589, could allow attackers to execute arbitrary code remotely with elevated privileges. The vulnerability has a high CVSS score of 7.4 out of 10, indicating its severity.

18c77925c443e282ca4193691578a7968e5a2fc9d5c6b23c Critical Alert: FreeBSD Issues Urgent Patch for Severe OpenSSH Vulnerability, here is a quick look

Understanding the Vulnerability

The vulnerability stems from a signal handler in the SSH daemon (sshd) that may call logging functions that are not async-signal-safe. This signal handler is triggered when a client fails to authenticate within the default 120-second LoginGraceTime period. The issue arises because the signal handler, which manages such timeouts, inadvertently calls a logging function that is unsafe to execute in an asynchronous signal context.

Potential Impact

Critically, the vulnerable code executes in sshd’s privileged context with full root access. This creates a race condition that determined attackers could exploit to execute arbitrary code remotely. If exploited, this flaw could lead to full system compromise, allowing attackers to gain root access, install backdoors, exfiltrate data, or deploy malware.

Immediate Actions for Users

FreeBSD has released patches to address this vulnerability in the following versions:

  • 14.1-RELEASE-p3
  • 14.0-RELEASE-p9
  • 13.3-RELEASE-p5

System administrators are strongly advised to update their FreeBSD systems immediately. For those unable to update immediately, a temporary mitigation involves setting LoginGraceTime to 0 in the sshd configuration file. However, this workaround may leave systems vulnerable to denial-of-service attacks.

Broader Implications

This vulnerability highlights the ongoing importance of security audits and prompt patching, especially for critical infrastructure components like SSH servers. The discovery of this flaw underscores the need for continuous vigilance and proactive security measures to protect systems from potential exploitation.

FreeBSD users should prioritize applying the available security updates to safeguard their systems. By doing so, they can mitigate the risks associated with this high-severity vulnerability and ensure the security of their infrastructure.


You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it

Share this content:

Post Comment