FreeBSD releases new patch for regreSSHion-related RCE flaw

FreeBSD warned users last week that an additional patch is needed to fix the OpenSSH vulnerability known as “regreSSHion,” which was first addressed in early July.

FreeBSD, an open-source Unix-based operating system, uses OpenSSH to implement the Secure Shell Protocol (SSH) for services such as remote shell access.

On July 1, the Qualys Threat Research Unit disclosed a high-severity vulnerability in OpenSSH that could lead to remote code execution (RCE) with root privileges. The flaw, tracked as CVE-2024-6387, affected more than 14 million internet-exposed instances across various Linux and Unix-based systems.  

FreeBSD first addressed CVE-2024-6387 with updates to stable versions 13 and 14, and release engineering (releng) versions 13.2, 13.3, 14.0 and 14.1 on July 1, but later discovered another version of the flaw resulting from its integration of the blacklistd daemon with OpenSSH.

This version of the flaw, disclosed Aug. 7 and tracked as CVE-2024-7589, poses the same RCE risk as the original regreSSHion flaw and requires additional updates to stable versions 13 and 14, and releng versions 13.3, 14.0 and 14.1.  

Detailed instructions for applying the necessary patches are available in the latest advisory.

If immediate patching is not possible, users can prevent RCE by setting the LoginGraceTime to 0 in /etc/ssh/sshd_config and restarting sshd(8). This workaround leaves instances vulnerable to denial of service, but prevents attackers from exploiting the flaw to perform RCE with root privileges.

‘RegreSSHion’ flaw stems from faulty implementation of logging function

Both versions of the regreSSHion flaw can result in a race condition due to the calling of a logging function by a signal handler in sshd(8) that is not async-signal-safe. This logging function is called when a client fails to authenticate to the server within the LoginGraceTime, which is set to 120 seconds by default.

Because this logging function cannot be safely called by the signal handler, a race condition error occurs that “a determined attacker may be able to exploit to allow an unauthenticated remote code execution as root,” according to the FreeBSD advisory.

Unauthorized code could be executed as root due to the affected signal handler executing within the context of sshd(8)’s code, which runs with full root privileges and is not sandboxed.

The flaw was dubbed “regreSSHion” by Qualys due to the fact that flaw originally appeared in 2006, when it was tracked as CVE-2006-5051, and was later reintroduced into OpenSSH after an October 2020 update.

Widespread use of OpenSSH for SSH implementation resulted in a wide exposure of Linux distributions and other Unix-based systems; Cisco found in early July that 42 of its products were affected by the flaw, with nearly 40 more products added to the list of vulnerable products in subsequent updates.  

Another high-severity regreSSHion-related flaw, tracked as CVE-2024-6409, was discovered in OpenSSH a week after CVE-2024-6387 was announced, which can also lead to RCE due to a race condition error but involves a child process that does not have the same root privileges as sshd(8).