Statseeker version 25.2 and OpenSSH
Many security scanners will still flag the version of OpenSSH in Statseeker version 25.2 as vulnerable, but they are only looking at the OpenSSH version number. The vulnerability applies to 32-bit Linux, not to 64-bit FreeBSD, a UNIX variant. Linux uses the glibc libraries, which allow the race condition that causes the issue, but FreeBSD has its own C libraries. We’ve been on 64-bit versions for quite a while and are safe.
From the OpenSSH change log
1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387).
A critical vulnerability in sshd(8) was present in Portable
OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may
allow arbitrary code execution with root privileges.
Successful exploitation has been demonstrated on 32-bit
Linux/glibc systems with ASLR. Under lab conditions, the attack
requires on average 6-8 hours of continuous connections up to
the maximum the server will accept. Exploitation on 64-bit
systems is believed to be possible but has not been
demonstrated at this time.
Exploitation on non-glibc systems is conceivable but has not
been examined. Systems that lack ASLR or users of downstream
Linux distributions that have modified OpenSSH to disable
per-connection ASLR re-randomisation (yes - this is a thing, no
- we don't understand why) may potentially have an easier path
to exploitation. OpenBSD is not vulnerable.
Vulnerability Summary
CVE ID: CVE-2024-6387
Type: Remote Code Execution (RCE)
Severity: High
Access Vector: Remote (over network)
Authentication: Not required
Affected Component: sshd
Affected Systems: Linux systems using glibc
Exploitation Difficulty: High (but feasible under certain conditions)
Root Cause
The bug lies in how sshd handles timeout signals. A race condition introduced in OpenSSH 8.5p1 allows attackers to exploit signal handling to achieve unauthenticated RCE as root.
This flaw is particularly dangerous on systems where timing can be reliably manipulated—mainly 32-bit Linux environments.
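The following added example (not Statseeker's or OpenSSH's code) contrasts the version-only match a scanner performs with a triage that also applies the platform conditions from the quoted change log. Host names, banners and the libc labels are constructed sample data, and the verdict strings paraphrase the change log wording.

```python
import re

# Affected range quoted in the change log: Portable OpenSSH 8.5p1 to 9.7p1 inclusive.
AFFECTED_MIN, AFFECTED_MAX = (8, 5), (9, 7)
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")

def parse_version(banner):
    """Return (major, minor) from an SSH banner or `ssh -V` string, else None."""
    m = VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def version_only(banner):
    """What a banner-matching scanner sees: is the version in the affected range?"""
    v = parse_version(banner)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX

def triage(banner, kernel, libc, bits):
    """Classify one finding using the platform wording of the change log."""
    if parse_version(banner) is None:
        return "unknown: no OpenSSH version in banner"
    if not version_only(banner):
        return "outside affected version range"
    # From here on a version-only scanner has already raised the finding.
    if kernel == "OpenBSD":
        return "not vulnerable"
    if kernel == "Linux" and libc == "glibc":
        if bits == 32:
            return "exploitation demonstrated"
        return "believed possible, not demonstrated"
    return "non-glibc: conceivable, not examined"

# Constructed inventory rows: (host, banner, kernel, libc, word size in bits).
SAMPLE_HOSTS = [
    ("appliance-a", "SSH-2.0-OpenSSH_9.6 FreeBSD-20240104", "FreeBSD", "bsd-libc", 64),
    ("legacy-x86", "SSH-2.0-OpenSSH_9.2p1 Debian-2", "Linux", "glibc", 32),
    ("build-01", "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3", "Linux", "glibc", 64),
    ("edge-fw", "SSH-2.0-OpenSSH_9.7", "OpenBSD", "bsd-libc", 64),
    ("patched-01", "SSH-2.0-OpenSSH_9.8p1", "Linux", "glibc", 64),
]

def report(hosts=SAMPLE_HOSTS):
    """Map each host to (scanner_flags_it, triage_verdict)."""
    return {h: (version_only(b), triage(b, k, l, w)) for h, b, k, l, w in hosts}

if __name__ == "__main__":
    for host, (flagged, verdict) in report().items():
        print(f"{host:12} flagged={flagged!s:5} {verdict}")
```

A banner only carries the upstream version, so a distribution package with a backported fix still lands in the affected range here and needs a package-level check.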