Recent OpenSSH Security Vulnerability Might Result in Remote Code Execution as Superuser on Linux Machines
The OpenSSH developers have released security patches for a serious flaw that could allow unauthorized remote code execution with administrative privileges on glibc-based Linux distributions.
The vulnerability has been assigned the identifier CVE-2024-6387. It lies in the OpenSSH server component, sshd, which accepts connections from client applications.
“The vulnerability, a signal handler race condition found within OpenSSH’s server (sshd), enables remote code execution (RCE) with administrative rights on glibc-based Linux systems,” mentioned Bharat Jogi, a senior leader in Qualys’s threat research unit, in a disclosure released today. “This race condition impacts sshd in its default configuration.”
The cybersecurity company said it has identified at least 14 million potentially vulnerable OpenSSH server instances reachable from the internet. It also noted that the bug is a regression of an 18-year-old flaw, CVE-2006-5051, that had been patched at the time and was reintroduced in October 2020 as part of OpenSSH version 8.5p1.
“Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with [address space layout randomization],” mentioned OpenSSH in an advisory. “In controlled environments, the attack necessitates approximately 6-8 hours of continuous connections, reaching the maximum allowable connections permitted by the server.”
Versions 8.5p1 through 9.7p1 are affected. Versions earlier than 4.4p1 are also vulnerable to the race condition unless they have been patched for CVE-2006-5051 and CVE-2008-4109. OpenBSD systems are not affected, because they include a security mechanism that mitigates the flaw.
Qualys found that when a client fails to authenticate within 120 seconds (the LoginGraceTime setting, 120 seconds by default), sshd's SIGALRM handler is invoked asynchronously and performs work that is not async-signal-safe.

Exploiting CVE-2024-6387 can lead to a complete system compromise, letting attackers execute arbitrary code with the highest privileges, bypass security controls, steal data, and maintain persistent access.
“An issue, once resolved, resurfacing in a subsequent software update is often due to changes or modifications inadvertently reintroducing the original problem,” highlighted Jogi. “This situation emphasizes the importance of thorough regression testing to prevent the unwitting reintroduction of known vulnerabilities into the environment.”
Although the vulnerability is difficult to exploit because it is a remote race condition, users are strongly encouraged to apply the latest patches. It is also advisable to restrict SSH access with network-based controls and to segment the network so as to limit unauthorized access and lateral movement.