Archives: July 9, 2024

Syncplify Server! is also *NOT* vulnerable to CVE-2024-6409

Following up to our previous post in which we informed our user-base that Syncplify Server! is not affected by CVE-2028-6387, today we have the pleasure to share with you that Syncplify Server! is also completely unaffected by the newly discovered CVE-2024-6409.

CVE-2024-6409 is a signal handler race condition vulnerability in the OpenSSH server (sshd) that occurs when a client fails to authenticate within the LoginGraceTime, potentially leading to information disclosure, denial of service, or unauthorized access.

Syncplify Server!, by virtue of not being based on OpenSSH, does not have such vulnerability.

Syncplify Server! is *NOT* vulnerable to CVE-2024-6387

OpenSSH, a widely used secure shell-protocol handling software, has recently disclosed a critical vulnerability (CVE-2024-6387) affecting its server component. This flaw could potentially allow unauthenticated remote code execution with root privileges on glibc-based Linux systems. The vulnerability, present in OpenSSH versions 8.5p1 through 9.7p1, is a signal handler race condition that affects the default configuration of sshd.

Qualys researchers have identified over 14 million potentially vulnerable OpenSSH server instances exposed to the internet[1]. While exploitation requires continuous connections for 6-8 hours under lab conditions, the potential impact is severe, allowing full system compromise and takeover.

It’s important to note that Syncplify Server! is not affected by this vulnerability. Unlike many other SSH servers, Syncplify Server! is not based on OpenSSH in any way. This independent implementation ensures that Syncplify Server! users are protected from vulnerabilities specific to OpenSSH, including CVE-2024-6387.

For those using OpenSSH, it’s crucial to apply the latest patches promptly. Additionally, limiting SSH access through network-based controls and enforcing network segmentation can help mitigate potential risks.