International Money Flow
SECURITY ADVISORY · TLP:CLEAR · 2024-07-01

Signal handler race in OpenSSH sshd allows pre-auth RCE on glibc Linux

A signal handler race condition in sshd, dubbed regreSSHion, permits unauthenticated remote code execution as root on glibc-based Linux. The flaw is a regression of CVE-2006-5051. Exploitation is non-trivial but demonstrated.

HIGH 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: 2024-07-01
Last updated: 2026-04-29
Status: PUBLISHED
CVE IDs: CVE-2024-6387
CVSS: 8.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected: OpenSSH 8.5p1 through 9.7p1 (inclusive) on glibc-based Linux · OpenSSH < 4.4p1 on glibc-based Linux without the CVE-2006-5051 backport
Reporter: Qualys Threat Research Unit
TLP: TLP:CLEAR

Summary

OpenSSH’s sshd invokes syslog() from its SIGALRM handler when a client fails to complete authentication within LoginGraceTime (default 120 s). syslog() is not async-signal-safe: on glibc it takes a lock and calls malloc() and free(), so if the signal interrupts code that is already inside the allocator, the handler can deadlock or corrupt heap state. An attacker who sends the right bytes during the key exchange, timed so that the alarm fires while the heap is in an exploitable state, can turn that corruption into arbitrary code execution as root.

The vulnerability is a regression: the same logic flaw was tracked as CVE-2006-5051, fixed in OpenSSH 4.4p1 in 2006, and re-introduced in OpenSSH 8.5p1 (2021-03-03) when the #ifdef DO_LOG_SAFE_IN_SIGHAND guard was removed during cleanup.

OpenBSD’s sshd is unaffected because its handler uses syslog_r(), an async-signal-safe variant of syslog(). musl-based distributions (Alpine Linux) are also reported not affected, because musl’s syslog() implementation does not make the heap calls that make glibc’s unsafe here.

Affected versions

Vulnerable on glibc-based Linux
OpenSSH 8.5p1 through 9.7p1 (inclusive)
OpenSSH versions earlier than 4.4p1 without the CVE-2006-5051 backport (note that the first Debian backport of that fix was itself flawed and tracked as CVE-2008-4109)
Not affected
OpenSSH 4.4p1 through 8.4p1 (inclusive)
OpenSSH 9.8p1 and later
OpenBSD sshd
musl-based Linux distributions (Alpine)

Technical detail

sshd’s pre-authentication grace timer fires SIGALRM after LoginGraceTime elapses. The handler, grace_alarm_handler(), calls sigdie(), which logs through syslog(); in glibc that path takes a global lock and may allocate memory (the call chain __vsyslog_internal → __find_specmb → malloc). Neither locking nor heap allocation is permitted in a signal handler: only async-signal-safe functions are.

If the alarm fires while the main code path of the pre-auth child process is already inside an allocator critical section, for instance while parsing attacker-controlled SSH2_MSG_KEXINIT data during the SSH key exchange, heap metadata becomes corruptible. Qualys’s proof-of-concept shapes that corruption into a function-pointer overwrite that delivers control to attacker-supplied shellcode on a subsequent free().

In Qualys’s lab, winning the race and landing a root shell against a 32-bit i386 sshd with ASLR took roughly 6–8 hours of continuous connections (on the order of 10,000 attempts, paced by MaxStartups and LoginGraceTime). Qualys did not complete an exploit for amd64 but assessed one as feasible with a lower success rate; treat modern 64-bit builds as exploitable, not immune.
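The two handler shapes side by side, as an added example that is not code from the advisory, from Qualys, or from OpenSSH. The unsafe handler has the pre-9.8 shape (syslog() and exit() from inside SIGALRM); the safe one does nothing but _exit() with a distinct status, leaving the parent to log the timeout outside any handler. The exit code, the function names and the 1-second grace period are illustrative assumptions.

```c
/* Added example; not code from the advisory, from Qualys, or from OpenSSH.
 * Contrasts a SIGALRM handler that calls syslog() (the vulnerable shape)
 * with one that only _exit()s, so the parent can log the timeout safely.
 * EXIT_LOGIN_GRACE_TIMEOUT, the function names and the grace period are
 * illustrative. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <syslog.h>
#include <unistd.h>

#define EXIT_LOGIN_GRACE_TIMEOUT 42   /* illustrative status, not sshd's value */

/* VULNERABLE shape: syslog() is not async-signal-safe on glibc. If SIGALRM
 * lands while the interrupted code is inside malloc()/free(), the handler
 * re-enters the allocator on half-updated state. exit() is also unsafe here
 * (it runs atexit handlers and flushes stdio). Deliberately never called
 * below: running it can deadlock or crash. */
void grace_alarm_handler_unsafe(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication");
    exit(1);
}

/* SAFE shape: nothing but an async-signal-safe _exit(). */
void grace_alarm_handler_safe(int sig)
{
    (void)sig;
    _exit(EXIT_LOGIN_GRACE_TIMEOUT);
}

/* Child side: arm the grace timer, then churn the heap the way a parser of
 * attacker-controlled packets would, so the alarm lands inside malloc/free. */
static void child_body(void (*handler)(int), unsigned grace_seconds)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = handler;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGALRM, &sa, NULL) != 0)
        _exit(2);
    alarm(grace_seconds);
    for (;;) {
        char *p = malloc((size_t)(rand() % 4096) + 1);
        if (p) {
            p[0] = 0;
            free(p);
        }
    }
}

/* Parent side: fork the pre-auth child and return its exit status. In the
 * fixed design this is where "Timeout before authentication" gets logged,
 * outside any signal handler. Returns -1 on fork/wait failure, -2 if the
 * child died from a signal (e.g. SIGABRT from a corrupted heap). */
int run_with_grace_timer(void (*handler)(int), unsigned grace_seconds)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        child_body(handler, grace_seconds);   /* never returns */
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -2;
}

int grace_timeout_status_safe(void)
{
    return run_with_grace_timer(grace_alarm_handler_safe, 1);
}

int main(void)
{
    int st = grace_timeout_status_safe();
    if (st == EXIT_LOGIN_GRACE_TIMEOUT)
        syslog(LOG_INFO, "Timeout before authentication (child exited %d)", st);
    return st == EXIT_LOGIN_GRACE_TIMEOUT ? 0 : 1;
}
```

The child spends its whole life inside malloc()/free(), so the alarm almost always interrupts allocator code; with the safe handler that is harmless because _exit() touches no heap state, and the parent logs from ordinary, non-signal context. Swapping in grace_alarm_handler_unsafe reproduces the hazard class, which is why it is left uncalled.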

Impact

An unauthenticated remote attacker (CVSS AV:N; no network adjacency or prior access is needed) can execute arbitrary code as root on a vulnerable sshd. Exploitation is timing-sensitive and noisy: many failed connection attempts appear in the logs. It is nevertheless demonstrably reachable within hours from a single source.

The risk is highest on internet-facing bastion hosts and jump servers where sshd is the primary attack surface and where intermediate firewalls do not rate-limit connection establishment.

Mitigation

  1. Patch to OpenSSH 9.8p1 or later. Distribution backports are available for actively-supported lines.
  2. As a configuration mitigation, set LoginGraceTime 0 in sshd_config. This disables the alarm entirely, so the vulnerable handler never runs. The trade-off is a denial-of-service exposure: a pre-auth connection then holds its MaxStartups slot until the client closes it, so a single client can exhaust the unauthenticated-connection slots. Combine with MaxStartups tuning (the default is 10:30:100) and with the edge rate-limits in item 4 to bound pre-auth concurrency.
  3. Restrict sshd exposure via firewall, VPN, or IP allowlist. Public internet exposure of sshd should be considered a configuration choice, not a default.
  4. Tune SSH connection rate-limits at the network edge. The exploit’s timing dependency makes it slow to land; a strict per-source rate-limit significantly raises the cost.
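A small audit helper for steps 1 and 2, as an added example that is not from the advisory or from OpenSSH: it classifies an sshd version banner against the ranges listed in this advisory and reads the effective LoginGraceTime out of sshd_config text. The function names and the sample configuration are illustrative assumptions.

```c
/* Added example; not from the advisory or from OpenSSH. Classifies an sshd
 * version banner against this advisory's ranges and reads LoginGraceTime
 * from sshd_config text. Names and the sample config are illustrative. */
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Parse "SSH-2.0-OpenSSH_9.7p1 Debian-7", "OpenSSH_9.7p1" or "9.7p1".
 * Returns 1 on success, 0 if no OpenSSH-style version is present. */
int parse_openssh_version(const char *s, int *major, int *minor, int *patch)
{
    const char *p = strstr(s, "OpenSSH_");
    p = p ? p + strlen("OpenSSH_") : s;
    *patch = 0;
    return sscanf(p, "%d.%dp%d", major, minor, patch) >= 2;
}

/* 1 if major.minor falls in a range this advisory lists as vulnerable on
 * glibc Linux, else 0. Caveat: distributions backport the fix without
 * bumping the upstream version, so a 1 here means "check the package
 * changelog for CVE-2024-6387", not "exploitable". */
int version_in_vulnerable_range(int major, int minor)
{
    int v = major * 100 + minor;          /* 4.4 -> 404, 8.5 -> 805, 9.7 -> 907 */
    if (v < 404)
        return 1;                         /* pre CVE-2006-5051 fix (unless backported) */
    if (v >= 805 && v <= 907)
        return 1;                         /* 8.5p1 .. 9.7p1 regression window */
    return 0;
}

/* -1 if the string carries no OpenSSH version (e.g. a different server). */
int banner_is_vulnerable(const char *banner)
{
    int ma, mi, pa;
    if (!parse_openssh_version(banner, &ma, &mi, &pa))
        return -1;
    return version_in_vulnerable_range(ma, mi);
}

/* Effective LoginGraceTime from sshd_config text: the first occurrence wins,
 * as in sshd; comments and blank lines are skipped. Only plain integer
 * seconds are handled (sshd also accepts forms such as "2m"). Returns -1
 * when the keyword is absent, i.e. the compiled-in default of 120 s applies. */
int login_grace_time_from_config(const char *config)
{
    char line[512], key[64];
    int val;
    for (const char *p = config; *p; ) {
        size_t len = strcspn(p, "\n");
        size_t n = len < sizeof line ? len : sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += len;
        if (*p == '\n')
            p++;
        const char *q = line;
        while (isspace((unsigned char)*q))
            q++;
        if (*q == '\0' || *q == '#')
            continue;
        if (sscanf(q, "%63s %d", key, &val) == 2 && strcasecmp(key, "LoginGraceTime") == 0)
            return val;
    }
    return -1;
}

/* Constructed sample config with the LoginGraceTime 0 workaround applied;
 * the later duplicate is ignored, as sshd ignores it. */
const char SAMPLE_SSHD_CONFIG[] =
    "# sshd_config excerpt (constructed sample)\n"
    "Port 22\n"
    "   LoginGraceTime 0\n"
    "MaxStartups 10:30:100\n"
    "LoginGraceTime 120\n";

int main(void)
{
    const char *banner = "SSH-2.0-OpenSSH_9.7p1 Debian-7";
    printf("%s -> %s\n", banner,
           banner_is_vulnerable(banner) == 1 ? "version in vulnerable range" : "not in range");
    printf("LoginGraceTime = %d\n", login_grace_time_from_config(SAMPLE_SSHD_CONFIG));
    return 0;
}
```

The banner string is what `ssh -v host` or a TCP connect to port 22 shows, so the version check also works against hosts you do not administer; the config reader is for the hosts you do, where a vulnerable version combined with the default 120 s grace period is the case to fix first.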

Detection

Failed connection rates well above baseline against sshd, particularly during key exchange, are the load-bearing detection. Every attempt that runs the vulnerable path ends with the grace timer expiring, which sshd logs as "Timeout before authentication for <ip> port <port>"; a single source producing hundreds of these, or sustained pre-authentication aborts (disconnects tagged "[preauth]") over hours, warrants investigation.

title: SSHD pre-auth connection storm consistent with CVE-2024-6387
id: 5fd0c1f2-6f5b-4aef-8b6f-04fb7b3a3e9e
status: experimental
description: >-
  Detects bursts of pre-authentication SSH timeouts and disconnects from a
  single source IP, characteristic of regreSSHion exploitation attempts.
  sshd logs grace-timer expiry as "Timeout before authentication for <ip>
  port <port>" and other pre-auth aborts with a "[preauth]" suffix.
references:
  - https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
logsource:
  product: linux
  service: sshd
detection:
  keywords:
    - 'Timeout before authentication for'
    - '[preauth]'
  timeframe: 1h
  # source_ip must be extracted from the message text by the log pipeline.
  # With the default MaxStartups 10:30:100 and LoginGraceTime 120s one client
  # can hold at most 100 pre-auth slots for 120s each, about 3000 expiries
  # per hour, so lower the threshold for quieter hosts.
  condition: keywords | count() by source_ip > 3000
falsepositives:
  - Aggressive SSH brute-force scanners
  - Misconfigured monitoring with rapid reconnect loops
level: medium
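The same detection logic run over constructed sshd syslog lines, as an added example that is not from the advisory: per source address it counts grace-timer expiries ("Timeout before authentication for ...") and pre-auth disconnects (lines ending in "[preauth]") and flags sources above a threshold. The log lines, addresses and threshold are constructed for illustration.

```c
/* Added example; not from the advisory. Per-source counting of sshd
 * pre-auth timeouts and [preauth] disconnects over constructed log lines.
 * Lines, addresses and the threshold are illustrative. */
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES 64

typedef struct {
    char ip[64];
    int timeouts;        /* "Timeout before authentication for" */
    int preauth_closes;  /* "Connection closed by" / "Disconnected from" + [preauth] */
} source_stat;

/* In sshd's messages the client address is the token right before " port ". */
static int extract_ip(const char *line, char *out, size_t outlen)
{
    const char *port = strstr(line, " port ");
    if (!port)
        return 0;
    const char *start = port;
    while (start > line && start[-1] != ' ')
        start--;
    size_t n = (size_t)(port - start);
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, start, n);
    out[n] = '\0';
    return 1;
}

static source_stat *find_or_add(source_stat *tab, int *count, const char *ip)
{
    for (int i = 0; i < *count; i++)
        if (strcmp(tab[i].ip, ip) == 0)
            return &tab[i];
    if (*count >= MAX_SOURCES)
        return NULL;
    source_stat *s = &tab[(*count)++];
    memset(s, 0, sizeof *s);
    strncpy(s->ip, ip, sizeof s->ip - 1);
    return s;
}

/* Classify one line and update the table. Returns 1 if it was a pre-auth event. */
int ingest_line(source_stat *tab, int *count, const char *line)
{
    int is_timeout = strstr(line, "Timeout before authentication for ") != NULL;
    int is_close = strstr(line, "[preauth]") != NULL &&
                   (strstr(line, "Connection closed by ") != NULL ||
                    strstr(line, "Disconnected from ") != NULL);
    char ip[64];
    if ((!is_timeout && !is_close) || !extract_ip(line, ip, sizeof ip))
        return 0;
    source_stat *s = find_or_add(tab, count, ip);
    if (!s)
        return 0;
    if (is_timeout) s->timeouts++; else s->preauth_closes++;
    return 1;
}

/* Constructed sample: one source churning pre-auth connections, one normal client. */
static const char *SAMPLE_LOG[] = {
    "Jul  1 12:00:01 bastion sshd[2301]: Timeout before authentication for 203.0.113.5 port 51234",
    "Jul  1 12:00:01 bastion sshd[2302]: Connection closed by 203.0.113.5 port 51235 [preauth]",
    "Jul  1 12:00:03 bastion sshd[2303]: Timeout before authentication for 203.0.113.5 port 51236",
    "Jul  1 12:00:04 bastion sshd[2304]: Disconnected from authenticating user root 203.0.113.5 port 51237 [preauth]",
    "Jul  1 12:00:05 bastion sshd[2305]: Accepted publickey for ops from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:constructed",
    "Jul  1 12:00:09 bastion sshd[2306]: Connection closed by 198.51.100.7 port 40001 [preauth]",
    "Jul  1 12:00:10 bastion sshd[2307]: Timeout before authentication for 203.0.113.5 port 51238",
};

static char first_offender[64];   /* address of the first source over threshold */

/* Number of sources whose timeouts + pre-auth closes exceed the threshold. */
int flag_sample_sources(int threshold)
{
    source_stat tab[MAX_SOURCES];
    int count = 0, flagged = 0;
    first_offender[0] = '\0';
    for (size_t i = 0; i < sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]; i++)
        ingest_line(tab, &count, SAMPLE_LOG[i]);
    for (int i = 0; i < count; i++)
        if (tab[i].timeouts + tab[i].preauth_closes > threshold) {
            if (!flagged)
                strncpy(first_offender, tab[i].ip, sizeof first_offender - 1);
            flagged++;
        }
    return flagged;
}

const char *first_flagged_source(void) { return first_offender; }

int main(void)
{
    int n = flag_sample_sources(3);   /* 3000/h in the rule; 3 over this 10 s sample */
    printf("%d source(s) over threshold; first: %s\n", n, n ? first_flagged_source() : "-");
    return 0;
}
```

The "Accepted publickey" line is deliberately included: it carries a " port " token but no pre-auth marker, so it must not count against the legitimate client. Keying on the token before " port " rather than on a fixed offset keeps the parser correct across the three message shapes sshd emits for pre-auth aborts.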

Timeline

Date        Event
2006-09     Original signal-handler race fixed in OpenSSH 4.4p1 (CVE-2006-5051).
2021-03-03  OpenSSH 8.5p1 released; regression introduced.
2024-05-01  Qualys TRU privately reports the regression to OpenSSH.
2024-07-01  Coordinated public disclosure; OpenSSH 9.8p1 released the same day.
2024-07-08  Major distribution backports complete.

Acknowledgements

Disclosure and proof-of-concept by the Qualys Threat Research Unit. Patch authored by Damien Miller of the OpenSSH project.

References

  1. https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt — Qualys TRU advisory and exploitation writeup
  2. https://www.openssh.com/txt/release-9.8 — OpenSSH 9.8 release notes
  3. https://nvd.nist.gov/vuln/detail/CVE-2024-6387 — NIST NVD entry
  4. https://nvd.nist.gov/vuln/detail/CVE-2006-5051 — original 2006 race condition this regression mirrors