Race condition in sshd(8)
A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges.
https://www.openssh.com/releasenotes.html
Qualys Security Advisory: https://www.mail-archive.com/[email protected]/msg00235.html
Mitigation: set LoginGraceTime=0 in sshd_config
Fixing commit: https://github.com/openssh/openssh-portable/commit/81c1099d22b81ebfd20a334ce986c4f753b0db29
Because this fix is part of a large commit (81c1099), on top of an even larger defense-in-depth commit (03e3de4, "Start the process of splitting sshd into separate binaries"), it might prove difficult to backport. In that case, the signal handler race condition itself can be fixed by removing or commenting out the async-signal-unsafe code from the sshsigdie() function; for example:
sshsigdie(const char *file, const char *func, int line, int showfunc,
LogLevel level, const char *suffix, const char *fmt, ...)
{
+#if 0
va_list args;
va_start(args, fmt);
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
suffix, fmt, args);
va_end(args);
+#endif
_exit(1);
}
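
Review bot: the `+#if 0` around the va_start/sshlogv/va_end block carries no comment saying why the block is disabled, and with it disabled sshsigdie() reaches `_exit(1)` without emitting the SYSLOG_LEVEL_FATAL message and leaves every parameter unused. Suggest a comment directly above `+#if 0` stating that the logging call is async-signal-unsafe and must not be re-enabled in this function, plus a note in the backport's changelog that the fatal log line no longer appears, so that monitoring which relied on it can be adjusted.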