Synology Security Advisory-24:08 regreSSHion
This is a press release edited by StorageNewsletter.com on July 19, 2024 at 2:01 pm. Synology, Inc. has published a security advisory concerning OpenSSH.
Publish Time: 2024-07-02 14:25:22 UTC+8
Last Updated: 2024-07-02 14:25:22 UTC+8
Severity: Not affected
Status: Resolved
Abstract
None of Synology’s products are affected by CVE-2024-6387, as this vulnerability only affects OpenSSH versions before 4.4p1 and after 8.5p1.
Affected products
| Product | Severity | Fixed release availability |
|---|---|---|
| DSM 7.2 | Not affected | N/A |
| DSM 7.1 | Not affected | N/A |
| DSM 6.2 | Not affected | N/A |
| DSMUC 3.1 | Not affected | N/A |
| SRM 1.3 | Not affected | N/A |
| BC500 | Not affected | N/A |
| TC500 | Not affected | N/A |
| VS600HD | Not affected | N/A |
Mitigation: None
Detail
- CVE-2024-6387
- Severity: Not affected
- CVSS3 Base Score: 0.0
- CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N
- A signal handler race condition was found in OpenSSH’s server (sshd): if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), sshd’s SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example syslog().
Reference: CVE-2024-6387
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2024-07-02 | Initial public release. |