GitHub - GNOME/libxml2: Read-only mirror of https://gitlab.gnome.org/GNOME/libxml2

Read-only mirror of https://gitlab.gnome.org/GNOME/libxml2 - GNOME/libxml2

Welcome to Expat! · Expat XML parser

Expat XML parser

Roundcube - Free and Open Source Webmail Software

Free and open source webmail software for the masses, written in PHP

New AI advancements bring forth new risks. Wiz Research has uncovered weaknesses in SAP AI Core, which could potentially allow unauthorised individuals to exploit the system and gain access to sensitive customer information. Fortunately, SAP has promptly addressed this issue. The findings from the research provide valuable insights. Check out the details here: https://www.wiz.io/blog/sapwned-sap-ai-vulnerabilities-ai-security #artificialintelligence #SAP #securityvulnerability
SAPwned: SAP AI vulnerabilities expose customers’ cloud environments and private AI artifacts | Wiz Blog

Wiz Research uncovers vulnerabilities in SAP AI Core, allowing malicious actors to take over the service and access customer data.

Welcome! - The Apache HTTP Server Project

regreSSHion: Remote Code Execution in OpenSSH Server (CVE-2024-6387)

Date: July 1, 2024

CVE: CVE-2024-6387

Vulnerability Type: Race Condition

CWE: [[CWE-362]], [[CWE-665]]

Sources: Qualys

Synopsis

A critical remote code execution (RCE) vulnerability has been identified in OpenSSH's server on glibc-based Linux systems, allowing unauthenticated attackers to execute arbitrary code as root.

Issue Summary

The vulnerability, identified as CVE-2024-6387, is a regression of a previously patched issue (CVE-2006-5051) and affects OpenSSH versions from 8.5p1 to 9.8p1. It arises from a signal handler race condition in the sshd server, leading to unsafe function calls within asynchronous signal handlers.

Technical Key Findings

The flaw involves sshd's SIGALRM handler, which calls non-async-signal-safe functions like syslog(), potentially leading to a heap corruption and enabling remote code execution. The exploit requires precise timing to interrupt specific code paths, leaving the system in an inconsistent state that can be exploited.

Vulnerable Products

  • OpenSSH versions 8.5p1 to 9.8p1 on glibc-based Linux systems.

Impact Assessment

Exploitation of this vulnerability allows an attacker to execute arbitrary code as root on affected systems, potentially leading to complete system compromise.

Patches or Workaround

A fix has been implemented in OpenSSH by moving the async-signal-unsafe code to a synchronous context. Users are advised to update to the latest version or set LoginGraceTime to 0 as a temporary mitigation.

Tags

#OpenSSH #CVE-2024-6387 #RCE #RaceCondition #Linux #glibc #SecurityVulnerability #Exploit #Patch
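
The fix described under "Patches or Workaround" above, moving async-signal-unsafe work out of the handler, follows a general pattern that this added example illustrates; it is not OpenSSH's code or its actual patch. The names `run_grace_timer`, `on_sigalrm` and `grace_expired` and the log text are hypothetical: the SIGALRM handler only sets a flag, and the log line is built after the wait returns in normal context.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose sigaction() and setitimer() */
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

/* volatile sig_atomic_t is the portable type for a handler-written flag. */
static volatile sig_atomic_t grace_expired;
/* Safe handler: record the event and return. No syslog(), malloc(),
 * free() or stdio calls, none of which are async-signal-safe. */
static void on_sigalrm(int signo)
{
    (void)signo;
    grace_expired = 1;
}

/* Arms a grace timer of `ms` milliseconds, waits for it, then builds the
 * log line in normal context. Returns 1 on expiry, -1 on setup failure. */
int run_grace_timer(long ms, char *logbuf, size_t len)
{
    struct sigaction sa;
    struct itimerval tv = {{0, 0}, {0, 0}};
    sigset_t block, old, wait;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigalrm;
    sigemptyset(&sa.sa_mask);
    sigemptyset(&block);
    sigaddset(&block, SIGALRM);
    /* Block SIGALRM so delivery can only happen inside sigsuspend(). */
    if (ms <= 0 || sigaction(SIGALRM, &sa, NULL) != 0 ||
        sigprocmask(SIG_BLOCK, &block, &old) != 0)
        return -1;
    wait = old;
    sigdelset(&wait, SIGALRM);
    grace_expired = 0;
    tv.it_value.tv_sec = ms / 1000;
    tv.it_value.tv_usec = (ms % 1000) * 1000;
    if (setitimer(ITIMER_REAL, &tv, NULL) != 0) {
        sigprocmask(SIG_SETMASK, &old, NULL);
        return -1;
    }
    while (!grace_expired)
        sigsuspend(&wait);          /* atomically unblock and sleep */
    sigprocmask(SIG_SETMASK, &old, NULL);
    /* Synchronous context: formatting and logging are safe again. */
    snprintf(logbuf, len, "grace period expired after %ld ms", ms);
    return 1;
}
```

Blocking SIGALRM before arming the timer and waiting with `sigsuspend()` closes the window in which the signal could arrive before the process starts waiting.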

GitLab Vulnerability to GitHub-Style CDN Flaw Allowing Malware Hosting

Date: April 22, 2024
CVE: Not specifically assigned
Vulnerability Type: Authentication bypass
CWE: [[CWE-22]], [[CWE-427]]
Sources: Bleeping Computer Article, Duo Security Article

Issue Summary

GitLab has been identified as vulnerable to a similar flaw that was found in GitHub, where the platform's "comments" feature can be abused to host malware. This vulnerability allows threat actors to upload malicious files to GitLab's CDN under the guise of legitimate projects, making them appear as if they are part of reputable repositories.

Technical Key findings

The flaw stems from the ability to generate links to uploaded files in the comment section before saving or posting the comment. These files, although potentially never visible in a public comment, receive a CDN URL that remains accessible even if the comment is deleted.

The format followed by such files uploaded to GitLab CDN is:
_https://gitlab.com/{project_group_name}/{repo_name}/uploads/{file_id}/{file_name}_
For videos and images, the files will be stored under the /assets/ path instead.

Vulnerable products

The vulnerability affects all versions of GitLab that include the "comments" feature with file upload capabilities.

Impact assessment

This vulnerability can be exploited to distribute malware by disguising malicious files as legitimate project files, potentially leading to widespread security breaches if these files are executed by unsuspecting users.

Patches or workaround

As of the latest updates, specific patches for this CDN flaw have not been detailed. Users are advised to remain vigilant about files downloaded from repository-related URLs and verify their authenticity.

Tags

#GitLab #CDNFlaw #MalwareDistribution #AuthenticationBypass #SecurityVulnerability

GitLab affected by GitHub-style CDN flaw allowing malware hosting

BleepingComputer recently reported how a GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories, making the files appear trustworthy. It turns out, GitLab is also affected by this issue and could be abused in a similar fashion.
