[Bug 2071815] Re: Investigate ASLR re-randomization being disabled for children
Launchpad Bug Tracker
2071815 at bugs.launchpad.net
Thu Jul 25 20:59:35 UTC 2024
** Merge proposal linked:
https://code.launchpad.net/~enr0n/ubuntu/+source/openssh/+git/openssh/+merge/470124
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2071815
Title:
Investigate ASLR re-randomization being disabled for children
Status in openssh package in Ubuntu:
In Progress
Bug description:
The systemd-socket-activation.patch patch has an Ubuntu delta to fix
bug 2011458, but this results in ASLR not being re-randomized for
children because the patch delta does "rexec_flag = 0;".
This was discovered as part of the CVE-2024-6387 discovery by Qualys,
and is mentioned in the disclosure itself:
Side note: we discovered that Ubuntu 24.04 does not re-randomize the
ASLR of its sshd children (it is randomized only once, at boot time); we
tracked this down to the patch below, which turns off sshd's rexec_flag.
This is generally a bad idea, but in the particular case of this signal
handler race condition, it prevents sshd from being exploitable: the
syslog() inside the SIGALRM handler does not call any of the malloc
functions, because it is never the very first call to syslog().
This is also mentioned in the release notes of OpenSSH 9.8:
Exploitation on non-glibc systems is conceivable but has not been
examined. Systems that lack ASLR or users of downstream Linux
distributions that have modified OpenSSH to disable per-connection
ASLR re-randomisation (yes - this is a thing, no - we don't
understand why) may potentially have an easier path to exploitation.
We should investigate why that was needed, and if an alternative way
of fixing the original bug can be done.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2071815/+subscriptions
More information about the foundations-bugs
mailing list