URL: https://www.cve.org/CVERecord?id=CVE-2024-6387
Submission: On July 01 via api from OM — Scanned from DE
CVE-2024-6387

PUBLISHED

 * CNA

Assigner: Red Hat, Inc.

Published: 2024-07-01
Updated: 2024-07-01

Title: OpenSSH: possible remote code execution due to a race condition in signal handling

DESCRIPTION

A signal handler race condition was found in OpenSSH's server (sshd): if a
client does not authenticate within LoginGraceTime seconds (120 by default, 600
in old OpenSSH versions), sshd's SIGALRM handler is called asynchronously.
However, this signal handler calls various functions that are not
async-signal-safe, for example, syslog().

CWE

 * CWE-364: Signal Handler Race Condition

CVSS

Score: 8.1
Severity: HIGH
Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

PRODUCT STATUS

 * Vendor: Red Hat; Product: Red Hat Enterprise Linux 6; Default Status: All versions are unaffected
 * Vendor: Red Hat; Product: Red Hat Enterprise Linux 7; Default Status: All versions are unaffected
 * Vendor: Red Hat; Product: Red Hat Enterprise Linux 8; Default Status: All versions are unaffected
 * Vendor: Red Hat; Product: Red Hat Enterprise Linux 9; Default Status: All versions are affected


REFERENCES

 * http://www.openwall.com/lists/oss-security/2024/07/01/12
 * https://access.redhat.com/security/cve/CVE-2024-6387 (vdb-entry)
 * bugzilla.redhat.com: RHBZ#2294604 (issue-tracking)
 * https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
 * https://github.com/zgzhang/cve-2024-6387-poc
 * https://ubuntu.com/security/CVE-2024-6387
 * https://ubuntu.com/security/notices/USN-6859-1
 * https://www.suse.com/security/cve/CVE-2024-6387.html
 * https://explore.alas.aws.amazon.com/CVE-2024-6387.html
 * https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1/
 * https://www.openssh.com/txt/release-9.8
 * https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html
 * https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
 * https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
 * https://www.theregister.com/2024/07/01/regresshion_openssh/
 * https://news.ycombinator.com/item?id=40843778
 * https://security-tracker.debian.org/tracker/CVE-2024-6387
 * https://github.com/oracle/oracle-linux/issues/149
 * https://github.com/rapier1/hpn-ssh/issues/87

View additional information about CVE-2024-6387 on NVD.
(Note: The NVD is not operated by the CVE Program)

Use of the CVE® List and the associated references from this website are subject
to the terms of use. CVE is sponsored by the U.S. Department of Homeland
Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
Copyright © 1999-2024, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.