
The FreeBSD Project disclosed a critical vulnerability in OpenSSH that could allow a determined attacker to execute arbitrary code remotely with root privileges, potentially compromising the entire system.
The vulnerability, tracked as CVE-2024-7589, stems from an issue with a signal handler in the sshd daemon. When a client fails to authenticate within the LoginGraceTime (120 seconds by default), a signal handler is invoked. Unfortunately, this signal handler may call a logging function that is not async-signal-safe, creating a potential race condition.
Since the sshd daemon runs with full root privileges and is not sandboxed, an attacker who successfully exploits this race condition could execute arbitrary code on the target system with root-level access. If exploited, this vulnerability could allow a determined attacker to gain complete control over a vulnerable FreeBSD system, leading to potentially severe consequences, including data theft, service disruption, and unauthorized access to critical infrastructure.
This issue is closely related to a previous vulnerability (CVE-2024-6387) that was addressed earlier in the year. In this case, the faulty code is linked to the integration of blacklistd in OpenSSH on FreeBSD, which introduced the unsafe signal handler.
For administrators unable to immediately update their FreeBSD systems, a temporary workaround is available.
By setting LoginGraceTime to 0 in the /etc/ssh/sshd_config file and restarting sshd, the race condition can be mitigated. However, this workaround comes with its own risk: it makes the system vulnerable to a denial-of-service attack in which all MaxStartups connections are exhausted.
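As an added example (not code from the FreeBSD advisory or from this article), the script below checks whether the LoginGraceTime workaround is actually in effect in a given sshd_config and reports the MaxStartups value that now bounds unauthenticated connections. The function names and the sample config are constructed for illustration, and it assumes Include directives are not followed.

```shell
#!/bin/sh
# Added example, not FreeBSD project code.

# Print the global value of KEYWORD in FILE, or DEFAULT if it is not set.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and "Key=value" is accepted. Lines after a "Match" line
# belong to that conditional block, so scanning stops there.
# Assumption: Include directives are not followed.
sshd_global_setting() {
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want) }
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { print $2; found = 1; exit }
        END { if (!found) print dflt }
    ' "$1"
}

# Return 0 when the workaround is active, 1 otherwise.
workaround_status() {
    # 120 is the default grace time stated in the article.
    grace=$(sshd_global_setting "$1" LoginGraceTime 120)
    starts=$(sshd_global_setting "$1" MaxStartups "sshd default")
    case "$grace" in
        0|0[sSmMhHdDwW])
            echo "workaround active: LoginGraceTime=$grace (no timeout)"
            echo "unauthenticated connections are limited only by MaxStartups=$starts"
            return 0 ;;
        *)
            echo "workaround NOT active: LoginGraceTime=$grace"
            return 1 ;;
    esac
}

# Demo on a constructed sample; pass a real path as $1 to check a live config.
if [ "$#" -gt 0 ]; then
    workaround_status "$1"
else
    sample=$(mktemp)
    printf '%s\n' '# constructed sample' 'Port 22' 'LoginGraceTime 0' \
        'MaxStartups 10:30:100' 'Match User backup' 'X11Forwarding no' > "$sample"
    workaround_status "$sample"
    rm -f "$sample"
fi
```

The check reads the file only; sshd must still be restarted for a changed value to take effect.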
The following FreeBSD versions have been updated to address CVE-2024-7589:
- FreeBSD OS 14.0
- FreeBSD OS 14.1
- FreeBSD OS 13.3
Once the upgrade is complete, administrators should restart sshd to apply the changes and ensure their systems are protected against potential exploitation.


