CVE-2024-7589: OpenSSH Pre-Authentication Vulnerability in FreeBSD Exposes Systems to RCE
In a recent security advisory, the FreeBSD Project disclosed a critical vulnerability (CVE-2024-7589) in OpenSSH, the widely-used implementation of the SSH protocol suite. This vulnerability could allow a determined attacker to execute arbitrary code remotely with root privileges, potentially compromising the entire system.
OpenSSH provides secure, encrypted communication for remote shell access and other services. The vulnerability stems from a signal handler in the sshd daemon: when a client fails to authenticate within LoginGraceTime (120 seconds by default), the handler is invoked, and it may call a logging function that is not async-signal-safe, creating a potential race condition.
This flaw is particularly concerning because the sshd daemon runs with full root privileges and is not sandboxed, meaning that an attacker who successfully exploits this race condition could execute arbitrary code on the target system with root-level access.
The primary impact of CVE-2024-7589 is the risk of unauthenticated remote code execution as root. If exploited, this vulnerability could allow a determined attacker to gain complete control over a vulnerable FreeBSD system, leading to potentially severe consequences, including data theft, service disruption, and unauthorized access to critical infrastructure.
This issue is closely related to a previous vulnerability (CVE-2024-6387) that was addressed earlier in the year. In this case, the faulty code is linked to the integration of blacklistd in OpenSSH on FreeBSD, which introduced the unsafe signal handler.
For administrators unable to immediately update their FreeBSD systems, a temporary workaround is available. By setting LoginGraceTime to 0 in the /etc/ssh/sshd_config file and restarting sshd, the race condition can be mitigated. However, this workaround carries a risk of its own: it makes the system vulnerable to a denial-of-service (DoS) attack by exhausting all MaxStartups connections. While this mitigates the remote code execution risk, it is not a long-term solution and should only be used as a stopgap measure.
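The stopgap above is easy to get wrong, because sshd honours only the first occurrence of a keyword and ignores global directives placed after a Match block, so a `LoginGraceTime 0` appended to the end of an existing config may silently have no effect. The following script is an added example, not part of the FreeBSD advisory or the OpenSSH project: it computes the LoginGraceTime sshd would actually use for the global section, reports whether the workaround is in effect, and applies it by inserting the directive at the top of the file. The sample config it runs on is constructed for the demo; the real file is /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the FreeBSD advisory): audit an sshd_config for the
# CVE-2024-7589 stopgap and apply it the way sshd actually reads the file.
# sshd uses the FIRST occurrence of a keyword and ignores global directives
# that appear after a Match block, so "LoginGraceTime 0" appended to the end
# of a file that already sets it earlier would silently do nothing.

# Print the LoginGraceTime sshd would use for the global (pre-Match) section,
# in seconds. Falls back to the documented default of 120 when unset.
effective_login_grace_time() {
    awk '
        function to_seconds(v,   n, u) {
            u = substr(v, length(v), 1)
            if (u ~ /[0-9]/) return v + 0          # plain number of seconds
            n = substr(v, 1, length(v) - 1) + 0     # numeric part of e.g. "2m"
            if (u == "s") return n
            if (u == "m") return n * 60
            if (u == "h") return n * 3600
            if (u == "d") return n * 86400
            if (u == "w") return n * 604800
            return v + 0
        }
        {
            sub(/#.*/, "")                          # strip comments
            sub(/=/, " ")                           # sshd also accepts Keyword=value
            if ($0 ~ /^[[:space:]]*$/) next         # skip blank lines
        }
        tolower($1) == "match" { exit }             # global section ends here
        tolower($1) == "logingracetime" && !found { val = $2; found = 1 }
        END { print (found ? to_seconds(val) : 120) }
    ' "$1"
}

# Exit 0 if the workaround (LoginGraceTime 0) is in effect, 1 otherwise.
workaround_applied() {
    [ "$(effective_login_grace_time "$1")" = "0" ]
}

# Insert "LoginGraceTime 0" at the top of the file so it wins over any later
# setting and precedes any Match block. Idempotent.
apply_workaround() {
    workaround_applied "$1" && return 0
    tmp=$(mktemp) || return 1
    { printf 'LoginGraceTime 0\n'; cat "$1"; } > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Demo on a constructed sample config. Note the trap it illustrates: the
# "LoginGraceTime 0" inside the Match block does NOT protect the global
# pre-auth path, so the effective value is still 60 seconds before the fix.
sample=$(mktemp)
printf 'Port 22\nLoginGraceTime 1m\n\nMatch User backup\n    LoginGraceTime 0\n' > "$sample"
echo "before: $(effective_login_grace_time "$sample")s"   # 60s
apply_workaround "$sample"
echo "after:  $(effective_login_grace_time "$sample")s"   # 0s
rm -f "$sample"
```

On a live FreeBSD host, run the functions against /etc/ssh/sshd_config, then `service sshd restart`; `sshd -T | grep -i logingracetime` prints the value sshd has actually loaded, which is the check to rely on rather than the file text.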
The FreeBSD Project strongly recommends upgrading to a supported stable or release/security branch that includes the necessary patch to fix this vulnerability. The following FreeBSD versions have been updated to address CVE-2024-7589:
- FreeBSD OS 14.0
- FreeBSD OS 14.1
- FreeBSD OS 13.3
After upgrading, administrators should restart sshd to apply the changes and ensure their systems are protected against potential exploitation.