Critical Race Condition in OpenSSH (CVE-2024-6409): Patch Urgently on AlmaLinux 9 and CentOS 9 Systems

A serious race condition vulnerability has been discovered in how OpenSSH’s server (sshd) handles signals, which affects systems running AlmaLinux 9 and CentOS 9. If a remote user initiates a connection but fails to authenticate within the configured timeout (LoginGraceTime), the SIGALRM signal is delivered asynchronously. Critically, the signal handler calls functions such as syslog(), which are not async-signal-safe and must not be used in that context. As a result, a successful exploit could allow remote code execution (RCE) by an unprivileged attacker — a significant threat to server security.
This issue affects hosts running OpenSSH version 8.7p1-43.el9, including those using CentOS Linux 9. The vulnerability, identified as CVE-2024-6409, is referenced in the OpenSSH build changelog. It’s important to note that security scanners like Nessus may not directly verify the flaw but instead report based on detected software versions.
What’s at Risk
OpenSSH is one of the most commonly used services on Linux servers for secure remote administration. A vulnerability in its core daemon (sshd) puts all remote access and automation systems at risk.
An example of an affected system shows the vulnerable package version installed:
[root@lshost4 ~]# rpm -qa | grep openssh-server
openssh-server-8.7p1-43.el9.alma.2.x86_64
Recommended Action
If you are running AlmaLinux 9, CentOS 9, or any derivative using OpenSSH version 8.7p1-43.el9, you should upgrade immediately to a secure version — openssh-8.7p1-45.el9 or newer.
Update Procedure
To check your installed OpenSSH version:
rpm -qa | grep openssh-server
To apply the update:
sudo dnf update openssh
After updating, restart the SSH service:
sudo systemctl restart sshd
Finally, confirm the new version:
rpm -qa | grep openssh-server
Additional Mitigation Tip: Review LoginGraceTime Setting
As a supplementary step, you can manually review your SSH configuration by running:
nano /etc/ssh/sshd_config
Inside the file, look for the line:
#LoginGraceTime 0
This directive controls how long the SSH daemon waits for a user to authenticate. Adjusting this setting can help reduce the attack surface by minimizing the allowed connection window for unauthenticated clients. Note that a leading # marks the line as a comment, so the compiled-in default stays in effect until you remove the # and set a value; per sshd_config(5), a value of 0 disables the timeout entirely. After any change, validate the file with sshd -t before restarting sshd, and check the effective value with sshd -T.
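A small local audit script that combines the version check from the update procedure with the LoginGraceTime review above. This is an added example, not part of the original advisory or the OpenSSH project; it assumes an EL9 host with rpm and sshd available, and takes the fixed build (8.7p1-45.el9) from the advisory text.

```shell
#!/bin/sh
# Added example (not from the advisory): local audit for CVE-2024-6409 on EL9.
# Assumes rpm and sshd are present; the fixed build 8.7p1-45.el9 is taken from the advisory.

FIXED_VERSION="8.7p1"
FIXED_RELEASE=45

# needs_patch VERSION RELEASE
# Returns 0 if the build is in the affected range, 1 if it is fixed,
# 2 if the package is not the 8.7p1 EL9 line this advisory covers or is unparseable.
needs_patch() {
    ver="$1"
    rel_num="${2%%.*}"                 # "43.el9.alma.2" -> "43"
    [ "$ver" = "$FIXED_VERSION" ] || return 2
    case "$rel_num" in
        ''|*[!0-9]*) return 2 ;;       # refuse to guess on odd release strings
    esac
    [ "$rel_num" -lt "$FIXED_RELEASE" ]
}

# grace_time_status SECONDS
# Classifies the effective LoginGraceTime value as printed by "sshd -T".
# 0 means sshd applies no timeout (the alarm never fires, but unauthenticated
# sessions are only bounded by MaxStartups).
grace_time_status() {
    case "$1" in
        0)           echo "disabled" ;;
        *[!0-9]*|'') echo "unknown" ;;
        *)           echo "${1}s" ;;
    esac
}

audit_host() {
    # rpm prints "VERSION RELEASE" for the installed package.
    set -- $(rpm -q --qf '%{VERSION} %{RELEASE}\n' openssh-server 2>/dev/null)
    [ $# -eq 2 ] || { echo "openssh-server not installed"; return 0; }
    rc=0; needs_patch "$1" "$2" || rc=$?
    case $rc in
        0) echo "openssh-server-$1-$2: AFFECTED, update to ${FIXED_VERSION}-${FIXED_RELEASE}.el9 or newer" ;;
        1) echo "openssh-server-$1-$2: fixed build" ;;
        *) echo "openssh-server-$1-$2: outside the 8.7p1 EL9 line this check covers" ;;
    esac
    # sshd -T prints the resolved configuration, including commented-out defaults.
    grace=$(sshd -T 2>/dev/null | awk '$1 == "logingracetime" { print $2 }')
    echo "LoginGraceTime: $(grace_time_status "$grace")"
}

audit_host
```

Run it as root so that sshd -T can read the configuration; the functions can also be sourced and called individually.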
Servers Monitored by AvaHost
If your servers are under AvaHost monitoring, we have already identified affected systems. For example, the server lshost4.alexhost.com is running the vulnerable version and must be updated.
Conclusion
This vulnerability represents a real and present danger to unpatched systems. We strongly advise all administrators to verify and update their OpenSSH installation without delay. The risk of remote code execution cannot be overstated, especially on publicly accessible infrastructure.
For detailed technical information, refer to the official CVE entry:
🔗 CVE-2024-6409 – NIST
🔗 Nessus Report
Stay safe — keep your systems patched and monitored.