Recent OpenSSH Bug May Result in Remote Code Execution as Administrator on Linux Systems
The team behind OpenSSH has released updates to address a severe security issue that could potentially lead to the execution of unauthorized code as an administrator on Linux systems running glibc.
The CVE-2024-6387 identifier has been assigned to this vulnerability, which is present in the OpenSSH server component known as sshd. This component is responsible for accepting connections from client applications.
“The flaw in the OpenSSH server (sshd) is a race condition in the signal handler, allowing for remote code execution (RCE) as an administrator on glibc-based Linux systems,” stated Bharat Jogi, who serves as the senior director of the threat research unit at Qualys, in a disclosure issued today. “This race condition impacts the default configuration of sshd.”
Qualys reported that approximately 14 million OpenSSH servers exposed to the internet are potentially vulnerable. The vulnerability is a regression of CVE-2006-5051, a flaw fixed 18 years ago, which resurfaced in October 2020 with the release of OpenSSH version 8.5p1.
“The vulnerability has been confirmed on 32-bit Linux/glibc systems with address space layout randomization,” documented OpenSSH in an advisory. “In controlled settings, the attack requires an average of 6-8 hours of continuous connections up to the server’s maximum limit.”
The affected versions range from 8.5p1 to 9.7p1. Servers prior to version 4.4p1 are also susceptible to this race condition issue unless they have been updated to address CVE-2006-5051 and CVE-2008-4109. Notably, OpenBSD systems remain unaffected due to their incorporated security mechanisms that mitigate this flaw.
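For inventory triage, the version ranges above can be checked against collected SSH banners. The following is an added example, not code from OpenSSH or Qualys; the hostnames, sample banners and status labels are constructed for illustration.

```python
import re

# Version boundaries as stated in the article.
REGRESSED_FROM = (8, 5)   # 8.5p1, first release with the regression
REGRESSED_TO = (9, 7)     # 9.7p1, last affected release
LEGACY_FIXED_IN = (4, 4)  # releases before 4.4p1 need the 2006/2008 patches

# Matches "OpenSSH_9.6p1", "OpenSSH_3.7.1p2", etc.; only major.minor is
# needed because the affected ranges fall on major.minor boundaries.
_VERSION = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def classify(banner):
    """Map an SSH banner or version string to a triage status."""
    m = _VERSION.search(banner)
    if m is None:
        return "unparsed"
    version = (int(m.group(1)), int(m.group(2)))
    if REGRESSED_FROM <= version <= REGRESSED_TO:
        # Distributions often backport fixes without changing the upstream
        # version string, so confirm against the vendor's package changelog.
        return "in-affected-range"
    if version < LEGACY_FIXED_IN:
        # Affected unless patched for CVE-2006-5051 and CVE-2008-4109.
        return "legacy-verify-patches"
    return "outside-affected-range"


def triage(inventory):
    """Return {host: status} for a mapping of host -> banner string."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hostnames and banners are illustrative).
SAMPLE = {
    "bastion-01": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "build-02": "SSH-2.0-OpenSSH_8.4p1 Debian-5",
    "legacy-03": "SSH-2.0-OpenSSH_4.3p2",
    "edge-04": "SSH-2.0-OpenSSH_9.8p1",
    "appliance-05": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:14} {status}")
```

A banner version alone is not conclusive: it says nothing about whether the host runs glibc-based Linux or whether the vendor has backported a fix.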
Qualys discovered that if a client fails to authenticate within 120 seconds (as defined by LoginGraceTime), sshd’s SIGALRM handler is called asynchronously in a manner that is not async-signal-safe.

Exploiting CVE-2024-6387 can lead to a total system compromise, granting malicious actors the ability to execute code with the highest privileges, evade security measures, steal data, and persistently access the system.
“After fixing a vulnerability, it resurfaced in a subsequent software release, often due to inadvertent modifications or updates that reintroduce the problem,” highlighted Jogi. “This incident emphasizes the crucial role of extensive regression testing to prevent the recurrence of known vulnerabilities in the environment.”
Although the vulnerability is difficult to exploit because it is a remote race condition, users are urged to apply the latest patches as a precaution. It is also recommended to restrict SSH access through network controls and to enforce network segmentation to prevent unauthorized access and lateral movement.

