From: Brian Inglis via Cygwin
Reply-To: cygwin AT cygwin DOT com
To: cygwin AT cygwin DOT com
Cc: Brian Inglis
Date: Wed, 17 Jul 2024 10:46:47 -0600
Subject: Re: ssh vulnerability CVE-2024-6387
Message-ID: <188ed7a8-b8ad-4dc1-913c-708312b2771f@SystematicSW.ab.ca>
List-Id: General Cygwin discussions and problem reports

On 2024-07-17 07:25, Bill Stewart via Cygwin wrote:
> On Wed, Jul 17, 2024 at 6:25 AM Lemons, Terry via Cygwin wrote:
>> Vulnerability scanners run at my company have detected the following
>> vulnerability in the Cygwin sshd:
>>
>> CVE-2024-6387 CVSS 3: 8.1
>>
>> OpenSSH could allow a remote attacker to execute arbitrary code on the
>> system, caused by a signal handler race condition. By sending a specially
>> crafted request, an attacker could exploit this vulnerability to execute
>> arbitrary code with root privileges on glibc-based Linux systems.
>>
>> OpenSSH Vulnerability: CVE-2024-6387
>>
>> * Published: 07- 1-24 00:00
>> * Diagnosis:
>>
>> A signal handler race condition was found in OpenSSH's server (sshd),
>> where a client does not authenticate within LoginGraceTime seconds (120 by
>> default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is
>> called asynchronously. However, this signal handler calls various functions
>> that are not async-signal-safe, for example, syslog().
>>
>> * Solution:
>>
>> Upgrade to the latest version of OpenSSH
>>
>> Download and apply the upgrade from:
>> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH
>>
>> The latest version of OpenSSH is 9.6.
>>
>> While you can always build OpenSSH from source, many platforms and
>> distributions provide pre-built binary packages for OpenSSH. These
>> pre-built packages are usually customized and optimized for a particular
>> distribution, therefore we recommend that you use the packages if they are
>> available for your operating system.
>>
>> Running SSH service
>> Product OpenSSH exists -- OpenBSD OpenSSH 9.8
>> Vulnerable version of product OpenSSH found -- OpenBSD OpenSSH 9.8
>> Vulnerable version of OpenSSH detected on Microsoft Windows
>>
>> My Cygwin installation is using openssh 9.8p1-1 which, at this writing, is
>> the latest available version.
>>
>> What are the plans to address this vulnerability in cygwin's openssh
>> component?
>
> I'm not sure I understand the concern. When I look at CVE-2024-6387[1], it
> says version 9.8 (which you are running) is not affected.
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2024-6387

This appears to be a not so good vulnerability scan product report, as it
does not definitively point to the path and version considered vulnerable,
it says *9.6* is the latest version, which would make it 6 months out of
date, and if it is Cygwin 9.8p1 it is reporting on, regreSSHion is reported
as an OpenSSH sshd RCE with Linux glibc issue by RH CNA against RH CPEs
which may have their own patches causing issues, and 9.8p1 should fix any
issues.

It is more likely it may be detecting and reporting on Windows ancient
version:

$ llgo /proc/cygdrive/c/windows/system32/OpenSSH/
total 3.0M
-rwxr-x---+ 2 387K May 19  2021 moduli*
-rwxr-x---+ 2 301K May 19  2021 scp.exe*
-rwxr-x---+ 2 366K May 19  2021 sftp.exe*
-rwxr-x---+ 2 300K May 19  2021 sftp-server.exe*
-rwxr-x---+ 2 924K May 19  2021 ssh.exe*
-rwxr-x---+ 2 470K May 19  2021 ssh-add.exe*
-rwxr-x---+ 2 374K May 19  2021 ssh-agent.exe*
-rwxr-x---+ 2 985K May 19  2021 sshd.exe*
-rwxr-x---+ 2 2.3K May 19  2021 sshd_config_default*
-rwxr-x---+ 2 647K May 19  2021 ssh-keygen.exe*
-rwxr-x---+ 2 545K May 19  2021 ssh-keyscan.exe*
-rwxr-x---+ 2 148K May 19  2021 ssh-shellhost.exe*
$ /proc/cygdrive/c/windows/system32/OpenSSH/ssh -V
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2

unless that has been purged from your systems.

That NVD report has a bunch of links to RH issues irrelevant to the RCE.

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                -- Antoine de Saint-Exupéry

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
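As an added example (not part of Brian's message or of the Cygwin project), here is a small POSIX shell check that does the two things his reply points at: classify an actual `ssh -V` banner against the regreSSHion affected range, and enumerate the OpenSSH clients really present on a Cygwin host, including the Windows-bundled copy under /proc/cygdrive/c/windows/system32/OpenSSH/ shown above. The affected range (portable releases before 4.4p1, and 8.5p1 through 9.7p1, with 9.8p1 carrying the fix) is taken from the upstream OpenSSH 9.8 release notes, not from this thread. The candidate binary paths, the function names and the sample banners other than the Windows one are my own assumptions and constructed inputs.

```shell
#!/bin/sh
# Added example, not from the Cygwin list thread or the Cygwin project.
# Classify an `ssh -V` banner against CVE-2024-6387 (regreSSHion) and report
# every OpenSSH client found on a Cygwin host, Windows-bundled copy included.
#
# Affected range per the upstream OpenSSH 9.8 release notes (not from the
# thread): portable releases before 4.4p1, and 8.5p1 through 9.7p1; 9.8p1 is
# fixed. Only major.minor is compared, which is sufficient for this range.

openssh_cve_2024_6387_status() {
    # $1 is a banner such as "OpenSSH_9.8p1, OpenSSL 3.0.13 30 Jan 2024"
    # or "OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2" (the Windows build).
    # Prints one word: affected, not-affected, or unknown.
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^OpenSSH_\(for_Windows_\)*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\2 \3/p')
    if [ -z "$ver" ]; then
        # Not a real ssh -V banner (e.g. a scanner's own summary line such as
        # "OpenBSD OpenSSH 9.8"): report unknown rather than guess.
        echo unknown
        return 0
    fi
    set -- $ver                 # $1=major $2=minor (word splitting intended)
    n=$(( $1 * 100 + $2 ))      # 9.8 -> 908, 8.1 -> 801, 4.3 -> 403
    if [ "$n" -lt 404 ] || { [ "$n" -ge 805 ] && [ "$n" -lt 908 ]; }; then
        echo affected
    else
        echo not-affected
    fi
}

report_installed_openssh() {
    # Candidate client binaries on a Cygwin host (assumed paths): the Cygwin
    # package's ssh and the Windows OpenSSH directory from the thread.
    # `ssh -V` writes its banner to stderr, hence 2>&1.
    # Output per binary: path, status, banner (tab separated).
    for bin in /usr/bin/ssh /proc/cygdrive/c/windows/system32/OpenSSH/ssh.exe; do
        [ -x "$bin" ] || continue
        banner=$("$bin" -V 2>&1 | head -n 1)
        printf '%s\t%s\t%s\n' "$bin" "$(openssh_cve_2024_6387_status "$banner")" "$banner"
    done
}

report_installed_openssh
```

Run it from a Cygwin shell; each output line names the binary, its status and the banner it printed, so a scanner finding can be matched to a concrete path and version rather than to a product name. Note that by this range the Windows 8.1p1 build predates the 8.5p1 regression and therefore falls outside this particular CVE, and a scanner line like "OpenBSD OpenSSH 9.8" is not a banner at all; both are reasons to verify what a scanner is actually looking at before planning remediation.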