regreSSHion: Remote Code Execution in OpenSSH Server (CVE-2024-6387)

Date: July 1, 2024

CVE: CVE-2024-6387

Vulnerability Type: Race Condition

CWE: [[CWE-362]], [[CWE-665]]

Sources: Qualys

Synopsis

A critical remote code execution (RCE) vulnerability has been identified in OpenSSH's server on glibc-based Linux systems, allowing unauthenticated attackers to execute arbitrary code as root.

Issue Summary

The vulnerability, identified as CVE-2024-6387, is a regression of a previously patched issue (CVE-2006-5051) and affects OpenSSH versions from 8.5p1 to 9.8p1. It arises from a signal handler race condition in the sshd server, leading to unsafe function calls within asynchronous signal handlers.

Technical Key Findings

The flaw involves sshd's SIGALRM handler, which calls non-async-signal-safe functions like syslog(), potentially leading to heap corruption and enabling remote code execution. The exploit requires precise timing to interrupt specific code paths, leaving the process in an inconsistent state that can be exploited.

Vulnerable Products

  • OpenSSH versions 8.5p1 to 9.8p1 on glibc-based Linux systems.

Impact Assessment

Exploitation of this vulnerability allows an attacker to execute arbitrary code as root on affected systems, potentially leading to complete system compromise.

Patches or Workaround

A fix has been implemented in OpenSSH by moving the async-signal-unsafe code to a synchronous context. Users are advised to update to the latest version or set LoginGraceTime to 0 as a temporary mitigation.
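The handler pattern behind the finding and the shape of the fix, as an added illustration in C that is not OpenSSH's code: the first handler does real work (syslog(), which may allocate) inside the asynchronous signal handler, while the second only records the event in a sig_atomic_t flag and leaves the logging to the main loop, which is the synchronous context the fix moves the unsafe work into. The function names (grace_alarm_unsafe, grace_alarm_safe, service_pending_alarm, demo_safe_path) are hypothetical.

```c
/* Added example, not OpenSSH code: contrast an async-signal-unsafe SIGALRM
 * handler with the safe pattern of deferring work to the main loop.
 * All names below are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* --- Anti-pattern: real work inside the handler. ---
 * syslog() is not async-signal-safe; it may take locks or use the heap.
 * If SIGALRM lands while the main program is itself inside malloc()/free(),
 * the allocator is re-entered, which is the class of bug the advisory
 * describes. Shown only for contrast; never installed by this demo. */
void grace_alarm_unsafe(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication"); /* unsafe here */
    _exit(1);
}

/* --- Safe pattern: record the event and return. --- */
static volatile sig_atomic_t alarm_fired = 0;

static void grace_alarm_safe(int sig)
{
    (void)sig;
    alarm_fired = 1; /* writing a sig_atomic_t is async-signal-safe */
}

/* Install a SIGALRM handler with sigaction(). Returns 0 on success. */
static int install_handler(void (*fn)(int))
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fn;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Synchronous context: the main loop polls the flag and does the logging
 * where heap use is safe. Returns 1 if a pending timeout was handled. */
static int service_pending_alarm(void)
{
    if (!alarm_fired)
        return 0;
    alarm_fired = 0;
    syslog(LOG_INFO, "Timeout before authentication (handled synchronously)");
    return 1;
}

/* Deliver SIGALRM synchronously with the safe handler installed and check
 * that the handler only flipped the flag and the main loop did the work.
 * Returns 1 on the expected sequence, 0 otherwise. */
static int demo_safe_path(void)
{
    if (install_handler(grace_alarm_safe) != 0)
        return 0;
    if (alarm_fired != 0)
        return 0;
    raise(SIGALRM); /* handler runs before raise() returns */
    if (alarm_fired != 1)
        return 0;
    return service_pending_alarm() == 1 && alarm_fired == 0;
}

int main(void)
{
    printf("safe handler path behaved as expected: %s\n",
           demo_safe_path() ? "yes" : "no");
    return 0;
}
```

The unsafe handler is kept only for contrast; the demo installs the safe one. On a running system the effective grace timeout can be confirmed with `sshd -T | grep -i logingracetime`. Setting LoginGraceTime to 0 disables the timeout entirely, so half-open unauthenticated connections are no longer reaped, which is why the page presents it as a temporary mitigation rather than a replacement for the patch.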

Tags

#OpenSSH #CVE-2024-6387 #RCE #RaceCondition #Linux #glibc #SecurityVulnerability #Exploit #Patch