CVE - CVE-2024-6409

CVE-ID
CVE-2024-6409	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:RHBZ#2295085 URL:https://bugzilla.redhat.com/show_bug.cgi?id=2295085 MISC:RHSA-2024:4457 URL:https://access.redhat.com/errata/RHSA-2024:4457 MISC:http://www.openwall.com/lists/oss-security/2024/07/08/2 URL:http://www.openwall.com/lists/oss-security/2024/07/08/2 MISC:http://www.openwall.com/lists/oss-security/2024/07/09/2 URL:http://www.openwall.com/lists/oss-security/2024/07/09/2 MISC:http://www.openwall.com/lists/oss-security/2024/07/09/5 URL:http://www.openwall.com/lists/oss-security/2024/07/09/5 MISC:http://www.openwall.com/lists/oss-security/2024/07/10/1 URL:http://www.openwall.com/lists/oss-security/2024/07/10/1 MISC:http://www.openwall.com/lists/oss-security/2024/07/10/2 URL:http://www.openwall.com/lists/oss-security/2024/07/10/2 MISC:https://access.redhat.com/security/cve/CVE-2024-6409 URL:https://access.redhat.com/security/cve/CVE-2024-6409 MISC:https://almalinux.org/blog/2024-07-09-cve-2024-6409/ URL:https://almalinux.org/blog/2024-07-09-cve-2024-6409/ MISC:https://bugzilla.suse.com/show_bug.cgi?id=1227217 URL:https://bugzilla.suse.com/show_bug.cgi?id=1227217 MISC:https://explore.alas.aws.amazon.com/CVE-2024-6409.html URL:https://explore.alas.aws.amazon.com/CVE-2024-6409.html MISC:https://github.com/openela-main/openssh/commit/c00da7741d42029e49047dd89e266d91dcfbffa0 URL:https://github.com/openela-main/openssh/commit/c00da7741d42029e49047dd89e266d91dcfbffa0 MISC:https://security-tracker.debian.org/tracker/CVE-2024-6409 URL:https://security-tracker.debian.org/tracker/CVE-2024-6409 MISC:https://security.netapp.com/advisory/ntap-20240712-0003/ URL:https://security.netapp.com/advisory/ntap-20240712-0003/ MISC:https://sig-security.rocky.page/issues/CVE-2024-6409/ URL:https://sig-security.rocky.page/issues/CVE-2024-6409/ MISC:https://ubuntu.com/security/CVE-2024-6409 URL:https://ubuntu.com/security/CVE-2024-6409 MISC:https://www.suse.com/security/cve/CVE-2024-6409.html URL:https://www.suse.com/security/cve/CVE-2024-6409.html
Assigning CNA
Red Hat, Inc.
Date Record Created
20240628	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240628)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)

Use of the CVE® List and the associated references from this website are subject to the terms of use. CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 1999–2024, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation.