{"uuid": "9643aeff-5522-4bd7-b2d7-069e012cd6b0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2008-4109", "type": "seen", "source": "https://t.me/tech_b0lt_Genona/4551", "content": "> but OpenBSD is notably not vulnerable\n\nGlory to Patrick Theo\n\nThis regression was introduced in October 2020 (OpenSSH 8.5p1) by commit\n752250c (\"revised log infrastructure for OpenSSH\"), which accidentally\nremoved an \"#ifdef DO_LOG_SAFE_IN_SIGHAND\" from sigdie(), a function\nthat is directly called by sshd's SIGALRM handler. In other words:\n\n- OpenSSH < 4.4p1 is vulnerable to this signal handler race condition,\n  if not backport-patched against CVE-2006-5051, or not patched against\n  CVE-2008-4109, which was an incorrect fix for CVE-2006-5051;\n\n- 4.4p1 <= OpenSSH < 8.5p1 is not vulnerable to this signal handler race\n  condition (because the \"#ifdef DO_LOG_SAFE_IN_SIGHAND\" that was added\n  to sigdie() by the patch for CVE-2006-5051 transformed this unsafe\n  function into a safe _exit(1) call);\n\n- 8.5p1 <= OpenSSH < 9.8p1 is vulnerable again to this signal handler\n  race condition (because the \"#ifdef DO_LOG_SAFE_IN_SIGHAND\" was\n  accidentally removed from sigdie()).\n\nThis vulnerability is exploitable remotely on glibc-based Linux systems,\nwhere syslog() itself calls async-signal-unsafe functions (for example,\nmalloc() and free()): an unauthenticated remote code execution as root,\nbecause it affects sshd's privileged code, which is not sandboxed and\nruns with full privileges. We have not investigated any other libc or\noperating system; but OpenBSD is notably not vulnerable, because its\nSIGALRM handler calls syslog_r(), an async-signal-safer version of\nsyslog() that was invented by OpenBSD in 2001.\n\nregreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems\n(CVE-2024-6387)\nhttps://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt", "creation_timestamp": "2024-07-01T10:01:49.000000Z"}