New OpenSSH Vulnerability Exposes Systems To Potential RCE Attack

A newly disclosed vulnerability in some versions of the OpenSSH secure networking suite could allow an unauthenticated attacker to achieve remote code execution (RCE) on affected systems.

The vulnerability, tracked as CVE-2024-6409 (CVSS score: 7.0), affects only OpenSSH 8.7 and 8.8 and their portable releases 8.7p1 and 8.8p1, including the OpenSSH packages shipped with Red Hat Enterprise Linux 9.

The flaw is a possible remote code execution inside the privilege separation (privsep) child process, caused by a race condition in signal handling.

“A signal handler race condition vulnerability was found in OpenSSH’s server (sshd): where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), sshd’s SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This issue leaves it vulnerable to a signal handler race condition on the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server,” the vulnerability description says.

Security researcher Alexander Peslyak, better known by the alias Solar Designer, discovered and reported the vulnerability while reviewing CVE-2024-6387, also known as RegreSSHion, which Qualys disclosed earlier this month.

“OpenSSH versions 8.7 and 8.8 call cleanup_exit() from grace_alarm_handler() when operating in the privsep child process. cleanup_exit() was not originally intended to be invoked from a signal handler and may trigger other async-signal-unsafe functions,” Solar Designer says in his advisory.

The key difference from CVE-2024-6387 is that the race, and therefore the code execution, happens in the privsep child process, which runs with reduced privileges, whereas RegreSSHion affects the root-privileged parent. The immediate impact is lower, but the flaw still offers an unauthenticated attacker a path to code execution on the server, so CVE-2024-6409 remains a significant risk.

“If only one of these vulnerabilities is fixed or mitigated, the other becomes more relevant,” explains Solar Designer. Both vulnerabilities can be mitigated with the ‘LoginGraceTime 0’ setting, whereas the “-e” mitigation (running sshd with -e, which sends log output to stderr instead of syslog()) works only against CVE-2024-6387 and not (fully) against CVE-2024-6409.

Although CVE-2024-6409 presents a lower immediate risk, it is still recommended to act promptly to mitigate it:

  1. Ensure all affected OpenSSH server installations are updated with the latest vendor patches.
  2. Where patching is delayed, set LoginGraceTime to ‘0’ in sshd_config to prevent exploitation of this and similar vulnerabilities. Note that 0 disables the timeout entirely, so unauthenticated connections can occupy connection slots up to the MaxStartups limit; treat it as a stopgap, not a permanent setting.
  3. Increase monitoring for unusual activity on SSH servers, particularly bursts of connections from one source that repeatedly hit the LoginGraceTime timeout without authenticating (sshd logs these as “Timeout before authentication”).
  4. Restrict network access to SSH servers (firewall rules, allow-lists, or a bastion host or VPN) so that untrusted clients cannot reach the login prompt at all.

By Kavita Iyer (https://www.techworm.net)