Signal Handler Race Condition

CVE-2024-6409

Severity High
Score 7/10

Summary

A Signal Handler Race Condition vulnerability was found in OpenSSH's server (sshd) in Red Hat Enterprise Linux 9. If a client does not authenticate within "LoginGraceTime" seconds ("120" by default, "600" in old OpenSSH versions), sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, "syslog()". This leaves the "cleanup_exit()" function vulnerable to a signal handler race condition, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server. As a consequence of a successful attack, in the worst case scenario, the attacker may be able to perform remote code execution (RCE) as the unprivileged user running the "sshd" server. This vulnerability affects openssh-portable package versions 8.7p1 and 8.8p1. Note: This vulnerability affects only the "sshd" server shipped with Red Hat Enterprise Linux 9; upstream versions of "sshd" are not impacted by this flaw.

  • HIGH
  • NETWORK
  • LOW
  • UNCHANGED
  • NONE
  • NONE
  • LOW
  • HIGH

CWE-364 - Signal Handler Race Condition

The software uses a signal handler that introduces a race condition.

Advisory Timeline

  • Published