Mail Archives: cygwin/2024/07/17/12:47:54

Message-ID: <188ed7a8-b8ad-4dc1-913c-708312b2771f@SystematicSW.ab.ca>
Date: Wed, 17 Jul 2024 10:46:47 -0600
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: ssh vulnerability CVE-2024-6387
To: cygwin AT cygwin DOT com
References: <LV2PR19MB57671F587EAAF01EAB42666DE4A32 AT LV2PR19MB5767 DOT namprd19 DOT prod DOT outlook DOT com>
<CANV9t=RcpX8KCc-7krkLCGtxijXgmOFim3pExvz2tBnzTojLWw AT mail DOT gmail DOT com>
Organization: Systematic Software
In-Reply-To: <CANV9t=RcpX8KCc-7krkLCGtxijXgmOFim3pExvz2tBnzTojLWw@mail.gmail.com>
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Brian Inglis via Cygwin <cygwin AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
Cc: Brian Inglis <Brian DOT Inglis AT SystematicSW DOT ab DOT ca>

On 2024-07-17 07:25, Bill Stewart via Cygwin wrote:
> On Wed, Jul 17, 2024 at 6:25 AM Lemons, Terry via Cygwin wrote:
>> Vulnerability scanners run at my company have detected the following
>> vulnerability in the Cygwin sshd:
>>
>> CVE-2024-6387    CVSS 3: 8.1
>>
>> OpenSSH could allow a remote attacker to execute arbitrary code on the
>> system, caused by a signal handler race condition. By sending a specially
>> crafted request, an attacker could exploit this vulnerability to execute
>> arbitrary code with root privileges on glibc-based Linux systems.
>>
>> OpenSSH Vulnerability: CVE-2024-6387
>>
>>    *   Published: 07- 1-24 00:00
>>    *   Diagnosis:
>>
>> A signal handler race condition was found in OpenSSH's server (sshd),
>> where a client does not authenticate within LoginGraceTime seconds (120 by
>> default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is
>> called asynchronously. However, this signal handler calls various functions
>> that are not async-signal-safe, for example, syslog().
>>
>>    *   Solution:
>>
>> Upgrade to the latest version of OpenSSH
>>
>> Download and apply the upgrade from:
>> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH
>>
>> The latest version of OpenSSH is 9.6.
>>
>> While you can always build OpenSSH from source, many platforms and
>> distributions provide pre-built binary packages for OpenSSH. These
>> pre-built packages are usually customized and optimized for a particular
>> distribution, therefore we recommend that you use the packages if they are
>> available for your operating system.
>>
>> Running SSH service
>> Product OpenSSH exists -- OpenBSD OpenSSH 9.8
>> Vulnerable version of product OpenSSH found -- OpenBSD OpenSSH 9.8
>> Vulnerable version of OpenSSH detected on Microsoft Windows
>>
>> My Cygwin installation is using openssh 9.8p1-1 which, at this writing, is
>> the latest available version.
>>
>> What are the plans to address this vulnerability in cygwin's openssh
>> component?
>>
> 
> I'm not sure I understand the concern. When I look at CVE-2024-6387[1], it
> says version 9.8 (which you are running) is not affected.
> 
> [1] https://nvd.nist.gov/vuln/detail/CVE-2024-6387

This appears to be a not-so-good vulnerability scan product report: it does 
not definitively point to the path and version considered vulnerable; it says 
*9.6* is the latest version, which would make it 6 months out of date; and if it 
is Cygwin 9.8p1 it is reporting on, regreSSHion is reported as an OpenSSH sshd 
RCE with a Linux glibc issue by the RH CNA against RH CPEs, which may have their 
own patches causing issues, and 9.8p1 should fix any issues.

It is more likely that it is detecting and reporting on the ancient Windows version:

$ llgo /proc/cygdrive/c/windows/system32/OpenSSH/
total 3.0M
-rwxr-x---+ 2 387K May 19  2021 moduli*
-rwxr-x---+ 2 301K May 19  2021 scp.exe*
-rwxr-x---+ 2 366K May 19  2021 sftp.exe*
-rwxr-x---+ 2 300K May 19  2021 sftp-server.exe*
-rwxr-x---+ 2 924K May 19  2021 ssh.exe*
-rwxr-x---+ 2 470K May 19  2021 ssh-add.exe*
-rwxr-x---+ 2 374K May 19  2021 ssh-agent.exe*
-rwxr-x---+ 2 985K May 19  2021 sshd.exe*
-rwxr-x---+ 2 2.3K May 19  2021 sshd_config_default*
-rwxr-x---+ 2 647K May 19  2021 ssh-keygen.exe*
-rwxr-x---+ 2 545K May 19  2021 ssh-keyscan.exe*
-rwxr-x---+ 2 148K May 19  2021 ssh-shellhost.exe*
$ /proc/cygdrive/c/windows/system32/OpenSSH/ssh -V
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2

unless that has been purged from your systems.

That NVD report has a bunch of links to RH issues irrelevant to the RCE.

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                 -- Antoine de Saint-Exupéry

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
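As an added defender's check, not code from the thread or from the Cygwin or OpenSSH projects: a POSIX sh script that fingerprints every ssh binary a scanner might see on a Cygwin-on-Windows host and classifies each `ssh -V` banner against the CVE-2024-6387 affected ranges from the upstream regreSSHion advisory. The system32 path is the one from the listing above; the Cygwin path `/usr/bin/ssh` is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Affected ranges for CVE-2024-6387 per the
# upstream advisory (exploitation was demonstrated on glibc-based Linux; the
# version range alone says nothing about the platform):
#   older than 4.4p1      affected (unless patched for CVE-2006-5051/CVE-2008-4109)
#   4.4p1 up to 8.4p1     not affected
#   8.5p1 up to 9.7p1     affected
#   9.8p1 and later       fixed
# Every boundary falls on the first portable release of a minor version, so the
# "pN" patch level never changes the answer and only major.minor is compared.

# Print "MAJOR MINOR" from a banner such as "OpenSSH_9.8p1, OpenSSL 3.0.13" or
# "OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2"; fail if it is not an OpenSSH banner.
openssh_major_minor() {
    printf '%s\n' "$1" \
      | sed -n 's/^OpenSSH_\(for_Windows_\)*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2 \3/p' \
      | grep .
}

# Map a banner to one of: affected, not-affected, fixed, unknown.
regresshion_status() {
    mm=$(openssh_major_minor "$1") || { echo unknown; return 0; }
    set -- $mm
    key=$(( $1 * 100 + $2 ))
    if   [ "$key" -lt 404 ]; then echo affected
    elif [ "$key" -lt 805 ]; then echo not-affected
    elif [ "$key" -lt 908 ]; then echo affected
    else                          echo fixed
    fi
}

# Walk the ssh binaries a scanner might fingerprint on a Cygwin-on-Windows host:
# Cygwin's own (assumed path) and the in-box Windows OpenSSH under system32
# (path from the thread). Output lines are "<status> <path> <banner>";
# `ssh -V` writes its banner to stderr, hence the redirect.
report_installed_ssh() {
    for bin in /usr/bin/ssh /proc/cygdrive/c/windows/system32/OpenSSH/ssh.exe; do
        [ -x "$bin" ] || continue
        banner=$("$bin" -V 2>&1)
        echo "$(regresshion_status "$banner") $bin $banner"
    done
}

report_installed_ssh
```

A "not-affected" or "fixed" result for every path, with a scanner still flagging the host, points at a scanner signature problem rather than a missing patch.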
