OpenSSH Versions Vulnerable to Remote Code Execution

OpenSSH, a widely used secure networking suite, has been found to have a vulnerability that allows remote code execution (RCE). This flaw, identified as CVE-2024-6409, has a CVSS score of 7.0. It is separate from another recent vulnerability, CVE-2024-6387, known as RegreSSHion. CVE-2024-6409 pertains to a race condition in signal handling within the privsep child process, which runs with reduced privileges compared to the parent process. This issue affects versions 8.7p1 and 8.8p1 of OpenSSH distributed with Red Hat Enterprise Linux 9.

The discovery and reporting of this bug are credited to security researcher Alexander Peslyak, also known as Solar Designer. This vulnerability was found during a review following the disclosure of CVE-2024-6387 by Qualys earlier in the month. Peslyak highlighted that although the immediate impact of CVE-2024-6409 might be lower due to the reduced privileges of the affected process, differences in exploitability might make either vulnerability more appealing to attackers under certain conditions. If one vulnerability is fixed or mitigated, the other could become more relevant.

The root of the problem is the same signal handler race condition as in CVE-2024-6387. If a client does not authenticate within LoginGraceTime (120 seconds by default), the OpenSSH daemon's SIGALRM handler is invoked asynchronously and calls functions that are not async-signal-safe. In CVE-2024-6409 the affected code path is the cleanup_exit() function in the unprivileged privsep child of sshd.
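The defect class described above is a handler that does real work (logging, freeing memory, tearing down state) while the interrupted code may be inside those same non-reentrant functions. The following is an added illustration, not code from OpenSSH, of the defensive pattern that avoids it: the SIGALRM handler only sets a `volatile sig_atomic_t` flag, and all grace-period cleanup runs later in normal execution context. Names such as `install_grace_timer` and `run_grace_period` are hypothetical, and the short grace period in `main` is a constructed value for demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* The only state the handler touches. volatile sig_atomic_t is the type
 * POSIX guarantees can be read and written atomically from a handler. */
static volatile sig_atomic_t alarm_fired = 0;

/* Async-signal-safe handler: set a flag and return. No malloc/free, no
 * printf/syslog, no cleanup routines here; the interrupted code may hold
 * their internal locks or be half-way through updating their state. */
static void on_alarm(int signo)
{
    (void)signo;
    alarm_fired = 1;
}

/* Install the handler with sigaction (hypothetical helper) and arm the
 * grace timer. Returns 0 on success, -1 if sigaction fails. */
int install_grace_timer(unsigned seconds)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    if (sigaction(SIGALRM, &sa, NULL) != 0)
        return -1;
    alarm_fired = 0;
    alarm(seconds);
    return 0;
}

/* Simulated login grace period (hypothetical helper). client_authenticates
 * stands in for a client that completes authentication before the timer
 * fires. Returns 0 if authentication "won", 1 if the grace period expired,
 * -1 on setup failure. Cleanup after expiry happens here, in normal
 * context, where non-async-signal-safe functions are fine to call. */
int run_grace_period(unsigned seconds, int client_authenticates)
{
    sigset_t block, old;

    if (install_grace_timer(seconds) != 0)
        return -1;

    if (client_authenticates) {
        alarm(0);               /* disarm the timer; nothing to clean up */
        return 0;
    }

    /* Block SIGALRM around the flag check and use sigsuspend so the signal
     * cannot slip in between "check flag" and "wait", which is the classic
     * lost-wakeup race with pause(). */
    sigemptyset(&block);
    sigaddset(&block, SIGALRM);
    sigprocmask(SIG_BLOCK, &block, &old);
    while (!alarm_fired)
        sigsuspend(&old);       /* returns once the handler has run */
    sigprocmask(SIG_SETMASK, &old, NULL);

    /* Deferred cleanup: logging and resource teardown belong here. */
    fprintf(stderr, "grace period of %u s expired; cleaning up in main context\n",
            seconds);
    return 1;
}

int main(void)
{
    /* Constructed demo values: a 1-second grace period instead of 120. */
    printf("authenticating client -> %d\n", run_grace_period(5, 1));
    printf("silent client         -> %d\n", run_grace_period(1, 0));
    return 0;
}
```

The point of the pattern is that the handler never shares a call path with the interrupted code: the flag is the only communication channel, and everything that would be unsafe to run from a handler is postponed until the main loop observes the flag.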

A successful exploit of this vulnerability could allow an attacker to execute arbitrary code remotely as the unprivileged user under which the sshd privsep child runs. Even with those reduced privileges, this represents a significant security risk, since it gives an unauthenticated remote attacker a foothold on the affected system.

Active exploitation of CVE-2024-6387 has been observed in the wild. An unknown threat actor has been targeting servers, predominantly in China. The activity has been traced back to the IP address 108.174.58[.]28, which was identified as hosting exploit tools and scripts designed to automate the exploitation of vulnerable SSH servers. This finding underscores the importance of addressing these vulnerabilities promptly to prevent further exploitation.

Israeli cybersecurity company Veriti reported the presence of these exploit tools, emphasizing the ongoing threat posed by such vulnerabilities. As these tools become more accessible, the risk of widespread exploitation increases, highlighting the critical need for vigilance and timely patching in maintaining network security.
