CVE-2024-6387 - regreSSHion

Hello,

This morning a report was published for a new CVE related to sshd:

Looks like ssh versions 8.5p1 up to, but not including, 9.8p1 are affected, which includes the version shipped in AlmaLinux 9.x.

Here’s the tech advisory:
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

It’s early yet but I wanted to make the community aware as we will need to update our systems as soon as a fix is released.

Fix is released.


Awesome, thanks for the quick turnaround on this!

I followed this article and repaired it in both AlmaLinux 9.3 and 9.4. However, the name AlmaLinux 9.3 was looking for when updating was only openssh-8.7p1-38.el9.x86_64, while the name AlmaLinux 9.4 was looking for was openssh-8.7p1-38.el9.alma.1.x86_64.
They are all different from the openssh-8.7p1-38.el9.alma.2 mentioned in the article. Was the repair I made successful?

The .alma.2 package should definitely be on all mirrors now.

Try dnf clean all prior to trying another dnf update openssh.

@travity I hope I didn’t give the impression that I made the fix. I was just posting the announcement from AlmaLinux

Any word on when the Errata will come out? Without this dnf doesn’t see it as a security update, for example “dnf updateinfo --refresh --security --list” doesn’t list it.

The version and wording in the links are confusing to check if the fixed version is present.

From the blog post (AlmaLinux OS - Forever-Free Enterprise-Grade Operating System) we get these instructions:

Update the openssh package to protect your system against this issue:

sudo dnf --refresh upgrade openssh

Confirm the updated version. You are looking for openssh-8.7p1-38.el9.alma.2.

rpm -q openssh

That last command gives this output on my AlmaLinux install:
openssh-8.7p1-38.el9_4.1.x86_64

So it’s not openssh-8.7p1-38.el9.alma.2, so I need an update.

On the Errata page (ALSA-2024:4312) it says under Updated packages listed below:
x86_64 — openssh-8.7p1-38.el9_4.1.x86_64.rpm

So according to this I do have the fixed version. But when I check with ssh -V I get the following output:
OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
So it’s an old version.

This is confusing. In the end I found what version was installed with dnf history and dnf history info xxx, but I suggest the blog post be adjusted to mention not to look for “alma.2” with the rpm -q openssh command if it doesn’t yield the correct results.

I’m quite sure that el9_4.1 was released after the el9.alma.2.

What does rpm -q --changelog openssh | head -20 tell now that you have the el9_4.1 installed?

Thanks @jlehtone , that might explain the confusion, though it might be advisable to add which normal version number would also contain the fix.

This is the output from said command:

Mon Jul 08 2024 Andrew Lukoshko - 8.7p1-38.1.alma.1

  • Possible remote code execution in privsep child due to a race condition
  • Resolves: CVE-2024-6409

Fri Jun 28 2024 Dmitry Belyavskiy - 8.7p1-38.1

  • Possible remote code execution due to a race condition (CVE-2024-6387)
  • Resolves: RHEL-45347

Fri Jan 05 2024 Dmitry Belyavskiy - 8.7p1-38

  • Fix Terrapin attack
  • Resolves: CVE-2023-48795

Fri Jan 05 2024 Dmitry Belyavskiy - 8.7p1-37

  • Fix Terrapin attack
  • Resolves: CVE-2023-48795

Wed Dec 20 2023 Dmitry Belyavskiy - 8.7p1-36

  • Fix Terrapin attack
  • Resolves: CVE-2023-48795
  • Relax OpenSSH build-time checks for OpenSSL version

Let’s look at the history of the openssh package on one of my machines:

dnf history info openssh | grep -E '(Upgrade |Install) openssh-8' | awk -v X=9 '{--X; printf( "#%d:\t%s\n", X, $2)}'
#8:	openssh-8.7p1-38.el9_4.1.alma.1.x86_64
#7:	openssh-8.7p1-38.el9_4.1.x86_64
#6:	openssh-8.7p1-38.el9.alma.2.x86_64
#5:	openssh-8.7p1-38.el9.x86_64
#4:	openssh-8.7p1-34.el9_3.3.x86_64
#3:	openssh-8.7p1-30.el9_2.x86_64
#2:	openssh-8.7p1-29.el9_2.x86_64
#1:	openssh-8.7p1-24.el9_1.x86_64

It looks like I have installed AlmaLinux 9.1, because the oldest version was 8.7p1-24.el9_1.
Two versions have clearly targeted AlmaLinux 9.2 and one 9.3.

The 8.7p1-38.el9 was released for AlmaLinux 9.4. RHEL 9.4 had that same version.
The 8.7p1-38.el9.alma.2 was basically 8.7p1-38.el9 with only the Alma security patch added.
The alma.2 is the hint that this is by Alma and not from Red Hat.

The 8.7p1-38.el9_4.1 was what was released for RHEL 9.4 by Red Hat. Its latest changelog entry was:

* Fri Jun 28 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-38.1
- Possible remote code execution due to a race condition (CVE-2024-6387)
  Resolves: RHEL-45347

Basically the same change from 8.7p1-38.el9 as was in 8.7p1-38.el9.alma.2.
The el9_4.1 is a hint from Red Hat that this version was released for RHEL 9.4 and comes from the maintenance branch of RHEL 9.4, rather than from the development branch of RHEL 9.
RHEL 9.5 will probably get a “8.7p1-N.el9” (where N >= 38).

The 8.7p1-38.el9_4.1.alma.1 is based on the 8.7p1-38.el9_4.1 and has a patch for CVE-2024-6409 added by Alma (as denoted by the alma.1 suffix).
It is quite possible that Red Hat will soon release something like 8.7p1-38.el9_4.2 for RHEL 9.4.
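As an added example (not code from this thread or from AlmaLinux), here is a small Python script that applies the rpm release ordering discussed above to the openssh builds quoted in the thread. It implements a simplified rpmvercmp (no tilde/caret handling) and assumes, as the thread states, that 8.7p1-38.el9.alma.2 is the earliest EL9 build carrying the CVE-2024-6387 fix, so 38.el9_4.1 and 38.el9_4.1.alma.1 sort above it while 38.el9 and older do not.

```python
import re

# Constructed sample input: the NVRAs that dnf history listed in this thread, oldest first.
SAMPLE_HISTORY = [
    "openssh-8.7p1-24.el9_1.x86_64",
    "openssh-8.7p1-29.el9_2.x86_64",
    "openssh-8.7p1-30.el9_2.x86_64",
    "openssh-8.7p1-34.el9_3.3.x86_64",
    "openssh-8.7p1-38.el9.x86_64",
    "openssh-8.7p1-38.el9.alma.2.x86_64",
    "openssh-8.7p1-38.el9_4.1.x86_64",
    "openssh-8.7p1-38.el9_4.1.alma.1.x86_64",
]

# Assumption taken from the thread: earliest EL9 build that carries the CVE-2024-6387 fix.
MIN_FIXED = ("8.7p1", "38.el9.alma.2")

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Simplified rpm version comparison: 1 if a is newer, -1 if older, 0 if equal.
    Separators are ignored; digit runs compare numerically, alpha runs lexically,
    a numeric segment beats an alpha one, and more segments beat fewer.
    Tilde/caret ordering is deliberately not implemented."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvra(pkg):
    """'openssh-8.7p1-38.el9_4.1.x86_64' -> ('openssh', '8.7p1', '38.el9_4.1')."""
    name, version, release = pkg.rsplit(".", 1)[0].rsplit("-", 2)
    return name, version, release


def has_regresshion_fix(pkg):
    """True when the installed openssh sorts at or above MIN_FIXED under rpm ordering."""
    name, version, release = split_nvra(pkg)
    if name != "openssh":
        raise ValueError(f"not an openssh package: {pkg}")
    order = rpmvercmp(version, MIN_FIXED[0]) or rpmvercmp(release, MIN_FIXED[1])
    return order >= 0
```

Feed it the output of rpm -q openssh; the changelog check (rpm -q --changelog openssh | grep CVE-2024-6387) remains the authoritative confirmation, since this ordering only encodes what the thread established about these particular builds.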