Administrators of Linux-based systems should update OpenSSH immediately to patch a flaw (CVE-2024-6387) that can expose servers to unauthenticated remote code execution.
Summary
- An estimated 700,000 OpenSSH servers are at risk from a remote code execution vulnerability, CVE-2024-6387.
- A signal handler race condition in the OpenSSH server allows unauthenticated remote code execution as root on glibc-based Linux systems.
- If exploited, the flaw could lead to full system compromise: complete system takeover, installation of malware, data manipulation and the creation of backdoors for persistent access.
A critical security flaw in OpenSSH that could result in unauthenticated remote code execution with root privileges in glibc-based Linux systems has been patched by the project’s maintainers.
The bug was apparently reintroduced by an upstream commit that reverted a prior fix for the same issue, previously patched as CVE-2006-5051.
Assigned CVE-2024-6387 and dubbed “RegreSSHion,” the bug is a signal handler race condition in OpenSSH’s server (sshd) that allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems.
The Vulnerability and Exploit
How can RegreSSHion be abused? During SSH authentication, the process is time-limited to a default of 120 seconds. If authentication does not complete in that time, sshd’s SIGALRM signal handler runs asynchronously and invokes system-level memory management functions.
The vulnerable versions handle this unsafely for asynchronous execution. Under certain rare conditions this triggers a race condition, leading to memory-safety violations and arbitrary code execution.
To exploit it, an attacker would need to make approximately 10,000 authentication attempts against a glibc-based Linux system (which includes the popular Ubuntu). It is a particularly sophisticated attack, since memory structures tailored to the target’s specific glibc and Linux versions must be pre-staged.
An attack is easier to stage on a 32-bit Linux system, but it could theoretically affect 64-bit systems as well, despite their additional memory protections.
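A defender’s view of the attempt count above, as an added example that is not part of the original advisory or of the OpenSSH project: every attempt that deliberately runs past the grace period ends with sshd logging a “Timeout before authentication” line when the timer fires, so a burst of such lines from a single source is the signal worth alerting on. The Python script below parses constructed syslog-style lines and reports sources that exceed a per-window threshold; the syslog prefix layout, the 10-minute window and the threshold of 20 are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd logs this message from its grace-timeout (SIGALRM) path when a client holds a
# connection open without finishing authentication within LoginGraceTime.
# Assumed prefix layout: traditional syslog "Mon DD HH:MM:SS host sshd[pid]: ".
TIMEOUT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:fatal: )?Timeout before authentication for (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_timeouts(lines):
    """Yield (datetime, source_ip) for every authentication-timeout line."""
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; datetime defaults to 1900, which is fine for deltas.
        yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")


def max_in_window(times, window_s):
    """Largest number of events inside any span of window_s seconds (two-pointer sweep)."""
    ts = sorted(times)
    best = left = 0
    for right, t in enumerate(ts):
        while (t - ts[left]).total_seconds() > window_s:
            left += 1
        best = max(best, right - left + 1)
    return best


def peak_timeouts_per_source(lines, window_s=600):
    """Per source IP, the peak number of timeouts seen within any window_s-second window."""
    by_ip = defaultdict(list)
    for t, ip in parse_timeouts(lines):
        by_ip[ip].append(t)
    return {ip: max_in_window(ts, window_s) for ip, ts in by_ip.items()}


def flag_sources(lines, threshold=20, window_s=600):
    """Sources with at least `threshold` timeouts in one window.

    The threshold is an illustrative choice: legitimate clients almost never time out
    repeatedly, while the race described above needs thousands of unfinished attempts.
    """
    return {ip: n for ip, n in peak_timeouts_per_source(lines, window_s).items()
            if n >= threshold}


# Constructed sample log: one source producing a burst of timeouts, plus ordinary noise.
_base = datetime(2024, 7, 15, 3, 0, 0)


def _stamp(dt):
    return dt.strftime("%b %d %H:%M:%S")


SAMPLE_LOG = [
    f"{_stamp(_base)} bastion sshd[4101]: Accepted publickey for deploy from 198.51.100.4 port 50122 ssh2",
    f"{_stamp(_base + timedelta(seconds=5))} bastion sshd[4102]: Invalid user admin from 198.51.100.4 port 50130",
    f"{_stamp(_base + timedelta(minutes=3))} bastion sshd[4110]: fatal: Timeout before authentication for 198.51.100.4 port 50131",
    f"{_stamp(_base + timedelta(minutes=40))} bastion sshd[4250]: fatal: Timeout before authentication for 198.51.100.4 port 50190",
]
# Sixty timeouts from one address, ten seconds apart: the kind of burst a mass-attempt produces.
SAMPLE_LOG += [
    f"{_stamp(_base + timedelta(seconds=10 * i))} bastion sshd[{5000 + i}]: "
    f"fatal: Timeout before authentication for 203.0.113.7 port {40000 + i}"
    for i in range(60)
]

if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} authentication timeouts within 10 minutes")
```

On a real host, feed it the auth log (journalctl -u ssh or /var/log/auth.log) and tune the window and threshold to the normal timeout rate; a single source producing dozens of timeouts per window is abnormal regardless of whether the race ever succeeds, and is also what a network-level rate limit on port 22 should be cutting off.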
How Bad Is This Vulnerability?
While the consequences of exploiting this kind of vulnerability are severe, the attack itself is fairly advanced and unlikely to be abused at scale.
What makes this vulnerability serious is the ubiquity of OpenSSH: it is installed by default on nearly every Linux server, conjuring painful memories of Log4Shell.
What To Do?
Update OpenSSH to the newly patched version 9.8. Many Linux distributions have already made patched packages available, often as a backported fix shipped under the distribution’s existing version string.
It is also considered best practice not to expose SSH to the open Internet: restrict it with network-based access controls and/or run it on an alternate, non-default port number.
Affected Versions
Versions from 8.5p1 through 9.7p1 are affected.
Versions prior to 4.4p1 are also vulnerable to the race condition unless they have been patched for CVE-2006-5051 and CVE-2008-4109.
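As an added example, not code from the advisory or from the OpenSSH project, the following Python script turns the ranges above into a triage check over server banners or local `ssh -V` output. It assumes the standard `OpenSSH_<major>.<minor>[p<N>]` banner token, and it takes a caller-supplied flag for hosts whose distribution backported the fix under an older version string, since a banner-only check would otherwise report those hosts as affected. The host names and banners in the sample are constructed.

```python
import re

# Both the server banner ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13") and local "ssh -V"
# output ("OpenSSH_9.8p1, OpenSSL 3.0.13 ...") carry an OpenSSH_<major>.<minor>[p<N>] token.
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text):
    """Return (major, minor, portable_release) from a banner or `ssh -V` string, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, portable = m.groups()
    return int(major), int(minor), int(portable or 0)


def classify(text, distro_backported=False):
    """Triage an OpenSSH version string against the ranges given in the advisory.

    Returns one of:
      'fixed'         9.8 or later, or a package the caller confirmed carries the backported fix
      'affected'      8.5p1 .. 9.7p1 (the regression window)
      'not-affected'  4.4p1 .. 8.4p1
      'legacy-check'  older than 4.4p1: vulnerable unless patched for CVE-2006-5051 / CVE-2008-4109
      'unknown'       no OpenSSH version token found (e.g. a different SSH implementation)
    The portable 'pN' suffix is ignored because the ranges are defined on the upstream release.
    distro_backported comes from the package changelog, not from the banner.
    """
    v = parse_version(text)
    if v is None:
        return "unknown"
    release = v[:2]
    if distro_backported or release >= (9, 8):
        return "fixed"
    if release >= (8, 5):
        return "affected"
    if release >= (4, 4):
        return "not-affected"
    return "legacy-check"


def triage_hosts(banners, backported=frozenset()):
    """banners: {host: banner_text}; backported: hosts whose package changelog confirms the fix."""
    return {host: classify(text, host in backported) for host, text in banners.items()}


# Constructed sample banners (hypothetical hosts, not real systems).
SAMPLE_BANNERS = {
    "web-01": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "web-02": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "db-01": "SSH-2.0-OpenSSH_9.8p1",
    "old-01": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "iot-01": "SSH-2.0-OpenSSH_4.3p2",
    "gw-01": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    # Pretend the package changelog for web-02 confirmed a backported fix.
    for host, verdict in triage_hosts(SAMPLE_BANNERS, backported={"web-02"}).items():
        print(f"{host:8} {SAMPLE_BANNERS[host]:45} {verdict}")
```

Collect the input with `ssh -V` on each host or from the banner a server sends on connect, and treat an 'affected' verdict as a prompt to check the distribution’s package changelog rather than as a final answer: identical banners on web-01 and web-02 above yield different verdicts only because the caller knows which package was patched.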
Sources
- Qualys article: https://www.qualys.com/regresshion-cve-2024-6387/
- Hacker News: https://thehackernews.com/2024/07/new-openssh-vulnerability-could-lead-to.html
- OpenSSH 9.8 Release Notes: https://www.openssh.com/releasenotes.html