A new security vulnerability has been discoveredย in some versions of the OpenSSH secure networking suite, which can potentially trigger remote code executionย (RCE) on affected systems.
The vulnerability, tracked as CVE-2024-6409 (CVSS score: 7.0), affects only versions 8.7p1 and 8.8p1, specifically, those shipped with Red Hat Enterprise Linux 9, as well as their corresponding portable releases.
It connects to a case of possible remote code execution within the privilege separation (privsep) child process due to a race condition in signal handling.
โA signal handler race condition vulnerability was found in OpenSSH’s server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd’s SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This issue leaves it vulnerable to a signal handler race condition on the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server,โ the vulnerability description says.
Security researcher Alexander Peslyak, who goes by the alias Solar Designer, discovered and reported the vulnerability during a comprehensive review of CVE-2024-6387, also known as RegreSSHion, which was disclosed by Qualys earlier this month.
โOpenSSH versions 8.7 and 8.8 call cleanup_exit() from grace_alarm_handler() when operating in the privsep child process. cleanup_exit() was not originally intended to be invoked from a signal handler and may trigger other async-signal-unsafe functions,โ Solar Designer says in hisย advisory.
The key difference from CVE-2024-6387 is that the race condition and RCE potential are initiated in the privsep child process, which operates with limited privileges compared to the parent server process. Although the immediate impact is lower, the exploitability and implications of CVE-2024-6409 still pose a significant risk.
โIf only one of these vulnerabilities is fixed or mitigated, the other becomes more relevant,โ explains Solar Designer.ย Bothย vulnerabilitiesย can be mitigated with the โLoginGraceTime 0โ setting, whereas the “-e” mitigation works only against CVE-2024-6387 and not (fully) against CVE-2024-6409.
Although the CVE-2024-6409 vulnerability presents a lower immediate risk, it is still recommended to take immediate action to mitigate the risks associated with it, such as:
- Ensure all affected OpenSSH server installations are updated with the latest patches.
- Review and potentially adjust the LoginGraceTime setting in SSH configurations to โ0โ to help prevent the exploitation of this and similar vulnerabilities.
- Increase monitoring for unusual activity on SSH servers, particularly failed authentication attempts and signal handling within the SSH daemon.
- Implementation of additional network security measures to restrict access to SSH servers.
