Synology-SA-24:08 regreSSHion
Publish Time: 2024-07-02 14:25:22 UTC+8
Last Updated: 2024-07-02 14:25:22 UTC+8
- Severity: Not affected
- Status: Resolved
Abstract
None of Synology's products are affected by CVE-2024-6387, as this vulnerability only affects OpenSSH versions earlier than 4.4p1 and versions from 8.5p1 onward (fixed in OpenSSH 9.8p1); the OpenSSH versions shipped in the products listed below fall outside those ranges.
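As an added example (not part of Synology's advisory), the following Python script classifies sshd version banners against the version ranges stated above, so a fleet can be triaged from its SSH identification strings. The sample banners are constructed, and the `fetch_banner` helper is an assumption about how one would collect real banners; it is not exercised in the offline run.

```python
import re
import socket
from typing import Optional, Tuple

# Version boundaries for CVE-2024-6387 (regreSSHion): OpenSSH releases earlier
# than 4.4p1, and releases from 8.5p1 up to (not including) 9.8p1, where it was
# fixed. Only (major, minor) is compared because every boundary is a .p1 release.
OLD_FIXED_AT = (4, 4)
REGRESSED_AT = (8, 5)
FIXED_AT = (9, 8)

Version = Tuple[int, int, Optional[int]]

# Matches "OpenSSH_9.7p1", "OpenSSH_9.8" (OpenBSD-native, no portable suffix) and
# the same inside a full identification string such as
# "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11".
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(?:p(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Version]:
    """Return (major, minor, portable_release_or_None) from a banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable) if portable else None)


def classify(banner: str) -> Tuple[str, Optional[Version]]:
    """Classify a banner as 'affected', 'not affected' or 'unknown' by version.

    'affected' means the upstream version string lies in a vulnerable range. A
    vendor may have backported the 9.8p1 fix without changing the version, so
    confirm against the vendor advisory or package changelog before concluding.
    """
    v = parse_openssh_version(banner)
    if v is None:
        return ("unknown", None)        # not OpenSSH, or an unrecognised banner
    mm = (v[0], v[1])
    if mm < OLD_FIXED_AT:
        return ("affected", v)          # pre-4.4p1: the original signal-handler bug
    if REGRESSED_AT <= mm < FIXED_AT:
        return ("affected", v)          # the regression, present from 8.5p1 to 9.7p1
    return ("not affected", v)


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification line sshd sends on connect (needs network access).

    Assumed helper for collecting real banners; not used by the sample run below.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(255)
    return data.decode("ascii", errors="replace").strip()


# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11",   # before the regression
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",     # in range; vendor may have patched
    "SSH-2.0-OpenSSH_9.8",                        # fixed release (OpenBSD-native string)
    "SSH-2.0-OpenSSH_4.3p2 Debian-9",             # pre-4.4p1
    "SSH-2.0-dropbear_2022.83",                   # not OpenSSH at all
]


def report(banners=SAMPLE_BANNERS):
    """Return {banner: status} for a list of banners."""
    return {b: classify(b)[0] for b in banners}


if __name__ == "__main__":
    for banner, status in report().items():
        print(f"{status:13} {banner}")
```

The check deliberately treats an in-range version string as "affected" rather than trying to guess at backports: a banner such as `OpenSSH_9.6p1 Ubuntu-3ubuntu13` can belong to a patched package, so the version test is a triage filter to be confirmed against the vendor's own statement (for Synology products, the table below).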
Affected Products
Product | Severity | Fixed Release Availability |
---|---|---|
DSM 7.2 | Not affected | N/A |
DSM 7.1 | Not affected | N/A |
DSM 6.2 | Not affected | N/A |
DSMUC 3.1 | Not affected | N/A |
SRM 1.3 | Not affected | N/A |
BC500 | Not affected | N/A |
TC500 | Not affected | N/A |
VS600HD | Not affected | N/A |
Mitigation
None
Detail
- CVE-2024-6387
- Severity: Not affected
- CVSS3 Base Score: 0.0
- CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N
- A signal handler race condition was found in OpenSSH's server (sshd): if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example syslog(). Because the handler can interrupt non-reentrant code (such as heap allocation) in the main sshd context, this race can be exploited for unauthenticated remote code execution as root on affected builds.
Reference
Revision
Revision | Date | Description |
---|---|---|
1 | 2024-07-02 | Initial public release. |