Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    sshd CVE-2024-6387 vulnerability

    Scheduled Pinned Locked Moved General pfSense Questions
    15 Posts 6 Posters 4.2k Views 7 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M Offline
      marcg @stephenw10
      last edited by

      @stephenw10, thanks.

      1 Reply Last reply Reply Quote 0
      • JonathanLeeJ Offline
        JonathanLee @stephenw10
        last edited by

        @stephenw10

        Workaround

        If sshd(8) cannot be updated, this signal handler race condition can be
        mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and
        restarting sshd(8). This makes sshd(8) vulnerable to a denial of service
        (the exhaustion of all MaxStartups connections), but makes it safe from the
        remote code execution presented in this advisory.

        Is this the recommendation for older versions of pfSense currently?

        Make sure to upvote

        1 Reply Last reply Reply Quote 1
        • stephenw10S Offline
          stephenw10 Netgate Administrator
          last edited by

          Yes, the patch will set that.

          S 1 Reply Last reply Reply Quote 1
          • S Offline
            slu @stephenw10
            last edited by

            And the patch is already there, good work Netgate!

            pfSense Gold subscription

            1 Reply Last reply Reply Quote 1
            • stephenw10S Offline
              stephenw10 Netgate Administrator
              last edited by

              See: https://forum.netgate.com/topic/189010/netgate-security-advisory-cve-2024-6387

              T 1 Reply Last reply Reply Quote 1
              • T Offline
                tedquade @stephenw10
                last edited by

                @stephenw10 Will a fix for this be incorporated in the next 24.09-Development release?

                Ted

                1 Reply Last reply Reply Quote 0
                • stephenw10S Offline
                  stephenw10 Netgate Administrator
                  last edited by

                  Yes 24.08 will have an updated openssh version.

                  J 1 Reply Last reply Reply Quote 2
                  • JeGrJ JeGr referenced this topic on
                  • J Offline
                    jos-andel @stephenw10
                    last edited by

                    @stephenw10
                    How about the new CE 2.8.0 ? Is that alright as well ?

                    1 Reply Last reply Reply Quote 0
                    • stephenw10S Offline
                      stephenw10 Netgate Administrator
                      last edited by

                      This post is deleted!
                      1 Reply Last reply Reply Quote 0
                      • stephenw10S Offline
                        stephenw10 Netgate Administrator
                        last edited by

                        2.8.0 has the patched code: https://github.com/pfsense/FreeBSD-src/commit/2abea9df01655633aabbb9bf3204c90722001202

                        1 Reply Last reply Reply Quote 1
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.