Mail Archives: cygwin/2024/07/17/08:26:01

To: "cygwin AT cygwin DOT com" <cygwin AT cygwin DOT com>
Subject: ssh vulnerability CVE-2024-6387
Thread-Topic: ssh vulnerability CVE-2024-6387
Thread-Index: AdrYQ5BT/pS9gsGXSGGbQqL911CG0Q==
Date: Wed, 17 Jul 2024 12:25:14 +0000
Message-ID: <LV2PR19MB57671F587EAAF01EAB42666DE4A32@LV2PR19MB5767.namprd19.prod.outlook.com>
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: "Lemons, Terry via Cygwin" <cygwin AT cygwin DOT com>
Reply-To: "Lemons, Terry" <Terry DOT Lemons AT dell DOT com>
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>

Hi

Vulnerability scanners run at my company have detected the following vulnerability in the Cygwin sshd:

CVE-2024-6387    CVSS 3: 8.1    <https://dellinclabs.kennasecurity.com/vulnerabilities/341847636>

OpenSSH could allow a remote attacker to execute arbitrary code on the system, caused by a signal handler race condition. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code with root privileges on glibc-based Linux systems.

OpenSSH Vulnerability: CVE-2024-6387

  *   Published: 07- 1-24 00:00
  *   Diagnosis:

A signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog().

  *   Solution:

Upgrade to the latest version of OpenSSH

Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH

The latest version of OpenSSH is 9.6.

While you can always build OpenSSH from source <http://www.openssh.com/portable.html>, many platforms and distributions provide pre-built binary packages for OpenSSH. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

Running SSH service
Product OpenSSH exists -- OpenBSD OpenSSH 9.8
Vulnerable version of product OpenSSH found -- OpenBSD OpenSSH 9.8
Vulnerable version of OpenSSH detected on Microsoft Windows

My Cygwin installation is using openssh 9.8p1-1 which, at this writing, is the latest available version.

What are the plans to address this vulnerability in cygwin's openssh component?

Thanks
tl



Terry Lemons
Senior Principal Software Engineer, Dell EMC
Dell Technologies | Data Management
Terry DOT Lemons AT dell DOT com



Internal Use - Confidential

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
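The diagnosis pasted in the post above turns on one point: a SIGALRM handler that calls a function such as syslog() which is not async-signal-safe. The following C program is an added illustration of that point, not code from the post, from OpenSSH, or from the Cygwin package. It shows the unsafe handler shape the diagnosis describes next to the async-signal-safe pattern (the handler only stores to a `volatile sig_atomic_t` flag and the main program does the logging afterwards). Everything in it is constructed: the function names `unsafe_grace_alarm_handler`, `safe_grace_alarm_handler`, `install_grace_handler` and `wait_for_auth_or_timeout`, the `grace_expired` flag, and the use of raise() instead of a real alarm() so that the run is deterministic.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Constructed illustration of async-signal-safety; not OpenSSH's code. */

/* The shape the diagnosis describes: a SIGALRM handler that calls
 * syslog(). syslog() is not async-signal-safe: it may take a lock or
 * call malloc(), so if the alarm interrupts the main program while it is
 * already inside malloc()/free()/syslog(), the handler re-enters that
 * code on top of a half-updated state. Shown for contrast only; the demo
 * below never installs it. */
void unsafe_grace_alarm_handler(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication"); /* not signal-safe */
    _exit(1);
}

static volatile sig_atomic_t grace_expired = 0;

/* Hardened shape: the handler only stores to a sig_atomic_t flag, which is
 * what C guarantees is safe to touch from a handler. Logging and cleanup
 * are deferred to ordinary program context. */
void safe_grace_alarm_handler(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* Install the safe handler with sigaction(). No SA_RESTART: a blocking
 * read() in the main loop returns EINTR instead of resuming, so the loop
 * gets a chance to check the flag. Returns 0 on success. */
int install_grace_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_grace_alarm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Model of the login-grace wait. A real daemon would call
 * alarm(grace_seconds) and block reading the client's authentication
 * messages; to keep this demo deterministic, simulate_timeout delivers
 * SIGALRM synchronously with raise() instead of waiting.
 * Returns 1 if the grace period expired, 0 if "authentication" completed,
 * -1 if the handler could not be installed. */
int wait_for_auth_or_timeout(int simulate_timeout)
{
    grace_expired = 0;
    if (install_grace_handler() != 0)
        return -1;
    if (simulate_timeout)
        raise(SIGALRM);          /* handler runs, sets the flag, returns */
    /* Back in normal context: logging is legal here. This is where the
     * work the unsafe handler did inside the signal context belongs. */
    if (grace_expired) {
        fprintf(stderr, "login grace time exceeded; closing connection\n");
        return 1;
    }
    return 0;
}

int main(void)
{
    printf("timeout path   -> %d\n", wait_for_auth_or_timeout(1));
    printf("auth completed -> %d\n", wait_for_auth_or_timeout(0));
    return 0;
}
```

The design choice worth noting for anyone reviewing a daemon's handlers: the handler body should contain nothing but a store to a `sig_atomic_t` (or, if the process must die immediately, a direct `_exit()`), and every call that allocates, locks or formats is moved to the code that observes the flag.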
