Headline
New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems
OpenSSH maintainers have released security updates to contain a critical security flaw that could result in unauthenticated remote code execution with root privileges in glibc-based Linux systems. The vulnerability has been assigned the CVE identifier CVE-2024-6387. It resides in the OpenSSH server component, also known as sshd, which is designed to listen for connections from any of the client
OpenSSH maintainers have released security updates to contain a critical security flaw that could result in unauthenticated remote code execution with root privileges in glibc-based Linux systems.
The vulnerability has been assigned the CVE identifier CVE-2024-6387. It resides in the OpenSSH server component, also known as sshd, which is designed to listen for connections from any of the client applications.
“The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems,” Bharat Jogi, senior director of the threat research unit at Qualys, said in a disclosure published today. “This race condition affects sshd in its default configuration.”
The cybersecurity firm said it identified no less than 14 million potentially vulnerable OpenSSH server instances exposed to the internet, adding it’s a regression of an already patched 18-year-old flaw tracked as CVE-2006-5051, with the problem reinstated in October 2020 as part of OpenSSH version 8.5p1.
“Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with [address space layout randomization],” OpenSSH said in an advisory. “Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept.”
The vulnerability impacts versions between 8.5p1 and 9.7p1. Versions prior 4.4p1 are also vulnerable to the race condition bug unless they are patched for CVE-2006-5051 and CVE-2008-4109. It’s worth noting that OpenBSD systems are unaffected as they include a security mechanism that blocks the flaw.
Specifically, Qualys found that if a client does not authenticate within 120 seconds (a setting defined by LoginGraceTime), then sshd’s SIGALRM handler is called asynchronously in a manner that’s not async-signal-safe.
The net effect of exploiting CVE-2024-6387 is full system compromise and takeover, enabling threat actors to execute arbitrary code with the highest privileges, subvert security mechanisms, data theft, and even maintain persistent access.
“A flaw, once fixed, has reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue,” Jogi said. “This incident highlights the crucial role of thorough regression testing to prevent the reintroduction of known vulnerabilities into the environment.”
While the vulnerability has significant roadblocks due to its remote race condition nature, users are recommended to apply the latest patches to secure against potential threats. It’s also advised to limit SSH access through network-based controls and enforce network segmentation to restrict unauthorized access and lateral movement.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
The maintainers of the FreeBSD Project have released security updates to address a high-severity flaw in OpenSSH that attackers could potentially exploit to execute arbitrary code remotely with elevated privileges. The vulnerability, tracked as CVE-2024-7589, carries a CVSS score of 7.4 out of a maximum of 10.0, indicating high severity. "A signal handler in sshd(8) may call a logging function
Quay.io is Red Hat’s hosted container registry service that serves enterprise users, open source community projects, and Red Hat customers worldwide. One of the most used features of Quay.io, besides storing and serving container images, is the comprehensive security vulnerability reporting for any uploaded image. Because Red Hat is committed to making open source software more accessible, this functionality is also available on the free tier, provided by the Clair static vulnerability analyzer project.Clair allows users to analyze millions of container images and billions of layers, and pr
Select versions of the OpenSSH secure networking suite are susceptible to a new vulnerability that can trigger remote code execution (RCE). The vulnerability, tracked as CVE-2024-6409 (CVSS score: 7.0), is distinct from CVE-2024-6387 (aka RegreSSHion) and relates to a case of code execution in the privsep child process due to a race condition in signal handling. It only impacts versions 8.7p1
Red Hat Security Advisory 2024-4312-03 - An update for openssh is now available for Red Hat Enterprise Linux 9. Issues addressed include a code execution vulnerability.
Gentoo Linux Security Advisory 202407-9 - A vulnerability has been discovered in OpenSSH, which can lead to remote code execution with root privileges. Versions greater than or equal to 9.7_p1-r6 are affected.
Ubuntu Security Notice 6859-1 - It was discovered that OpenSSH incorrectly handled signal management. A remote attacker could use this issue to bypass authentication and remotely access systems without proper credentials.
Debian Linux Security Advisory 5724-1 - The Qualys Threat Research Unit (TRU) discovered that OpenSSH, an implementation of the SSH protocol suite, is prone to a signal handler race condition. If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe. A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges. This flaw affects sshd in its default configuration.
Qualys has discovered a a signal handler race condition vulnerability in OpenSSH's server, sshd. If a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously, but this signal handler calls various functions that are not async-signal-safe - for example, syslog(). This race condition affects sshd in its default configuration.