FreeBSD issues critical update to patch OpenSSH vulnerability
The FreeBSD Project has released a security update to fix a high-severity flaw in OpenSSH, tracked as CVE-2024-7589, which could allow remote attackers to execute code with elevated privileges. The vulnerability, with a CVSS score of 7.4, arises from a signal handler in sshd(8) that calls a non-async-signal-safe logging function when a client fails to authenticate within the LoginGraceTime period.
This issue is related to the recent "regreSSHion" vulnerability (CVE-2024-6387) and stems from the integration of blacklistd into OpenSSH on FreeBSD; the resulting race condition could enable remote code execution as root.
Users are urged to update and restart sshd immediately. If updating isn't possible, setting LoginGraceTime to 0 in sshd_config can prevent exploitation, though it may increase the risk of denial-of-service attacks.
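To verify that the LoginGraceTime workaround is actually in effect on a host, it helps to resolve the value the way sshd(8) does rather than eyeballing the file. The POSIX shell script below is an added example, not part of the FreeBSD advisory or the OpenSSH project: it reads an sshd_config, honours the rules that the first uncommented occurrence of a keyword wins and that keyword matching is case-insensitive, treats an absent keyword as the default of 120 seconds, and stops at the first Match block because directives there are conditional. The file names and sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: resolve the effective global LoginGraceTime from an
# sshd_config file following sshd(8)'s own rules (first occurrence wins,
# keyword is case-insensitive, default 120 when absent, Match blocks are
# conditional and therefore ignored). Include directives are not followed.

effective_login_grace_time() {
    # $1: path to an sshd_config file
    awk '
        tolower($1) == "match" { exit }                 # stop at the first Match block
        /^[ \t]*#/ || NF == 0 { next }                  # skip comments and blank lines
        tolower($1) == "logingracetime" && !found {     # first occurrence wins
            found = 1
            print $2
        }
        END { if (!found) print 120 }                   # sshd default when unset
    ' "$1"
}

# Succeeds (exit 0) only when LoginGraceTime resolves to 0, i.e. the
# workaround named in the advisory is in place; fails (exit 1) otherwise.
login_grace_mitigated() {
    [ "$(effective_login_grace_time "$1")" = "0" ]
}

# Constructed sample configs for demonstration (hypothetical paths).
tmpdir=$(mktemp -d)
cat > "$tmpdir/unpatched.conf" <<'EOF'
# Stock-style config: LoginGraceTime left commented out, so the default applies
#LoginGraceTime 2m
PermitRootLogin no
EOF
cat > "$tmpdir/mitigated.conf" <<'EOF'
logingracetime 0
LoginGraceTime 120
Match User backup
    LoginGraceTime 30
EOF

for f in unpatched mitigated; do
    if login_grace_mitigated "$tmpdir/$f.conf"; then
        echo "$f.conf: LoginGraceTime=0, workaround applied"
    else
        echo "$f.conf: LoginGraceTime=$(effective_login_grace_time "$tmpdir/$f.conf"), not mitigated"
    fi
done
```

On a live FreeBSD host, `sshd -T` (run as root) prints the fully resolved configuration, Include files and all, so comparing its `logingracetime` line against this script's result is a quick way to confirm the running daemon was actually restarted with the new setting.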
