| www.delorie.com/archives/browse.cgi | search |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 delorie.com 46HGlrlS472865 |
| Authentication-Results: | delorie.com; |
| dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=gn5zR71z | |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 sourceware.org 4DFB5386076C |
| DKIM-Signature: | v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; |
| s=default; t=1721234871; | |
| bh=k/LIHHAaXbcYz39BnVFCtZgypiA1zWawxgtb6eQ/BTA=; | |
| h=Date:Subject:To:References:In-Reply-To:List-Id:List-Unsubscribe: | |
| List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: | |
| From; | |
| b=gn5zR71zbYpJvR/g4ww+GyRjQ/QtOq9LHyvPttn6ZAEo946Py0gJWO4y8zewNO6qQ | |
| JlPTwZkAvKoiE1H6vN8NIJdoswg5Wz8lmc/kLDGaiw+Ob9wjO5rR2Wp3ppsOa4mpS1 | |
| WKVVEF4Iw5yeyEWncwezoAwcaPfj/g0ah6GhmI2o= | |
| X-Original-To: | cygwin AT cygwin DOT com |
| Delivered-To: | cygwin AT cygwin DOT com |
| DMARC-Filter: | OpenDMARC Filter v1.4.2 sourceware.org E1C923858288 |
| ARC-Filter: | OpenARC Filter v1.0.0 sourceware.org E1C923858288 |
| ARC-Seal: | i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1721234813; cv=none; |
| b=tAe0Z0Q1bnAhmCFpeDQgAAmNcw05u2KWWZzt84y1wnPMxRQeS0zEOceEY0jiWpxCHxrfxAzVmK/zJBncY31wMsc0bLw0bkbAZBT45zqjBw8ysj0TM2rgekcCCfmDGruaEXUnHcjFQM8e8EMTw97ER3UyusF6nsctkknBnlOKRoU= | |
| ARC-Message-Signature: | i=1; a=rsa-sha256; d=sourceware.org; s=key; |
| t=1721234813; c=relaxed/simple; | |
| bh=Vl1SuI4QQo72MNoNmUAEkXYgso/KMKpbzeNC7o3UXAw=; | |
| h=Message-ID:Date:MIME-Version:Subject:To:From; | |
| b=EzcEjSCbTFXFUmysdzuQxOwW4JpdOMjurut/i5rbZ8jx1y+uS1av0VIZpfCymLT5KHBDiR4+X/MqT55+zIYUzt5g2kByczXO6LcX6CSO+Y+U4trxeHnPBEUt/YgA9FRwplrIDX2hxv6ggukAfz5xBFSr2L4o4iBU2dHHjgUq8uk= | |
| ARC-Authentication-Results: | i=1; server2.sourceware.org |
| Message-ID: | <188ed7a8-b8ad-4dc1-913c-708312b2771f@SystematicSW.ab.ca> |
| Date: | Wed, 17 Jul 2024 10:46:47 -0600 |
| MIME-Version: | 1.0 |
| User-Agent: | Mozilla Thunderbird |
| Subject: | Re: ssh vulnerability CVE-2024-6387 |
| To: | cygwin AT cygwin DOT com |
| References: | <LV2PR19MB57671F587EAAF01EAB42666DE4A32 AT LV2PR19MB5767 DOT namprd19 DOT prod DOT outlook DOT com> |
| <CANV9t=RcpX8KCc-7krkLCGtxijXgmOFim3pExvz2tBnzTojLWw AT mail DOT gmail DOT com> | |
| Organization: | Systematic Software |
| In-Reply-To: | <CANV9t=RcpX8KCc-7krkLCGtxijXgmOFim3pExvz2tBnzTojLWw@mail.gmail.com> |
| X-Rspamd-Queue-Id: | 0215C32 |
| X-Spam-Status: | No, score=-1.7 required=5.0 tests=BAYES_00, KAM_DMARC_STATUS, |
| KAM_NUMSUBJECT, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H5, RCVD_IN_MSPIKE_WL, | |
| SPF_HELO_PASS, SPF_PASS, TXREP, | |
| UNPARSEABLE_RELAY autolearn=no autolearn_force=no version=3.4.6 | |
| X-Stat-Signature: | zhaawd63axb4no3k4t3h78rnyo7qpc5i |
| X-Rspamd-Server: | rspamout08 |
| X-Session-Marker: | 427269616E2E496E676C69734053797374656D6174696353572E61622E6361 |
| X-Session-ID: | U2FsdGVkX1/xlLA1rWwDZF5b/QiR9z4f9wYWY5huHtM= |
| X-HE-Tag: | 1721234808-60436 |
| X-HE-Meta: | U2FsdGVkX1+F04rmOYeuHquqyVmOiwBjwxlwlTVv17B9L/4pkTagsg9AoP2SN4vpSLlENSByfqXzGp/l/QNwVXrkMUuoO+GYROUorW5EbtuXkeeUTg8QmoNxvFhnaRxb7PlfOSW1qKboxvDdIPfSL0apjjGcuKHvjGzagsElpzPWDBYwFWsKZ8Kq+4hlnYihb/2D45/crSvL7xepiahZJxQC0Tc0Gy7znMDe7s4QSJ7FsY/D8WFLR1vWEpdRRkRIJMFIwIGwr3fQYoa+9ex0U5PDVeQN5YwX+MNqwzayKs8Tdx6B/OuGRAJ5QNWItEh72sObjwsZSp0Om66yWrwbtNQLtBBgpY0B4+ykt0ZaT/6dz5L5JHwe7VGfCP6jih868Nt3iNZBploSeifPcFGiprvFit8GNZCTQ/CiqjIpU+aQamaw/dCxUrEc3lJ6autIpHBxnDHPFsjzV1EsJKLsOg== |
| X-Spam-Checker-Version: | SpamAssassin 3.4.6 (2021-04-09) on |
| server2.sourceware.org | |
| X-BeenThere: | cygwin AT cygwin DOT com |
| X-Mailman-Version: | 2.1.30 |
| List-Id: | General Cygwin discussions and problem reports <cygwin.cygwin.com> |
| List-Unsubscribe: | <https://cygwin.com/mailman/options/cygwin>, |
| <mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe> | |
| List-Archive: | <https://cygwin.com/pipermail/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-request AT cygwin DOT com?subject=help> |
| List-Subscribe: | <https://cygwin.com/mailman/listinfo/cygwin>, |
| <mailto:cygwin-request AT cygwin DOT com?subject=subscribe> | |
| From: | Brian Inglis via Cygwin <cygwin AT cygwin DOT com> |
| Reply-To: | cygwin AT cygwin DOT com |
| Cc: | Brian Inglis <Brian DOT Inglis AT SystematicSW DOT ab DOT ca> |
| Errors-To: | cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com |
| Sender: | "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com> |
| X-MIME-Autoconverted: | from base64 to 8bit by delorie.com id 46HGlrlS472865 |
On 2024-07-17 07:25, Bill Stewart via Cygwin wrote:
> On Wed, Jul 17, 2024 at 6:25 AM Lemons, Terry via Cygwin wrote:
> Vulnerability scanners run at my company have detected the following
>> vulnerability in the Cygwin sshd:
>>
>> CVE-2024-6387 CVSS 3: 8.1
>>
>> OpenSSH could allow a remote attacker to execute arbitrary code on the
>> system, caused by a signal handler race condition. By sending a specially
>> crafted request, an attacker could exploit this vulnerability to execute
>> arbitrary code with root privileges on glibc-based Linux systems.
>>
>> OpenSSH Vulnerability: CVE-2024-6387
>>
>> * Published: 07- 1-24 00:00
>> * Diagnosis:
>>
>> A signal handler race condition was found in OpenSSH's server (sshd),
>> where a client does not authenticate within LoginGraceTime seconds (120 by
>> default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is
>> called asynchronously. However, this signal handler calls various functions
>> that are not async-signal-safe, for example, syslog().
>>
>> * Solution:
>>
>> Upgrade to the latest version of OpenSSH
>>
>> Download and apply the upgrade from:
>> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH
>>
>> The latest version of OpenSSH is 9.6.
>>
>> While you can always build OpenSSH from source, many platforms and
>> distributions provide pre-built binary packages for OpenSSH. These
>> pre-built packages are usually customized and optimized for a particular
>> distribution, therefore we recommend that you use the packages if they are
>> available for your operating system.
>>
>> Running SSH service
>> Product OpenSSH exists -- OpenBSD OpenSSH 9.8
>> Vulnerable version of product OpenSSH found -- OpenBSD OpenSSH 9.8
>> Vulnerable version of OpenSSH detected on Microsoft Windows
>>
>> My Cygwin installation is using openssh 9.8p1-1 which, at this writing, is
>> the latest available version.
>>
>> What are the plans to address this vulnerability in cygwin's openssh
>> component?
>>
>
> I'm not sure I understand the concern. When I look at CVE-2024-6387[1], it
> says version 9.8 (which you are running) is not affected.
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2024-6387
This appears to be a not so good vulnerability scan product report, as it does
not definitively point to the path and version considered vulnerable, it says
*9.6* is the latest version, which would make it 6 months out of date, and if it
is Cygwin 9.8p1 it is reporting on, regreSSHion is reported as an OpenSSH sshd
RCE with Linux glibc issue by RH CNA against RH CPEs which may have their own
patches causing issues, and 9.8p1 should fix any issues.
It is more likely it may be detecting and reporting on Windows ancient version:
$ llgo /proc/cygdrive/c/windows/system32/OpenSSH/
total 3.0M
-rwxr-x---+ 2 387K May 19 2021 moduli*
-rwxr-x---+ 2 301K May 19 2021 scp.exe*
-rwxr-x---+ 2 366K May 19 2021 sftp.exe*
-rwxr-x---+ 2 300K May 19 2021 sftp-server.exe*
-rwxr-x---+ 2 924K May 19 2021 ssh.exe*
-rwxr-x---+ 2 470K May 19 2021 ssh-add.exe*
-rwxr-x---+ 2 374K May 19 2021 ssh-agent.exe*
-rwxr-x---+ 2 985K May 19 2021 sshd.exe*
-rwxr-x---+ 2 2.3K May 19 2021 sshd_config_default*
-rwxr-x---+ 2 647K May 19 2021 ssh-keygen.exe*
-rwxr-x---+ 2 545K May 19 2021 ssh-keyscan.exe*
-rwxr-x---+ 2 148K May 19 2021 ssh-shellhost.exe*
$ /proc/cygdrive/c/windows/system32/OpenSSH/ssh -V
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
unless that has been purged from your systems.
That NVD report has a bunch of links to RH issues irrelevant to the RCE.
--
Take care. Thanks, Brian Inglis Calgary, Alberta, Canada
La perfection est atteinte Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer but when there is no more to cut
-- Antoine de Saint-Exupéry
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |