Potential risk of remote code execution

July 10, 2024 | Newsroom | Vulnerability / Network Security

OpenSSH vulnerability

Certain versions of the secure networking suite OpenSSH are susceptible to a new vulnerability that could allow remote code execution (RCE).

The vulnerability, tracked as CVE-2024-6409 (CVSS score: 7.0), is distinct from CVE-2024-6387 (also known as RegreSSHion) and involves code execution in the privsep child process due to a race condition in signal processing. It only affects versions 8.7p1 and 8.8p1 as shipped with Red Hat Enterprise Linux 9.

Security researcher Alexander Peslyak, who goes by the alias Solar Designer, is credited with discovering and reporting the bug. He found it during a review of CVE-2024-6387, after that flaw was disclosed by Qualys earlier this month.


“The main difference from CVE-2024-6387 is that the race condition and RCE potential are triggered in the privsep child process, which runs with limited privileges compared to the parent server process,” Peslyak said.

“So the direct impact is lower. However, there may be differences in the exploitability of these vulnerabilities in a given scenario, which may make one of these two a more attractive choice for an attacker, and if only one of these is fixed or mitigated, the other becomes more relevant.”

It is important to note, however, that the race condition vulnerability in the signal handler is the same as CVE-2024-6387. If a client does not authenticate within LoginGraceTime seconds (default 120), the SIGALRM handler of the OpenSSH daemon process is called asynchronously. This handler then calls various functions that are not async-signal-safe.

“This issue makes it vulnerable to a signal handler race condition on the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server,” the vulnerability description reads.


“A successful exploit could, in the worst case, allow the attacker to perform remote code execution (RCE) within an unprivileged user controlling the sshd server.”

An active exploit for CVE-2024-6387 has now been detected, with an unknown threat actor primarily targeting servers in China.

“The initial vector of this attack comes from the IP address 108.174.58[.]28, which was reported to contain a directory of exploit tools and scripts for automating the exploitation of vulnerable SSH servers,” according to Israeli cybersecurity firm Veriti.
