
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). The vulnerability, identified as CVE-2024-6409, affects OpenSSH versions 8.7p1 and 8.8p1 when running on Red Hat Enterprise Linux 9 systems. The issue was discovered in July 2024 and publicly disclosed on July 8, 2024 (OpenWall, NVD).
The vulnerability occurs when a client fails to authenticate within the LoginGraceTime period (120 seconds by default, 600 seconds in older OpenSSH versions). In this scenario, sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe, such as syslog(). This creates a race condition in the cleanup_exit() function within the child process of the sshd server. The issue is specifically related to the openssh-7.6p1-audit.patch found in Red Hat's package of OpenSSH, which adds code to cleanup_exit() that exposes the vulnerability (OpenWall). The vulnerability has been assigned a CVSS v3.1 base score of 7.0 (HIGH) (Red Hat).
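The bug class described above, as an added C example (not sshd or Red Hat code): a SIGALRM handler that calls syslog() next to a form that only sets a flag and defers logging to normal context. All function and variable names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Hypothetical names throughout; this is a constructed illustration. */
volatile sig_atomic_t grace_expired = 0;

/* UNSAFE: syslog() is not async-signal-safe. If SIGALRM interrupts code
 * that is itself inside malloc() or syslog(), the handler re-enters them
 * on inconsistent state. Shown for contrast; never installed below. */
void unsafe_grace_handler(int sig) {
    (void)sig;
    syslog(LOG_INFO, "grace time expired");
    _exit(1);
}

/* SAFE: the handler only writes a sig_atomic_t flag. */
void safe_grace_handler(int sig) {
    (void)sig;
    grace_expired = 1;
}

/* Stand-in for a pre-auth child. Returns 1 on timeout, 0 when no timer is
 * armed (grace_seconds == 0, i.e. no time limit), -1 on setup error. */
int wait_for_auth(unsigned grace_seconds) {
    struct sigaction sa;
    sigset_t block, old;

    if (grace_seconds == 0) return 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_grace_handler;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGALRM, &sa, NULL) != 0) return -1;

    /* Block SIGALRM so it is delivered only inside sigsuspend(); this
     * closes the window between testing the flag and sleeping. */
    sigemptyset(&block);
    sigaddset(&block, SIGALRM);
    if (sigprocmask(SIG_BLOCK, &block, &old) != 0) return -1;
    grace_expired = 0;
    alarm(grace_seconds);
    while (!grace_expired)
        sigsuspend(&old);          /* a real server reads packets here */
    sigprocmask(SIG_SETMASK, &old, NULL);

    syslog(LOG_INFO, "grace time expired");  /* normal context: safe */
    return 1;
}

int main(void) { return wait_for_auth(1) == 1 ? 0 : 1; }
```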
In the worst-case scenario, a successful exploitation of this vulnerability could allow an attacker to perform remote code execution (RCE) as an unprivileged user running the sshd server. The impact is somewhat limited compared to CVE-2024-6387 as the race condition and RCE potential are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process (OpenWall).
The primary mitigation is to update to the fixed versions of OpenSSH packages. For Red Hat Enterprise Linux 9, the fix is available in version 8.7p1-38.el9_4.4 (Red Hat). As a temporary workaround, administrators can set 'LoginGraceTime 0' in /etc/ssh/sshd_config and restart the sshd service, though this may make the SSH server more susceptible to denial of service attacks (Rocky Linux).
The vulnerability disclosure led to discussions about CVE assignment practices and accuracy. OpenSSH developer Damien Miller expressed concern about the CVE description not clearly indicating that this was specific to Red Hat versions and users of their downstream patch. This resulted in updates to the CVE description to better reflect the affected systems (OpenWall).
Source: This report was generated using AI