A signal handler race condition vulnerability was discovered in OpenSSH server (sshd) affecting its default configuration. If an SSH client fails to authenticate within the
LoginGraceTimeperiod (120 seconds by default), then the SIGALRM (signal alarm) handler is called asynchronously, but some of the functions that it calls are not async-signal-safe, includingsyslog(). In glibc-based Linux distros, under certain conditionssyslog()calls the async-signal-unsafe functionsmalloc()andfree(). If a call to either of these is interrupted by code that also calls a heap-related function, this could lead to heap corruption, which can be abused by arranging the heap in a way that leads to arbitrary code execution, running with sshd’s root privileges.
Why immediate panic might not be warranted:
As of July 1st, 2024, no exploitation of this vulnerability has been identified in the wild. The vulnerability has only been proven as exploitable under lab conditions on 32-bit Linux/glibc systems (with ASLR). Exploitation on 64-bit systems has not been proven but is believed to be possible.
A basic proof of concept was published on GitHub. Because of the exploitation’s extensive time requirements we couldn’t yet verify the effectiveness of this code, but our analysis indicates this to be a legitimate exploitation of the vulnerability as described by Qualys researchers.
I haven’t come across a 32-bit system in a very long time, especially on the server side. Nevertheless, it’s a good idea to update. See also: The original Qualys report.