Affected versions: NetBSD 9.4

~4 min read • Source: NetBSD advisory NetBSD-SA-2024-002

Related CVEs (NetBSD-SA-2024-002 itself assigns only CVE-2024-6387; the others are earlier OpenSSH issues listed for cross-reference): CVE-2024-6387 CVE-2002-0639 CVE-2006-0225 CVE-2013-4548 CVE-2021-41617 CVE-2023-38408 CVE-2011-0539 CVE-2008-5161  +12 more

Upstream summary: The sshd(8) login grace time expiry message is issued from signal handler context where it is not safe and may cause heap corruption, potentially leading to remote code execution. This vulnerability has been assigned CVE-2024-6387. See https://www.qualys.com/regresshion-cve-2024-6387/ for more information.

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

NetBSD-SA-2024-002 covers sshd(8) in the NetBSD base system (/usr/sbin/sshd), so a NetBSD 9.4 host is affected if its sshd was built before the fix, whether or not pkg_admin audit reports anything: the audit feed only knows pkgsrc packages, and it flags a pkgsrc security/openssh older than 9.8p1 for the same CVE. There is no benign symptom. When a client connects and does not authenticate within LoginGraceTime (120 s by default), sshd's alarm handler logs the expiry from signal context using functions that are not async-signal-safe; if the signal interrupts a heap operation in the privileged pre-authentication process, the heap is left inconsistent, and a client that times its traffic against the expiry can steer the corruption. Qualys won that race only after thousands of connections on 32-bit glibc Linux and published no exploit for other platforms, but the process being corrupted runs as root, so treat the exposure as unauthenticated remote code execution. Where sshd is the only management path there is also an availability angle: an interrupted upgrade, or a restart with a bad config or binary, leaves the host unreachable.

Environment & Reproduction

Reproduction targets NetBSD 9.4. Confirm release, kernel build, which sshd binary is in service, and the installed package state:

uname -a
cat /etc/release
sysctl kern.version
sysctl kern.osrelease
# Which sshd is listening: base (/usr/sbin/sshd) or pkgsrc (/usr/pkg/sbin/sshd)?
ps -axo pid,command | grep '[s]shd'
ssh -V                                     # base OpenSSH version (same build as the base sshd)
pkg_info -e openssh && pkg_info openssh | head -20
pkgin list | wc -l

Exercise the affected code path while collecting logs: open a TCP connection to port 22, send nothing, and wait for LoginGraceTime (120 s by default) to expire. The `Timeout before authentication` line sshd writes at that moment is the message the advisory is about:

tail -200 /var/log/messages
tail -200 /var/log/authlog
dmesg | tail -200
# pkgsrc transaction log (location varies; check both):
tail -200 /var/db/pkgin/pkg_install-err.log 2>/dev/null
tail -200 /var/log/pkgsrc.log 2>/dev/null

Root Cause Analysis

Root cause, from the advisory and the Qualys write-up it links: when a client connects but does not authenticate within LoginGraceTime, sshd's SIGALRM handler runs in signal context and logs the timeout. Logging from a signal handler is not async-signal-safe; it can re-enter the heap allocator while the interrupted code was in the middle of a malloc()/free() (for example while parsing a client-supplied public key blob), leaving the heap in an inconsistent state that a well-timed client can steer. Upstream fixed it by having the handler do nothing but _exit() and moving the log line out of signal context; NetBSD pulled that change into its sshd(8). Note that pkg_admin audit knows only pkgsrc packages, so on a host running the base sshd it reports nothing about this advisory; use the build date and the fixed revision listed in the advisory instead:

sudo pkg_admin fetch-pkg-vulnerabilities   # refresh the audit feed first
sudo pkg_admin audit-pkg openssh           # pkgsrc openssh only; silent for the base sshd
sudo pkg_admin audit                       # full pkgsrc audit
ssh -V                                     # base OpenSSH version string and NetBSD build tag
uname -v                                   # build date of the running base system
sysctl kern.osrelease kern.osrevision
grep -c 'Timeout before authentication' /var/log/authlog
# Record the on-disk kernel digest for later comparison:
cksum -a sha256 /netbsd
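The two checks below are an added example written for this page, not NetBSD, pkgsrc or Qualys code. `openssh_affected` classifies an upstream OpenSSH version string against the ranges in the Qualys write-up; it is meaningful for pkgsrc security/openssh, while NetBSD's base sshd is affected per the advisory regardless of the upstream number it reports, so for it the advisory's fix date governs. `logingracetime_value` reads an sshd_config on stdin and returns the effective LoginGraceTime, honouring the first-occurrence rule of sshd_config(5). The version strings and config lines fed to them are constructed.

```shell
#!/bin/sh
# Hypothetical helper, not part of NetBSD, pkgsrc or the advisory.
#
# openssh_affected VERSION_STRING
#   Classifies an upstream (portable) OpenSSH version against the ranges in
#   the Qualys write-up for CVE-2024-6387: < 4.4p1 affected, 4.4p1 .. 8.4p1
#   not affected, 8.5p1 .. 9.7p1 affected, 9.8p1 and later fixed.
#   Meaningful for pkgsrc security/openssh. NetBSD's base sshd is affected
#   per NetBSD-SA-2024-002 regardless of the upstream number it reports, so
#   for it the advisory's fix date governs, not this function.
#   Prints yes / no / unknown; exit 0 = affected, 1 = not affected, 2 = unparseable.
openssh_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 2
    fi
    set -- $ver                       # "9 7" -> $1=9 $2=7
    n=$(( $1 * 100 + $2 ))            # 9.7 -> 907, 8.5 -> 805, 4.4 -> 404
    if [ "$n" -lt 404 ] || { [ "$n" -ge 805 ] && [ "$n" -lt 908 ]; }; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# logingracetime_value < sshd_config
#   Prints the effective LoginGraceTime. sshd_config(5) uses the FIRST
#   occurrence of a keyword, so a "LoginGraceTime 0" appended at the end of
#   the file does nothing if an earlier line already sets it. Unset means the
#   default of 120 seconds. 0 is the Qualys-documented mitigation: no alarm,
#   so the unsafe handler never runs, at the cost of a connection-slot DoS.
logingracetime_value() {
    awk 'tolower($1) == "logingracetime" && !seen { v = $2; seen = 1 }
         END { print (seen ? v : "120") }'
}

# Demo on the local ssh client (same build as sshd on a NetBSD base install);
# falls back to a constructed version string where ssh is absent.
if command -v ssh >/dev/null 2>&1; then
    v=$(ssh -V 2>&1)
else
    v='OpenSSH_9.7p1 (constructed sample)'
fi
printf '%s -> affected=%s\n' "$v" "$(openssh_affected "$v")"
printf 'LoginGraceTime 0\nLoginGraceTime 30\n' | logingracetime_value   # prints 0
```

On a pkgsrc host feed it `pkg_info -e openssh`; on a base-only host the version check is informational and the `uname -v` date comparison from the advisory is the authoritative one. The config check is worth running after any edit, because the first-occurrence rule is the usual reason a "LoginGraceTime 0" mitigation silently fails to apply.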

Quick Triage

Run these checks on NetBSD 9.4 to establish which sshd binary serves port 22, how it is configured, and who can reach it:

ps -axo pid,command | grep '[s]shd'         # /usr/sbin/sshd (base) or /usr/pkg/sbin/sshd (pkgsrc)?
ssh -V                                       # base OpenSSH version string and NetBSD build tag
pkgin search '^openssh$'                     # pkgsrc repo version; 9.8p1 or later carries the fix
pkgin show-deps openssh                      # forward dependencies
pkgin show-rev-deps openssh                  # reverse dependencies
sudo pkg_admin audit-pkg openssh             # pkgsrc package only; says nothing about the base sshd
tail -100 /var/log/messages
tail -100 /var/log/authlog
dmesg | tail -100
# Base sshd is started by /etc/rc.d/sshd when rc.conf has sshd=YES; the pkgsrc package
# ships an rc.d script of the same name under /usr/pkg/share/examples/rc.d/:
grep -E '^sshd=' /etc/rc.conf
/etc/rc.d/sshd status
# Effective configuration of the base daemon (LoginGraceTime 0 disables the unsafe alarm path):
sudo /usr/sbin/sshd -T | grep -Ei '^(logingracetime|listenaddress|maxstartups)'
# Firewall posture (npf is NetBSD's native packet filter; ipf is still shipped):
npfctl show 2>/dev/null || ipfstat -hin 2>/dev/null

Step-by-Step Diagnosis

  1. Refresh the pkgsrc audit feed and run a full system audit (this covers the pkgsrc openssh package only).

    sudo pkg_admin fetch-pkg-vulnerabilities
    sudo pkg_admin audit
  2. Establish which sshd binary serves port 22 and how old it is.

    ps -axo pid,command | grep '[s]shd'
    ssh -V
    uname -v
    sudo /usr/sbin/sshd -T | grep -i logingracetime
  3. Tail live logs while an idle connection runs past LoginGraceTime, and count timeout lines per source: a failed attempt at the race leaves exactly one such line, and a successful one needs thousands of attempts.

    tail -F /var/log/authlog
    grep 'Timeout before authentication' /var/log/authlog | awk '{print $(NF-2)}' | sort | uniq -c | sort -rn | head
  4. Inspect firewall rules (npf is the native filter; older deployments may still run ipf) and confirm which networks can reach port 22.

    npfctl show 2>/dev/null
    ipfstat -nio 2>/dev/null
  5. Confirm the service definition in /etc/rc.conf and the daemon state.

    grep -E '^(sshd|npf)=' /etc/rc.conf
    /etc/rc.d/sshd status
  6. If sshd comes from pkgsrc, verify the on-disk integrity of the package files.

    pkg_admin check openssh
    pkg_info -L openssh | xargs -I{} cksum -a sha256 {} 2>/dev/null | head
  7. Compare the build date from uname -v (base) or the package version (pkgsrc) with the fixed revisions and dates listed in NetBSD-SA-2024-002; anything older is affected regardless of what the audit feed says.
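A small detector for the log side of this advisory, added here as an example and not NetBSD's or OpenSSH's code. Every failed attempt at the race ends with sshd writing `Timeout before authentication for <ip> port <n>`, and Qualys needed on the order of ten thousand attempts, so one source producing hundreds of these in an hour is worth a look; benign port scanners and broken monitoring probes produce the same line, so treat a hit as a lead rather than proof. The log lines embedded below are constructed.

```shell
#!/bin/sh
# timeout_bursts THRESHOLD
#   Reads syslog-format authlog lines on stdin, counts "Timeout before
#   authentication" per source address and prints, for every source at or
#   above THRESHOLD: "<ip> <count> <first seen> <last seen>", busiest first.
# Live use: grep 'Timeout before authentication' /var/log/authlog | timeout_bursts 200
timeout_bursts() {
    thr=${1:-200}
    awk -v thr="$thr" '
    / sshd\[[0-9]+\]: Timeout before authentication for / {
        # NetBSD authlog: "Mon dd HH:MM:SS host sshd[pid]: Timeout before authentication for IP port N"
        for (i = 1; i <= NF; i++) if ($i == "for") { ip = $(i + 1); break }
        ts = $1 " " $2 " " $3
        if (!(ip in n)) first[ip] = ts
        last[ip] = ts
        n[ip]++
    }
    END {
        for (ip in n)
            if (n[ip] >= thr) printf "%s %d %s %s\n", ip, n[ip], first[ip], last[ip]
    }' | sort -k2,2nr
}

# Constructed sample, not real log data: 192.0.2.10 times out three times in
# two minutes, 198.51.100.7 once, and an unrelated successful login is ignored.
SAMPLE_LOG='Jul  1 03:14:01 gw sshd[2133]: Timeout before authentication for 192.0.2.10 port 51234
Jul  1 03:14:02 gw sshd[2140]: Accepted publickey for ops from 198.51.100.7 port 40012 ssh2
Jul  1 03:14:03 gw sshd[2141]: Timeout before authentication for 192.0.2.10 port 51240
Jul  1 03:15:01 gw sshd[2150]: Timeout before authentication for 198.51.100.7 port 40100
Jul  1 03:16:08 gw sshd[2162]: Timeout before authentication for 192.0.2.10 port 51301'

printf '%s\n' "$SAMPLE_LOG" | timeout_bursts 3
```

Pick the threshold from your own baseline (a day of normal authlog through `timeout_bursts 1` shows what scanners usually produce) and feed rotated logs too, since NetBSD's newsyslog compresses them: `zcat /var/log/authlog.0.gz | timeout_bursts 200`.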

Solution – Primary Fix

The fix is a rebuilt sshd. Which one you rebuild depends on which binary serves port 22 (see Quick Triage): the base system's /usr/sbin/sshd is covered by NetBSD-SA-2024-002 and is fixed on the netbsd-9 stable branch; a pkgsrc /usr/pkg/sbin/sshd is fixed in security/openssh 9.8p1 and later. In both cases restart sshd afterwards: the listening daemon keeps running the old code until it is restarted, and established sessions survive the restart.

If sshd comes from pkgsrc, refresh the package index and upgrade:

sudo pkgin update
sudo pkgin install openssh          # installs or upgrades to the repository version
sudo pkgin full-upgrade             # alternatively, whole-system pkgsrc upgrade
sudo pkg_admin fetch-pkg-vulnerabilities
sudo pkg_admin audit-pkg openssh    # confirm no remaining audit entry
sudo /usr/pkg/sbin/sshd -t          # syntax-check the config the new binary will read
sudo /etc/rc.d/sshd restart         # the pkgsrc rc.d script is also named sshd

For administrators who build from a local pkgsrc tree:

# Refresh the tree (CVS) or pull a fresh tarball:
cd /usr/pkgsrc && sudo cvs -q update -dP
cd /usr/pkgsrc/security/openssh && sudo make replace clean
# Or rebuild and keep a binary package for the other hosts:
cd /usr/pkgsrc/security/openssh && sudo make package-install

For the base-system sshd, NetBSD does not ship binary syspatches like OpenBSD. Either move to a netbsd-9 build made after the advisory date, or rebuild from the netbsd-9 source branch. Do not point a 9.4 host at the netbsd-10 daily builds unless you intend a major-version upgrade:

# Option A: in-place update to the latest netbsd-9 daily build via sysupgrade from pkgsrc:
sudo pkgin install sysupgrade
sudo sysupgrade auto https://nycdn.NetBSD.org/pub/NetBSD-daily/netbsd-9/latest/amd64/
# Option B: rebuild userland from the netbsd-9 source branch:
cd /usr/src && sudo cvs -q update -r netbsd-9 -dP
cd /usr/src && sudo ./build.sh -O /var/obj -T /var/tools -U -j4 tools
cd /usr/src && sudo ./build.sh -O /var/obj -T /var/tools -U -j4 distribution
cd /usr/src && sudo ./build.sh -O /var/obj -T /var/tools -U install=/
# Option C: fetch base.tgz from the same netbsd-9 build and extract it over /
# (replaces libc and every base binary at once; take the backups from Rollback Plan first):
cd /var/tmp && ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/netbsd-9/latest/amd64/binary/sets/base.tgz
cd / && sudo tar xzpf /var/tmp/base.tgz
# Whichever option: check the new binary against the current config, then restart the daemon
sudo /usr/sbin/sshd -t && sudo /etc/rc.d/sshd restart
ssh -V

Reboot if the upgrade replaced the kernel (/netbsd) or shared libraries used by long-running daemons; sshd itself only needs the restart above. Keep your existing session open while you verify from a second terminal that a fresh login works, so a bad config or binary cannot lock you out.


Solution – Alternative Approaches

If the rebuild cannot happen immediately, reduce exposure first and only then worry about package mechanics; reinstalling an older sshd is a rollback for a broken upgrade, not a mitigation for this advisory.

  • Disable the login-grace alarm, the mitigation the Qualys write-up documents. With LoginGraceTime 0 the SIGALRM handler never runs, so the unsafe code path is unreachable; the cost is that unauthenticated clients can hold connection slots until MaxStartups is exhausted (a denial of service, not code execution). sshd_config(5) uses the first occurrence of a keyword, so put the line before any existing LoginGraceTime and verify with sshd -T:

    # /etc/ssh/sshd_config  (pkgsrc: /usr/pkg/etc/ssh/sshd_config)
    LoginGraceTime 0
    # Then:
    sudo /usr/sbin/sshd -t && sudo /etc/rc.d/sshd restart
    sudo /usr/sbin/sshd -T | grep -i logingracetime
  • Restrict who can reach port 22 until a fixed build is in place. The race needs many thousands of connections, so an allowlist removes most of the risk. npf.conf example (wm0 and 192.0.2.0/24 are placeholders; with final, the first matching rule wins):

    # /etc/npf.conf
    $ext_if = "wm0"
    $admin_net = { 192.0.2.0/24 }
    group default {
      pass stateful in final on $ext_if proto tcp from $admin_net to any port ssh
      block in final on $ext_if proto tcp to any port ssh
      pass stateful out final all
    }
    # Validate and reload the ruleset:
    sudo npfctl validate
    sudo npfctl reload
    sudo npfctl show
  • Keep the pkgsrc package on its current version while staging a coordinated rollout. pkgsrc has no first-class "hold", so record the version, keep the binary package, and upgrade hosts one at a time with pkgin install rather than a blanket full-upgrade:

    pkg_info -X openssh > /root/openssh.pin.txt
    # Locally built packages land in /usr/pkgsrc/packages/All/; pkgin keeps downloaded
    # ones in /var/db/pkgin/cache/. Copy the current openssh-<ver>.tgz aside from there.
  • Roll the pkgsrc openssh back to a known-good binary package (only if the upgraded package itself is broken; the older one is the vulnerable one):

    # 1. Confirm the version the configured pkgin repository offers:
    pkgin search '^openssh$'
    # 2. Force-install a specific .tgz from a saved build:
    sudo pkg_add -f /usr/pkgsrc/packages/All/openssh-<older-version>.tgz
    # 3. Or point pkgin at the previous quarterly branch via /usr/pkg/etc/pkgin/repositories.conf
  • Switch the pkgin repository between branches by editing /usr/pkg/etc/pkgin/repositories.conf ($arch and $osrelease are expanded by pkgin):

    # /usr/pkg/etc/pkgin/repositories.conf
    https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/$arch/$osrelease/All
    # Then:
    sudo pkgin update
    sudo pkgin install openssh
  • Build from source against a different pkgsrc branch (quarterly vs. HEAD):

    cd /usr && sudo cvs -d :pserver:anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -P pkgsrc
    cd /usr/pkgsrc/security/openssh && sudo make replace clean clean-depends
  • Run a fixed pkgsrc sshd (9.8p1 or later) in place of the base daemon until the base rebuild is done: install security/openssh, copy its rc.d script from /usr/pkg/share/examples/rc.d/sshd, and make sure only one of the two daemons is enabled on port 22.

Verification & Acceptance Criteria

All of these should pass after the fix:

ssh -V                                   # base: build newer than the advisory fix date; pkgsrc: OpenSSH_9.8 or later
uname -v                                 # base build date, if userland was replaced
pkg_info openssh                         # pkgsrc: shows openssh-9.8p1 or later
sudo pkg_admin audit-pkg openssh         # pkgsrc: no audit hit for this package
sudo pkg_admin audit                     # no audit hits anywhere
# The listener must be the new binary: its start time must postdate the install
ps -axo pid,start,command | grep '[s]shd'
/etc/rc.d/sshd status
# A fresh login must work from a second terminal before the old session is closed
ssh -o BatchMode=yes -o ConnectTimeout=5 <host> true
tail -50 /var/log/messages               # no new errors after upgrade
tail -50 /var/log/authlog                # no auth anomalies
# Compare the kernel digest with the pre-upgrade value if the upgrade touched /netbsd:
cksum -a sha256 /netbsd

The bug has no benign reproduction, so acceptance rests on the version and start-time checks above plus behaviour: an idle TCP connection to port 22 is still dropped when LoginGraceTime expires (one `Timeout before authentication` line in authlog, unless you set LoginGraceTime 0 as a stopgap and have not yet reverted it) and the listener keeps accepting new connections afterwards.

Rollback Plan

Capture state before any change:

pkg_info -X > /root/pkg-pre.txt
cp -a /etc/rc.conf /etc/rc.conf.pre-patch
sudo cp -p /usr/sbin/sshd /usr/sbin/sshd.pre-patch   # base binary, for a same-branch revert
sudo cp -p /netbsd /netbsd.old                       # only if the upgrade will replace the kernel
cksum -a sha256 /netbsd > /root/netbsd.sha256.pre
# Snapshot the root filesystem if you are on ZFS (dataset name is site-specific):
sudo zfs snapshot rpool/ROOT/netbsd@pre-openssh-patch 2>/dev/null || true

To revert if the upgrade is bad (this reinstates a vulnerable sshd, so re-apply the LoginGraceTime 0 and firewall mitigations while it is in place):

# Base binary:
sudo cp -p /usr/sbin/sshd.pre-patch /usr/sbin/sshd && sudo /etc/rc.d/sshd restart
# pkgsrc: reinstall the previously saved binary package:
sudo pkg_add -f /usr/pkgsrc/packages/All/openssh-<previous-version>.tgz
# Or via pkgin if the previous version is still in the repository:
sudo pkgin install openssh-<previous-version>
# Restore rc.conf if it was edited:
sudo cp /etc/rc.conf.pre-patch /etc/rc.conf
# Roll back the ZFS snapshot (only if you took one above):
sudo zfs rollback rpool/ROOT/netbsd@pre-openssh-patch 2>/dev/null || true

For a base-system / kernel regression, boot the previous kernel: choose "Drop to boot prompt" (option 5 in the default boot.cfg menu) and enter boot netbsd.old.

Prevention & Hardening

Reduce the chance of this recurring on NetBSD 9.4 hosts running sshd:

  • Run the pkgsrc audit daily. NetBSD's periodic scripts already have the knobs (see daily.conf(5) and security.conf(5)), so prefer them to a hand-written cron entry; remember the feed covers pkgsrc packages only, not the base sshd:

    # /etc/daily.conf
    fetch_pkg_vulnerabilities=YES
    # /etc/security.conf
    check_pkg_vulnerabilities=YES
    # Or, equivalently, from /etc/daily.local:
    pkg_admin fetch-pkg-vulnerabilities
    pkg_admin audit | mail -E -s 'pkgsrc audit' root
  • Subscribe to netbsd-announce and pkgsrc-security at mail-index.NetBSD.org and watch the NetBSD Security Advisories index; base-system issues like this one are announced there, not in the audit feed.

  • Mirror pkgsrc binary packages locally so production hosts pull from a vetted feed:

    # Bulk-build a private pkgsrc repo (one-time setup; pbulk.conf describes the build):
    cd /usr/pkgsrc/pkgtools/pbulk && sudo make install clean
    sudo /usr/pbulk/bin/bulkbuild
    # Then publish /usr/pbulk/packages/ behind nginx or rsync.
  • Keep sysupgrade installed and dry-run it against the netbsd-9 branch before scheduled windows:

    sudo pkgin install sysupgrade
    sudo sysupgrade -n auto https://nycdn.NetBSD.org/pub/NetBSD-daily/netbsd-9/latest/amd64/
  • Keep sshd's own brakes on: MaxStartups caps concurrent unauthenticated connections (default 10:30:100) and is what an attacker racing the grace timer has to burn through. Re-check it with sshd -T after every upgrade, since the fix does not change the defaults:

    # /etc/ssh/sshd_config
    MaxStartups 10:30:60
  • Harden the firewall with npf default-deny, allowlist the admin network for ssh, enable it in rc.conf so it survives a reboot, and reload after edits (wm0 and 192.0.2.0/24 are placeholders):

    # /etc/npf.conf
    $ext_if = "wm0"
    $admin_net = { 192.0.2.0/24 }
    group default {
      block all
      pass stateful in final on $ext_if proto tcp from $admin_net to any port ssh
      pass stateful out final all
    }
    # /etc/rc.conf
    npf=YES
    # Then:
    sudo npfctl validate && sudo npfctl reload
    sudo npfctl start
  • Monitor file integrity with the NetBSD-shipped veriexec subsystem or with mtree; include /usr/sbin/sshd so a silently replaced daemon is noticed:

    # mtree baseline of critical config dirs:
    sudo mtree -c -K sha256digest -p /etc       > /var/db/etc.mtree
    sudo mtree -c -K sha256digest -p /usr/pkg/etc > /var/db/usr-pkg-etc.mtree
    # Verify later:
    sudo mtree -p /etc < /var/db/etc.mtree
    # veriexec (kernel-enforced; needs veriexec in the kernel and veriexec=YES in rc.conf):
    sudo veriexecgen -o /etc/signatures
    sudo veriexecctl load /etc/signatures
  • Check the integrity of sets before extracting them: the build directories publish SHA512 (and MD5) digest files next to base.tgz. A digest fetched from the same server only proves the download was not corrupted, not who built it; the digest file is not a signature, so fetch over HTTPS from NetBSD.org and keep the digests you verified with your change record:

    # Fetch set + digest file, then verify before extracting:
    ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/netbsd-9/latest/amd64/binary/sets/base.tgz
    ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/netbsd-9/latest/amd64/binary/sets/SHA512
    grep base.tgz SHA512 | cksum -a sha512 -c -

Related Errors & Cross-Refs

Issues that commonly surface alongside this advisory: a userland partially replaced so that ssh -V and uname -v disagree about the build, two sshd rc.d scripts (base and pkgsrc) competing for port 22, stale shared-library references after a pkgsrc replace, drifted npf rules that no longer allowlist the admin network, and an out-of-date pkg-vulnerabilities feed that hides the pkgsrc entry. Useful triage:

uname -a
sysctl kern.osrelease kern.osrevision
ssh -V
sudo pkg_admin audit
sudo npfctl show



References & Further Reading

Primary reference: NetBSD advisory NetBSD-SA-2024-002 and the Qualys regreSSHion write-up it links (https://www.qualys.com/regresshion-cve-2024-6387/). Useful manual pages on NetBSD 9.4:

man sshd
man sshd_config
man pkgin
man pkg_admin
man pkg_info
man rc.conf
man rc.d
man service
man daily.conf
man security.conf
man npfctl
man npf.conf
man ipf
man sysupgrade
man veriexec

Other resources: the NetBSD Guide, the NetBSD Security Advisories index, the pkgsrc Guide, and the DESCR and MESSAGE files under /usr/pkgsrc/security/openssh/ for package-specific notes.

