Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <67430275-b84d-462e-ab74-5a756c6d068f@mindrot.org>
Date: Tue, 9 Jul 2024 09:52:58 +1000 (AEST)
From: Damien Miller <djm@...drot.org>
To: oss-security@...ts.openwall.com
cc: Qualys Security Advisory <qsa@...lys.com>
Subject: Re: CVE-2024-6387: RCE in OpenSSH's server, on
 glibc-based Linux systems

On Mon, 8 Jul 2024, Solar Designer wrote:

> Hi,
> 
> Today is the coordinated release date to publicly disclose a related
> issue I found during review of Qualys' findings, with further analysis
> by Qualys.  My summary is:
> 
> CVE-2024-6409: OpenSSH: Possible remote code execution in privsep child
> due to a race condition in signal handling

As an aside, who wrote the text of
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6409 ?

It's disappointing that this CVE states that this is a vulnerability
in OpenSSH sshd, and fails to make clear that this only affects Redhat
versions and users of their downstream patch.

This follows another critical failure to properly issue CVEs for OpenSSH:
CVE-2024-6387 only lists CPEs for Redhat systems as affected (see the
JSON dump of the entry: https://cveawg.mitre.org/api/cve/CVE-2024-6387 )

This means that anyone using automation that consumes CVEs for detecting
vulnerabilities will be left exposed.

Moreover, the explanatory text for CVE-2024-6387 is also extremely lacking.
It fails to explain the consequence of the vulnerability (unauth RCE) and
just talks about mechanism.

I don't know if it's in anyone on this list's ability to get these
fixed, but IMO they are serious failures of the CVE process that make
it near-useless for consumers of this information.

-d

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.