![New OpenSSH Vulnerability Could Lead to Root RCE on Linux Systems](https://www.cloudways.com/blog/wp-content/uploads/Main-Image_750x394-201.jpg)
OpenSSH maintainers have issued security updates to address a critical flaw that could allow unauthenticated remote code execution (RCE) with root privileges on glibc-based Linux systems.
The vulnerability, identified as CVE-2024-6387, is located in the OpenSSH server component, known as sshd, which listens for connections from client applications.
“The vulnerability is a signal handler race condition in OpenSSH’s server (sshd), allowing unauthenticated remote code execution (RCE) as root on glibc-based Linux systems,” said Bharat Jogi, senior director of the threat research unit at Qualys, in a disclosure published today. “This race condition affects sshd in its default configuration.”
Qualys identified approximately 14 million potentially vulnerable OpenSSH server instances exposed to the internet. This issue is a regression of an 18-year-old flaw, CVE-2006-5051, which was reintroduced in OpenSSH version 8.5p1 in October 2020.
“Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with [address space layout randomization],” OpenSSH stated in an advisory. “Under lab conditions, the attack requires an average of 6-8 hours of continuous connections up to the server’s maximum capacity.”
The vulnerability affects versions from 8.5p1 to 9.7p1. Versions prior to 4.4p1 are also vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109. OpenBSD systems are not affected, as they include a security mechanism that blocks the flaw.
⚠️ New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems
Qualys TRU has identified a critical remote code execution vulnerability, CVE-2024-6387, in OpenSSH. This race condition can potentially allow full system takeovers, with millions of SSH servers at risk. The… pic.twitter.com/5w1J6Q1uWY
— Chris Eide (@ceide2000) July 1, 2024
Specifically, Qualys discovered that if a client fails to authenticate within 120 seconds (a setting defined by LoginGraceTime), sshd’s SIGALRM handler is called asynchronously in a manner that is not async-signal-safe.
Exploiting CVE-2024-6387 can lead to a complete system takeover, enabling threat actors to execute arbitrary code with the highest privileges, bypass security mechanisms, steal data, and maintain persistent access.
“A flaw, once fixed, has reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue,” Jogi explained. “This incident underscores the critical importance of thorough regression testing to prevent the reintroduction of known vulnerabilities.”
Although the flaw is hard to exploit in practice, since it is a remote race condition, users are advised to apply the latest patches to protect against potential threats. It is also recommended to limit SSH access through network-based controls and to enforce network segmentation, restricting unauthorized access and lateral movement.
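As an added illustration (not code from the article, Qualys, or the OpenSSH project), the following Python helper turns the facts above into a defender's triage check: it parses an sshd banner or `ssh -V` string against the affected version ranges the article lists, and reads the effective LoginGraceTime from sshd_config text, defaulting to the 120 seconds the article describes. The banner strings and config snippets used with it are constructed samples, and the rule that a missing "p" suffix denotes a native OpenBSD build is an assumption.

```python
import re

# Affected ranges as stated in the article: 8.5p1 through 9.7p1, and releases
# before 4.4p1 unless patched for CVE-2006-5051 and CVE-2008-4109.
VULN_RANGE_START = (8, 5, 1)
VULN_RANGE_END = (9, 7, 1)
LEGACY_FIXED_FROM = (4, 4, 1)

# Matches "OpenSSH_9.6p1" in a banner or `ssh -V` output. The "p" suffix marks
# the portable release used on Linux; native OpenBSD builds omit it (assumption).
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

def parse_openssh_version(banner):
    """Return (major, minor, portable) or None if no OpenSSH version is present.
    portable is None for a non-portable build."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), None if portable is None else int(portable))

def assess(banner):
    """Classify a banner against the version ranges the article lists.
    Versions inside the range are flagged for a backport check, because
    distributions often ship the fix under the same upstream version number."""
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown"
    if v[2] is None:
        # Assumption: no "p" suffix means the native OpenBSD build, which the
        # article reports is not affected.
        return "openbsd-native-not-affected"
    if v < LEGACY_FIXED_FROM:
        return "legacy-vulnerable-unless-patched"
    if VULN_RANGE_START <= v <= VULN_RANGE_END:
        return "in-affected-range-check-backports"
    return "not-in-affected-range"

def login_grace_time(config_text):
    """Effective LoginGraceTime in seconds from sshd_config text (first match wins,
    comments ignored). The 120-second default is the window the article describes."""
    units = {"s": 1, "m": 60, "h": 3600}
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            value = parts[1].lower()
            if value[-1] in units:
                return int(value[:-1]) * units[value[-1]]
            return int(value)
    return 120
```

A result of "in-affected-range-check-backports" is a prompt to confirm with the distribution's changelog or package advisory, not a verdict, since the version number alone cannot tell a backported fix from an unpatched build.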
This vulnerability highlights the ongoing need for vigilance and comprehensive testing in software development to safeguard against security flaws.
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.