RHEL9: how to mitigate possible Denial of Service due to enabling mitigation for CVE-2024-6387
Environment
- Red Hat Enterprise Linux 9
- openssh-server
Issue
- On RHEL9, applying the mitigation for CVE-2024-6387 (LoginGraceTime 0) makes the service vulnerable to Denial of Service, as an attacker could still exhaust all the connections.
- How can I ensure that unsuccessful logins taking more than 120 seconds are disconnected automatically?
Resolution
The fix for CVE-2024-6387 has been released on July 3, 2024 as RHSA-2024:4312 - Security Advisory.
After applying the errata, don't forget to roll back the mitigation by setting LoginGraceTime 120 back to the default (or your own value).
Workaround if the errata cannot be applied
If installing the fix is not possible yet, apply the mitigation and optionally use a script, run regularly from cron, to automatically disconnect connections that have not authenticated for longer than 120 seconds.
- Install the close_non_finished_sshd_connections.sh script in attachment into the /usr/local/libexec directory:
  # cp close_non_finished_sshd_connections.sh /usr/local/libexec
  # chmod +x /usr/local/libexec/close_non_finished_sshd_connections.sh
  # restorecon -Fv /usr/local/libexec/close_non_finished_sshd_connections.sh
The single argument to the script is the timeout for non-authenticated connections. The default is 120 seconds.
The script checks whether the sshd handlers for incoming connections are in either the [accept] state or the unknown state (which means the user has not authenticated yet). If the process was started before the current time minus the timeout, this likely means no authentication was ever performed.
- Create a cron job or a systemd timer unit executing the script periodically. Example for running it from cron every 2 minutes:
  # tail -f /etc/crontab
  */2 * * * * root /usr/local/libexec/close_non_finished_sshd_connections.sh
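The shell script below is an added example of the logic described in the two steps above; it is not the close_non_finished_sshd_connections.sh attached to this solution and has not been reviewed by Red Hat. It reads the sshd process table with `ps -o pid=,etimes=,args=`, keeps only the pre-authentication handlers (process titles starting with `sshd: [accept` or `sshd: unknown`, an assumption about the titles openssh-server 8.7 sets on RHEL 9) whose elapsed time exceeds the timeout, and terminates them. Installed under /usr/local/libexec with the name used in the crontab line above, it takes the same single timeout argument, defaulting to 120 seconds.

```shell
#!/bin/bash
# Added example: reaper for sshd pre-authentication handlers, written to the
# behaviour the solution describes. It is NOT the script attached to the Red Hat
# solution; the process-title patterns are an assumption for RHEL 9's openssh 8.7.
set -u

TIMEOUT="${1:-120}"   # single argument: seconds a connection may stay unauthenticated

# Read "PID ELAPSED_SECONDS ARGS" lines (the layout `ps -o pid=,etimes=,args=` prints)
# from stdin and print the PIDs of pre-auth sshd handlers older than the timeout.
# Before authentication the sshd child titles itself "sshd: [accept]" (the prefix
# match also covers "[accepted]") or "sshd: unknown [priv]" / "sshd: unknown [net]".
# Once a user has logged in the title carries the user name instead, and the
# listener shows "sshd: /usr/sbin/sshd -D ...", so neither of those is selected.
select_stale() {
    local timeout="$1" pid etimes args
    while read -r pid etimes args; do
        case "$args" in
            "sshd: [accept"*|"sshd: unknown"*) ;;
            *) continue ;;
        esac
        if [ "$etimes" -gt "$timeout" ]; then
            echo "$pid"
        fi
    done
    return 0
}

# Send SIGTERM to each selected handler (sshd closes the TCP connection when the
# handler exits), log each action, and print how many were terminated.
# Must run as root to signal sshd's processes.
close_stale() {
    local timeout="$1" pid count=0
    for pid in $(ps -C sshd -o pid=,etimes=,args= | select_stale "$timeout"); do
        logger -t close_non_finished_sshd "terminating unauthenticated sshd pid $pid (older than ${timeout}s)"
        if kill "$pid"; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Run from cron every couple of minutes; prints the number of connections closed.
close_stale "$TIMEOUT"
```

The selection is split from the termination so that the matching rule can be checked offline against sample `ps` output before the script is allowed to signal anything; each termination is written to syslog via `logger`, which gives a record of how often the mitigation is actually exercised.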
Root Cause
Because LoginGraceTime 0 is used for mitigation, connections that did not authenticate remain active indefinitely, which can potentially lead to resource exhaustion.