Introduction
OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access and SFTP.
In affected versions of OpenSSH, with the default sshd config, a race condition exists that a determined attacker may be able to exploit to achieve unauthenticated remote code execution as root. A race condition vulnerability is one where the undefined behaviour, and thus any exploitation, only occurs if the vulnerable code is triggered in a particular sequence, which depends on getting the timing of the triggers just right.
Impact
So far, exploitation has only been demonstrated under lab conditions with a tailored exploit on 32-bit systems; it takes 6 – 8 hours on average of continuous connections, up to the maximum the server will accept (100 with the default sshd config). Exploiting 64-bit systems under lab conditions is believed to be possible but harder (because of ASLR). Since exploiting a race condition depends on timing, exploiting a system over the internet is harder than under lab conditions because of the variability the internet introduces in network packet delivery. Additionally, the exploit needs to be adjusted and tuned for each network and system.
From this we can conclude that exploitation requires a determined attacker and a lot of time (more than 8 hours for 64-bit systems, likely a lot more). An exploitation attempt would become visible in monitoring through the high number of concurrent connections or availability issues of sshd.
Affected Versions
From 8.5p1 up to and including 9.7p1
Fixed version: 9.8p1
Not affected: OpenSSH packages of Ubuntu 24.04 and OpenBSD
Remediation
– Upgrade to OpenSSH 9.8p1
– Upgrade to a patched OpenSSH version distributed by your distro; Ubuntu and Debian have released them
– If sshd cannot be updated, this race condition can be mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and restarting sshd. This makes sshd vulnerable to a denial of service (exhaustion of all MaxStartups connections), but protects it from the remote code execution described in this advisory.
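The following is an added example, not part of the advisory, that turns the affected-version range and the LoginGraceTime mitigation above into a fleet check: it parses the banner printed by `ssh -V` / `sshd -V` and the text of sshd_config (or `sshd -T` output, which resolves Include directives) and returns one of three verdicts. The version check is only a first pass, since distros backport fixes without changing the version string.

```python
import re

AFFECTED_MIN, AFFECTED_MAX = (8, 5), (9, 7)  # advisory: 8.5p1 through 9.7p1 affected, 9.8p1 fixed
DEFAULT_LOGIN_GRACE_TIME = 120  # upstream sshd default (2m) when the option is unset
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}  # sshd time suffixes


def parse_openssh_version(banner):
    """(major, minor) from an `ssh -V` / `sshd -V` banner such as
    'OpenSSH_9.7p1 Ubuntu-7ubuntu4, OpenSSL 3.0.13 30 Jan 2024' -> (9, 7)."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no OpenSSH version found in banner")
    return int(m.group(1)), int(m.group(2))


def version_in_affected_range(banner):
    """Version-only check: distros backport fixes without bumping the version
    (the advisory lists Ubuntu 24.04 and OpenBSD packages as not affected)."""
    return AFFECTED_MIN <= parse_openssh_version(banner) <= AFFECTED_MAX


def effective_login_grace_time(config_text):
    """LoginGraceTime in seconds from sshd_config text: keywords are case-insensitive,
    written 'keyword value' or 'keyword=value', the first occurrence wins and lines
    starting with '#' are comments. Include is not followed; use `sshd -T` output."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            m = re.fullmatch(r"(\d+)([smhdw]?)", parts[1].strip().lower())
            if not m:
                raise ValueError("unparseable LoginGraceTime value: " + parts[1])
            return int(m.group(1)) * _UNITS[m.group(2)]
    return DEFAULT_LOGIN_GRACE_TIME


def assess(banner, config_text):
    """One of three verdicts for a host, from its banner and its sshd config."""
    if not version_in_affected_range(banner):
        return "not-affected-by-version"
    if effective_login_grace_time(config_text) == 0:
        return "affected-but-mitigated"  # RCE closed by LoginGraceTime 0; DoS trade-off remains
    return "affected-unmitigated"  # upgrade to 9.8p1 or set LoginGraceTime 0


if __name__ == "__main__":
    # Constructed sample input, not taken from a real host.
    banner = "OpenSSH_9.7p1 Ubuntu-7ubuntu4, OpenSSL 3.0.13 30 Jan 2024"
    config = "#LoginGraceTime 2m\nPermitRootLogin prohibit-password\n"
    print(assess(banner, config))  # affected-unmitigated
```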