Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    sshd CVE-2024-6387 vulnerability

    Scheduled Pinned Locked Moved General pfSense Questions
    15 Posts 6 Posters 4.2k Views 7 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S Offline
      stephenw10 Netgate Administrator
      last edited by

      Theoretically. See: https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc
      Workaround patch incoming.

      M JonathanLeeJ 2 Replies Last reply Reply Quote 2
      • M Offline
        marcg @stephenw10
        last edited by

        @stephenw10, thanks.

        1 Reply Last reply Reply Quote 0
        • JonathanLeeJ Offline
          JonathanLee @stephenw10
          last edited by

          @stephenw10

          Workaround

          If sshd(8) cannot be updated, this signal handler race condition can be
          mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and
          restarting sshd(8). This makes sshd(8) vulnerable to a denial of service
          (the exhaustion of all MaxStartups connections), but makes it safe from the
          remote code execution presented in this advisory.

          Is this the recommendation for older versions of pfSense currently?

          Make sure to upvote

          1 Reply Last reply Reply Quote 1
          • stephenw10S Offline
            stephenw10 Netgate Administrator
            last edited by

            Yes, the patch will set that.

            S 1 Reply Last reply Reply Quote 1
            • S Offline
              slu @stephenw10
              last edited by

              And the patch is already there, good work Netgate!

              pfSense Gold subscription

              1 Reply Last reply Reply Quote 1
              • stephenw10S Offline
                stephenw10 Netgate Administrator
                last edited by

                See: https://forum.netgate.com/topic/189010/netgate-security-advisory-cve-2024-6387

                T 1 Reply Last reply Reply Quote 1
                • T Offline
                  tedquade @stephenw10
                  last edited by

                  @stephenw10 Will a fix for this be incorporated in the next 24.09-Development release?

                  Ted

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S Offline
                    stephenw10 Netgate Administrator
                    last edited by

                    Yes 24.08 will have an updated openssh version.

                    J 1 Reply Last reply Reply Quote 2
                    • JeGrJ JeGr referenced this topic on
                    • J Offline
                      jos-andel @stephenw10
                      last edited by

                      @stephenw10
                      How about the new CE 2.8.0 ? Is that alright as well ?

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S Offline
                        stephenw10 Netgate Administrator
                        last edited by

                        This post is deleted!
                        1 Reply Last reply Reply Quote 0
                        • stephenw10S Offline
                          stephenw10 Netgate Administrator
                          last edited by

                          2.8.0 has the patched code: https://github.com/pfsense/FreeBSD-src/commit/2abea9df01655633aabbb9bf3204c90722001202

                          1 Reply Last reply Reply Quote 1
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.