A serious race condition vulnerability has been discovered in how OpenSSH’s server (sshd) handles signals, which affects systems running AlmaLinux 9 and CentOS 9. If a remote user initiates a connection but fails to authenticate within a certain timeout, the SIGALRM signal is delivered asynchronously. Critically, the signal handler calls functions such as syslog(), which are not async-signal-safe. As a result, a successful exploit could allow remote code execution (RCE) by an unprivileged attacker, a significant threat to server security.

This issue affects hosts running OpenSSH version 8.7p1-43.el9, including those using CentOS Linux 9. The vulnerability, identified as CVE-2024-6409, is referenced in the OpenSSH build changelog. It’s important to note that security scanners like Nessus may not directly verify the flaw but instead report based on detected software versions.

What’s at Risk

OpenSSH is one of the most commonly used services on Linux servers for secure remote administration. A vulnerability in its core daemon (sshd) puts all remote access and automation systems at risk.

An example of an affected system shows the vulnerable package version installed:

[root@lshost4 ~]# rpm -qa | grep openssh-server
openssh-server-8.7p1-43.el9.alma.2.x86_64

Recommended Action

If you are running AlmaLinux 9, CentOS 9, or any derivative using OpenSSH version 8.7p1-43.el9, you should upgrade immediately to a secure version — openssh-8.7p1-45.el9 or newer.

Update Procedure

To check your installed OpenSSH version:

rpm -qa | grep openssh-server

To apply the update:

sudo dnf update openssh

After updating, restart the SSH service:

sudo systemctl restart sshd

Finally, confirm the new version:

rpm -qa | grep openssh-server
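As an added check, not part of the original advisory: a POSIX shell script that applies the version threshold above (8.7p1 below release 45 vulnerable, 8.7p1-45.el9 or newer fixed) to an openssh-server package string, so the same test can be run across a fleet instead of reading rpm -qa output by eye. The release-number rule is an assumption taken literally from this advisory; z-stream builds (release tags containing an underscore, such as el9_4) are reported as undetermined because a distribution may backport the fix under a lower release number, and those must be checked against the errata.

```shell
#!/bin/sh
# Added example (not from the original advisory): classify an openssh-server RPM
# against the threshold the advisory gives (8.7p1 below release 45 is vulnerable,
# 8.7p1-45.el9 or newer is fixed). Assumes EL9-style package naming.

# Split a NEVRA such as openssh-server-8.7p1-43.el9.alma.2.x86_64 into
# "version releasenumber releasetag", e.g. "8.7p1 43 el9.alma.2".
parse_openssh_rpm() {
    vr=${1#openssh-server-}
    case "${vr##*.}" in                 # drop the arch suffix only if one is present
        x86_64|aarch64|ppc64le|s390x|i686|noarch) vr=${vr%.*} ;;
    esac
    ver=${vr%%-*}                       # 8.7p1
    rel=${vr#*-}                        # 43.el9.alma.2
    printf '%s %s %s\n' "$ver" "${rel%%.*}" "${rel#*.}"
}

# Exit status: 0 = vulnerable per the advisory, 1 = at or above the fixed build,
# 2 = cannot decide from the version string alone (check the distribution errata).
openssh_is_vulnerable() {
    set -- $(parse_openssh_rpm "$1")
    ver=$1 relnum=$2 reltag=$3
    case "$relnum" in ''|*[!0-9]*) return 2 ;; esac   # unparseable release number
    [ "$ver" = "8.7p1" ] || return 2                  # other upstream streams not covered here
    case "$reltag" in *_*) return 2 ;; esac           # z-stream build (e.g. el9_4): the fix may
                                                      # be backported under a lower release number
    [ "$relnum" -lt 45 ]
}

# Live check of this host; skipped where rpm is absent (non-RPM systems).
if command -v rpm >/dev/null 2>&1 &&
   pkg=$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' openssh-server 2>/dev/null); then
    if openssh_is_vulnerable "$pkg"; then
        echo "VULNERABLE: $pkg (update to openssh-8.7p1-45.el9 or newer)"
    elif [ $? -eq 1 ]; then
        echo "OK: $pkg"
    else
        echo "UNDETERMINED: $pkg (check the distribution errata)"
    fi
fi
```

The package strings in the test are constructed; on a real host the live check at the bottom feeds rpm's own output into the same function.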

Additional Mitigation Tip: Review LoginGraceTime Setting

As a supplementary step, you can manually review your SSH configuration by running:

nano /etc/ssh/sshd_config

Inside the file, look for the line:

#LoginGraceTime 0

This directive controls how long the SSH daemon waits for a user to authenticate. Adjusting this setting can help reduce the attack surface by minimizing the allowed connection window for unauthenticated clients. Note that the race described above is only reached when this timer expires and SIGALRM fires: setting LoginGraceTime to 0 disables the timer entirely (the mitigation given in the OpenSSH release notes for this class of bug), but it leaves sshd exposed to exhaustion of its connection slots by clients that never authenticate, so pair it with a MaxStartups limit and treat it as a stopgap until the package is updated.

Servers Monitored by AvaHost

If your servers are under AvaHost monitoring, we have already identified affected systems. For example, the server lshost4.alexhost.com is running the vulnerable version and must be updated.

Conclusion

This vulnerability represents a real and present danger to unpatched systems. We strongly advise all administrators to verify and update their OpenSSH installation without delay. The risk of remote code execution cannot be overstated, especially on publicly accessible infrastructure.

For detailed technical information, refer to the official CVE entry:
CVE-2024-6409 (NIST)
Nessus Report

Stay safe — keep your systems patched and monitored.