A newly discovered OpenSSH vulnerability in FreeBSD systems has been reported. This critical flaw, identified as CVE-2024-7589, could allow attackers to execute remote code with root privileges without any prior authentication. The vulnerability affects all supported versions of FreeBSD, highlighting the urgent need for immediate action to secure systems.
The core issue lies in a signal handler within the SSH daemon (sshd) that interacts with logging functions not deemed async-signal-safe. This handler is activated when a client fails to authenticate within the default LoginGraceTime period of 120 seconds. The problem arises from this signal handler calling logging functions that are unsafe to execute in an asynchronous signal context, creating a race condition that attackers can exploit for arbitrary remote code execution.
Critical OpenSSH Vulnerability in FreeBSD
Specifically, this flaw is linked to the integration of the backlisted service within FreeBSD’s OpenSSH implementation. The faulty code is situated in a part of the sshd process that operates with full root privileges, which amplifies the risk associated with this vulnerability. Attackers who manage to exploit this race condition could gain unauthenticated remote access and execute code as the root user.
In response to the critical OpenSSH vulnerability, FreeBSD has released security advisories and patches. These updates address the issue across multiple versions of the FreeBSD operating system, with corrections applied to Stable/13 and Stable/14 on August 6, 2024, and to Releng/13.3, Releng/14.0, and Releng/14.1 on August 7, 2024.
These patches are available for both binary and source code updates. For binary patching, users on the amd64, arm64, or i386 platforms can use the FreeBSD-update utility to fetch and install updates.
For those opting for source code updates, the process involves fetching the relevant patch, verifying its PGP signature, applying the patch, and recompiling the operating system. Detailed instructions are provided in the FreeBSD security advisory, which also outlines how to verify the applied patches and associated commit hashes.
Workaround and Recommendations
If immediate patching is not feasible, FreeBSD administrators can mitigate the risk by setting LoginGraceTime to 0 in the /etc/ssh/sshd_config file and restarting the sshd service. This adjustment eliminates the remote code execution risk but may expose the system to denial-of-service attacks due to the potential exhaustion of all MaxStartups connections.
Given the severity of CVE-2024-7589, system administrators are strongly advised to apply the available updates as soon as possible. The vulnerability’s nature, allowing unauthenticated remote code execution in a privileged context, means that it poses a significant risk of full system compromise. Exploitation could lead to unauthorized access, data exfiltration, or malware installation.
The OpenSSH vulnerability in FreeBSD shares similarities with CVE-2024-6387, which affected OpenSSH on Linux systems. However, CVE-2024-7589 is specific to FreeBSD’s implementation, particularly its integration with blacklistd. This distinction highlights the critical need for tailored security measures across different operating systems and configurations.
