[Bug 2071815] Re: Investigate ASLR re-randomization being disabled for children

Nick Rosbrook 2071815 at bugs.launchpad.net
Fri Apr 18 19:28:17 UTC 2025


I have confirmed the fix using openssh 1:9.6p1-3ubuntu13.10 from noble-proposed.

First, I reproduced the bug using the current version:

nr at six:~$ lxc launch ubuntu:noble noble
Launching noble
nr at six:~$ lxc exec noble bash                      
root at noble:~# cat > /etc/apt/sources.list.d/proposed.sources << EOF
Types: deb
URIs: http://us.archive.ubuntu.com/ubuntu/
Suites: noble-proposed
Components: main universe
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
     
> EOF
root at noble:~# apt update
Fetched 34.6 MB in 5s (6552 kB/s)                                 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
27 packages can be upgraded. Run 'apt list --upgradable' to see them.
root at noble:~# echo "LogLevel DEBUG" >> /etc/ssh/sshd_config.d/log-level.conf
root at noble:~# su - ubuntu
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

ubuntu at noble:~$ ssh-import-id enr0n
2025-04-18 19:18:00,520 INFO Authorized key ['3072', 'SHA256:VMGz6tsZ02V9ratWlExePp9LaOe2qIr7SiWLHP2aGrM', 'nr at six', '(RSA)']
2025-04-18 19:18:00,521 INFO [1] SSH keys [Authorized]
ubuntu at noble:~$ 
logout

From another terminal, I connected to the container with:

$ ssh ubuntu at 10.19.111.127

Back in the container:

root at noble:~# systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/usr/lib/systemd/system/ssh.service; disabled; preset: enabled)
     Active: active (running) since Fri 2025-04-18 19:18:38 UTC; 29s ago
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 1054 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 1055 (sshd)
      Tasks: 1 (limit: 18290)
     Memory: 2.1M (peak: 3.1M)
        CPU: 92ms
     CGroup: /system.slice/ssh.service
             └─1055 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Apr 18 19:18:47 noble sshd[1059]: debug1: do_pam_account: called
Apr 18 19:18:47 noble sshd[1059]: Accepted publickey for ubuntu from 10.19.111.1 port 38958 ssh2: RSA SHA256:VMGz6tsZ0>
Apr 18 19:18:47 noble sshd[1059]: debug1: monitor_child_preauth: user ubuntu authenticated by privileged process
Apr 18 19:18:47 noble sshd[1059]: debug1: auth_activate_options: setting new authentication options [preauth]
Apr 18 19:18:47 noble sshd[1059]: debug1: monitor_read_log: child log fd closed
Apr 18 19:18:47 noble sshd[1059]: debug1: PAM: establishing credentials
Apr 18 19:18:47 noble sshd[1059]: pam_unix(sshd:session): session opened for user ubuntu(uid=1000) by ubuntu(uid=0)
Apr 18 19:18:48 noble sshd[1059]: User child is on pid 1127
Apr 18 19:18:48 noble sshd[1059]: debug1: session_new: session 0
Apr 18 19:18:48 noble sshd[1059]: debug1: SELinux support disabled
root at noble:~# journalctl -t sshd -b --grep "rexec start"
-- No entries --


Then, I installed openssh-server from noble-proposed and tried again:


root at noble:~# apt install -t noble-proposed openssh-server -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  openssh-client openssh-sftp-server
Suggested packages:
  keychain libpam-ssh monkeysphere ssh-askpass molly-guard
The following packages will be upgraded:
  openssh-client openssh-server openssh-sftp-server
3 upgraded, 0 newly installed, 0 to remove and 50 not upgraded.
Need to get 1452 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-sftp-server amd64 1:9.6p1-3ubuntu13.10 [37.3 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-server amd64 1:9.6p1-3ubuntu13.10 [509 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-client amd64 1:9.6p1-3ubuntu13.10 [905 kB]
Fetched 1452 kB in 0s (6155 kB/s)       
Preconfiguring packages ...
(Reading database ... 37222 files and directories currently installed.)
Preparing to unpack .../openssh-sftp-server_1%3a9.6p1-3ubuntu13.10_amd64.deb ...
Unpacking openssh-sftp-server (1:9.6p1-3ubuntu13.10) over (1:9.6p1-3ubuntu13.9) ...
Preparing to unpack .../openssh-server_1%3a9.6p1-3ubuntu13.10_amd64.deb ...
Unpacking openssh-server (1:9.6p1-3ubuntu13.10) over (1:9.6p1-3ubuntu13.9) ...
Preparing to unpack .../openssh-client_1%3a9.6p1-3ubuntu13.10_amd64.deb ...
Unpacking openssh-client (1:9.6p1-3ubuntu13.10) over (1:9.6p1-3ubuntu13.9) ...
Setting up openssh-client (1:9.6p1-3ubuntu13.10) ...
Setting up openssh-sftp-server (1:9.6p1-3ubuntu13.10) ...
Setting up openssh-server (1:9.6p1-3ubuntu13.10) ...
Processing triggers for man-db (2.12.0-4build2) ...
Processing triggers for ufw (0.36.2-6) ...
Scanning processes...                                                                                                  
Scanning candidates...                                                                                                 

No services need to be restarted.

No containers need to be restarted.

User sessions running outdated binaries:
 ubuntu @ session #525: sshd[1059]

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root at noble:~# systemctl stop ssh.service
Stopping 'ssh.service', but its triggering units are still active:
ssh.socket

From another terminal:

$ ssh ubuntu at 10.19.111.127


And back in the container:

root at noble:~# journalctl -t sshd -b --grep "rexec start"
Apr 18 19:20:10 noble sshd[1577]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7


** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2071815

Title:
  Investigate ASLR re-randomization being disabled for children

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Noble:
  Fix Committed

Bug description:
  [Impact]

  The systemd-socket-activation.patch patch has an Ubuntu delta to fix
  bug 2011458, but this results in ASLR not being re-randomized for
  children because the patch delta does "rexec_flag = 0;".

  This was discovered as part of the CVE-2024-6387 discovery by Qualys,
  and is mentioned in the disclosure itself:

  Side note: we discovered that Ubuntu 24.04 does not re-randomize the
  ASLR of its sshd children (it is randomized only once, at boot time); we
  tracked this down to the patch below, which turns off sshd's rexec_flag.
  This is generally a bad idea, but in the particular case of this signal
  handler race condition, it prevents sshd from being exploitable: the
  syslog() inside the SIGALRM handler does not call any of the malloc
  functions, because it is never the very first call to syslog().

  This is also mentioned in the release notes of OpenSSH 9.8:

  Exploitation on non-glibc systems is conceivable but has not been
  examined. Systems that lack ASLR or users of downstream Linux
  distributions that have modified OpenSSH to disable per-connection
  ASLR re-randomisation (yes - this is a thing, no - we don't
  understand why) may potentially have an easier path to exploitation.

  We should investigate why that was needed, and if an alternative way
  of fixing the original bug can be done.

  [Test Plan]

  We just want to test that when a connection is accepted by sshd, the
  child process re-execs. There is a log message at the debug level from
  sshd when this happens.

  1. Enable debug-level logging in sshd:

  $ echo "LogLevel DEBUG" >> /etc/ssh/sshd_config.d/log-level.conf

  2. Watch the logs:

  $ journalctl -t sshd -b -f

  3. From another host, connect to the test machine:

  $ ssh <user>@<test host>

  4. On the test machine, among other messages, there should be a
  message noting the start of the re-exec, e.g.:

  sshd[2212]: debug1: rexec start in 6 out 6 newsock 6 pipe 8 sock 9

  [Where problems could occur]

  Through the iterations of d/p/systemd-socket-activation.patch, there
  have been issues related to the re-exec behavior, and how the listen
  fds passed by systemd are handled. See [1][2] for examples. This patch
  hopes to finally resolve these issues.

  However, as was the case with previous bugs in this area, problems
  would most likely be related to incorrectly closing, or not closing,
  socket fds in sshd.

  [1] https://bugs.launchpad.net/bugs/2020474
  [2] https://bugs.launchpad.net/bugs/2011458
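As a complement to the log-based test plan above, the following script (added here as an example; it is not from the bug report or the openssh package) checks the property directly: it compares the base addresses of the sshd binary, libc, heap and stack in /proc/<pid>/maps across sshd user children (the pids sshd logs as "User child is on pid N"). Forked children that never re-exec share the listener's layout, so their bases are identical; re-exec'd children differ. The region names in REGIONS and the live_children_maps helper are assumptions, and the maps texts are constructed samples.

```python
"""Check whether sshd children got fresh ASLR layouts (added example, see lead-in)."""
import re
from pathlib import Path

# Mapping names (assumed substrings of /proc/<pid>/maps paths) expected to move per child.
REGIONS = ("sshd", "libc.so", "[heap]", "[stack]")
_MAPS_RE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+ \S+ \S+ \S+ \S+\s*(.*)$")


def region_bases(maps_text):
    """Return {region: lowest start address} found in one /proc/<pid>/maps text."""
    bases = {}
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue
        start, path = int(m.group(1), 16), m.group(2)
        for region in REGIONS:
            if region in path and start < bases.get(region, start + 1):
                bases[region] = start
    return bases


def shared_regions(children):
    """Regions whose base is identical in every child of {pid: maps_text}; non-empty = not re-randomised."""
    per_child = [region_bases(text) for text in children.values()]
    if len(per_child) < 2:
        return set()
    return {r for r in REGIONS if all(r in b for b in per_child)
            and len({b[r] for b in per_child}) == 1}


def live_children_maps(pids):
    """Read /proc/<pid>/maps for the pids sshd logs as 'User child is on pid N' (needs root)."""
    return {pid: Path(f"/proc/{pid}/maps").read_text() for pid in pids}


def fake_maps(sshd, heap, libc, stack):
    """Constructed sample maps text with the given bases (not real process data)."""
    return (f"{sshd:012x}-{sshd + 0x2a000:012x} r--p 00000000 fd:01 1234 /usr/sbin/sshd\n"
            f"{sshd + 0x2a000:012x}-{sshd + 0x110000:012x} r-xp 0002a000 fd:01 1234 /usr/sbin/sshd\n"
            f"{heap:012x}-{heap + 0x40000:012x} rw-p 00000000 00:00 0 [heap]\n"
            f"{libc:012x}-{libc + 0x28000:012x} r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
            f"{stack:012x}-{stack + 0x21000:012x} rw-p 00000000 00:00 0 [stack]\n")


# Two forked children share one layout; a re-exec'd child gets a different one.
FORKED_CHILD = fake_maps(0x5568a1c00000, 0x5568a2f00000, 0x7f3c1a200000, 0x7ffd2b400000)
REEXEC_CHILD = fake_maps(0x55d0f4000000, 0x55d0f5a00000, 0x7f9e40600000, 0x7ffe6c100000)
```

On a live host, collect maps for two or more concurrent user children with live_children_maps and pass the result to shared_regions; any region it returns was not re-randomised.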

