CVE-2024-6387: Shenlong Ten Questions, AI in-depth analysis summary

CVSS 8.1 · High

Q1. What is this vulnerability? (essence + consequences)

- **Essence**: Signal handler **race condition** in OpenSSH's `sshd` 🚨
  - In the **SIGALRM** handler, unsafe functions are called ⚠️
- **Consequences**:
  - 🎯 Remote code execution (RCE)
  - 🔓 Gain **root** control
  - …

Q2. Root cause? (CWE / defect point)

- **Root Cause**: Race condition in signal handling 🚨
- **CWE Idea**: Improper synchronization
  - Calls **async-signal-unsafe** functions in `SIGALRM` ❌
  - Triggers undefined behavior → exploitable state 🧨

Q3. Who is affected? (versions / components)

- **Affected Component**: OpenSSH server (`sshd`) 🖥️
- **Versions**: `8.5p1` ➡️ `9.8p1` 📌
- **Platform**: glibc-based Linux systems 🐧

Q4. What can an attacker do? (privileges / data)

- 🔓 **Privilege**: Full **root** access
- 💾 **Data**: Full system compromise
- 🕹️ Can execute **arbitrary code** remotely
- 🚪 Full control over target machine

Q5. Is the exploitation bar high? (authentication / configuration)

- **Threshold**: ✅ Low
  - 🚫 **No auth** required
  - 🌐 Network reachable = exploitable
  - ⚙️ Default config also at risk

Q6. Is there a ready-made exploit? (PoC / in-the-wild exploitation)

- ✅ **Public PoCs** exist 🔍
  - Multiple GitHub repos with exploits 🧪
  - e.g. `zgzhang`, `acrono`, `lflare`, `shyrwall`
- 🚨 Potential **in-the-wild exploitation** risk

Q7. How to self-check? (signatures / scanning)

- 🔧 Use scanner tools like:
  - `CVE-2024-6387_Check` 🛠️
    - Scans IPs / domains / CIDRs 🌍
    - Gets SSH banner 📜
    - Detects `LoginGraceTime` settings ⏱️
    - IPv6 supported 🌐
- 💡 Run script ➡️ check v…

Q8. Has the vendor fixed it? (patch / mitigation)

- ✅ **Official fix released** 🛡️
  - Fixed in **OpenSSH 9.8p1** 📦
  - See release notes: https://www.openssh.com/txt/release-9.8
  - Vendors (e.g. Red Hat) issued advisories 📄

Q9. What if there is no patch? (temporary workaround)

- 🚧 **Workaround** if no patch:
  - Set `LoginGraceTime` to `0` in sshd_config ⏳
    - Mitigates via faster timeout
- 🔐 Disable SSH password login (key-only)
- 🧱 Restrict SSH access via firewall / fail2ban
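
The self-check in Q7 (SSH banner plus `LoginGraceTime`) and the workaround in Q9 can be combined into one local check, shown here as an added example that is not part of the original page or of the `CVE-2024-6387_Check` tool. It assumes the affected window runs from 8.5p1 up to the 9.8p1 fix as stated above, works on banner and `sshd_config` text you supply, and ignores `Include` files; the function names and sample inputs are constructed for illustration.

```python
import re

# Version window as this page states it: affected from 8.5p1, fixed in 9.8p1.
# Assumption of this example: 9.8 is treated as the first fixed release.
FIRST_AFFECTED, FIRST_FIXED = (8, 5), (9, 8)
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def banner_version(banner):
    """Return (major, minor) from an SSH identification string, or None."""
    m = re.match(r"SSH-\d+\.\d+-OpenSSH_(\d+)\.(\d+)", banner.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def to_seconds(value):
    """Convert sshd_config time formats such as 120, 2m or 1h30m to seconds."""
    parts = re.findall(r"(\d+)([smhdw]?)", value.lower())
    if not parts or "".join(n + u for n, u in parts) != value.lower():
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def login_grace_time(config_text):
    """Effective LoginGraceTime: the first occurrence wins, default is 120s."""
    for line in config_text.splitlines():
        # Commented-out lines start with '#' and therefore never match.
        m = re.match(r"\s*LoginGraceTime(?:\s*=\s*|\s+)(\S+)", line, re.I)
        if m:
            return to_seconds(m.group(1).strip('"'))
    return 120

def assess(banner, config_text):
    """Classify one host from its banner and sshd_config contents."""
    version = banner_version(banner)
    if version is None:
        return "unknown: not an OpenSSH banner"
    if not (FIRST_AFFECTED <= version < FIRST_FIXED):
        return "outside affected range"
    # sshd_config(5): 0 means no time limit, so no grace timer is armed.
    if login_grace_time(config_text) == 0:
        return "affected version, workaround applied"
    return "affected version, patch or apply workaround"

# Constructed sample inputs, not taken from a real host.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"
SAMPLE_CONFIG = "PermitRootLogin no\n#LoginGraceTime 0\nLoginGraceTime 2m\n"

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```

Distributions may backport the fix without changing the upstream version in the banner, so a banner match is a prompt to check the installed package's changelog, not proof of exposure.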

Q10. How urgent is it? (priority recommendation)

- 🚨 **Urgent** – Critical priority 🔥
  - CVSS: `8.1` → HIGH 💥
  - RCE + **no auth** + public PoC = 💣
  - Patch **immediately** or apply workaround ⚡
- 🧨 Risk of full system takeover