OpenSSH Vulnerability: CVE-2024-6409 to RCE
A new vulnerability in select versions of the OpenSSH secure networking suite has been discovered, potentially allowing for remote code execution (RCE). This vulnerability, tracked as CVE-2024-6409 with a CVSS score of 7.0, affects versions 8.7p1 and 8.8p1 of OpenSSH, specifically those shipped with Red Hat Enterprise Linux 9.
Understanding CVE-2024-6409
CVE-2024-6409 is a case of code execution in the privsep (privilege separation) child process due to a race condition in signal handling. This flaw was identified by security researcher Alexander Peslyak, also known as Solar Designer, during a review of another recent vulnerability, CVE-2024-6387 (RegreSSHion).
Key Differences from CVE-2024-6387
• Impact Area: While both CVE-2024-6409 and CVE-2024-6387 involve a race condition in signal handling, CVE-2024-6409 affects the privsep child process, which operates with reduced privileges compared to the parent server process.
• Immediate Impact: The initial impact of CVE-2024-6409 is lower because it affects a process with reduced privileges. Depending on the scenario, however, it could be as severe as, or even more readily exploitable than, CVE-2024-6387.
How the Vulnerability Works
The vulnerability arises because the OpenSSH daemon's SIGALRM handler runs asynchronously when a client fails to authenticate within LoginGraceTime (default 120 seconds). The handler can call functions that are not async-signal-safe, which creates a race condition.
The same kind of race condition as in CVE-2024-6387 is thus reachable in the unprivileged child of the sshd server, potentially allowing a remote attacker to execute code with the privileges of the unprivileged user under which that child runs.
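As an added illustration of the async-signal-safety problem described above (this is not OpenSSH's code and not part of the original article), the following C program contrasts a SIGALRM handler that does real work in signal context with the flag-only pattern that keeps non-reentrant calls in the main loop. The names `grace_expired`, `run_grace_period`, `install_grace_handler` and the scripted authentication loop are assumptions made for the example; `raise()` stands in for the alarm the kernel would deliver asynchronously after `alarm(LoginGraceTime)`.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Set by the handler. sig_atomic_t is the only type C guarantees can be
 * written from a signal handler and read from normal code without tearing. */
static volatile sig_atomic_t grace_expired = 0;

/* PATTERN TO AVOID (shown for contrast, never installed below): the handler
 * itself allocates, formats and logs. If SIGALRM arrives while the main code
 * is inside malloc() or stdio, these calls re-enter non-reentrant library
 * state, which is the kind of race the text describes. */
void unsafe_grace_handler(int sig)
{
    (void)sig;
    char *msg = malloc(64);                                 /* not async-signal-safe */
    if (msg != NULL) {
        snprintf(msg, 64, "login grace time exceeded");    /* not async-signal-safe */
        fprintf(stderr, "%s\n", msg);                       /* not async-signal-safe */
        free(msg);                                          /* not async-signal-safe */
    }
    _exit(1);
}

/* HARDENED PATTERN: the handler records the event and does nothing else. */
static void safe_grace_handler(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* Install the flag-only handler for SIGALRM. Returns 0 on success. */
int install_grace_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_grace_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Arm the grace timer the way a daemon would (real asynchronous delivery). */
void start_grace_timer(unsigned int seconds)
{
    alarm(seconds);
}

/* Simulated authentication loop. Each iteration stands for one protocol
 * round. auth_done_at and alarm_at are hypothetical round numbers that
 * script the scenario deterministically; raise() substitutes for the kernel
 * delivering the alarm. Returns 1 if the grace period expired, 0 if
 * authentication completed first, -1 if neither happened in time. */
int run_grace_period(int auth_done_at, int alarm_at, int max_iterations)
{
    grace_expired = 0;
    for (int i = 0; i < max_iterations; i++) {
        if (i == alarm_at)
            raise(SIGALRM);
        if (grace_expired) {
            /* Ordinary context: the non-reentrant calls are safe here. */
            char *msg = malloc(64);
            if (msg != NULL) {
                snprintf(msg, 64, "grace period expired at round %d", i);
                fprintf(stderr, "%s\n", msg);
                free(msg);
            }
            grace_expired = 0;
            return 1;
        }
        if (i == auth_done_at)
            return 0;
    }
    return -1;
}

int main(void)
{
    if (install_grace_handler() != 0) {
        perror("sigaction");
        return 1;
    }
    /* Scripted run: alarm at round 2, auth would only finish at round 5. */
    int r = run_grace_period(5, 2, 10);
    printf("scripted result: %d (1 = grace period expired)\n", r);
    /* Real timer: a 1-second grace period with authentication never completing. */
    start_grace_timer(1);
    while (!grace_expired)
        pause();
    printf("real alarm observed by the main loop, not handled in signal context\n");
    return 0;
}
```

The design point is that the only thing the handler touches is a `volatile sig_atomic_t`; everything that needs the heap, stdio or logging happens when the main loop notices the flag, so no non-reentrant code can be interrupted and re-entered.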
Active Exploits in the Wild
An active exploit for CVE-2024-6387 has already been detected. Attackers have been targeting servers primarily located in China, with the initial attack vector originating from the IP address 108.174.58[.]28. This IP address hosts a directory listing of exploit tools and scripts designed to automate the exploitation of vulnerable SSH servers.
What to Do Next
1. Check Versions: Ensure that your OpenSSH version is not 8.7p1 or 8.8p1, especially if you are using Red Hat Enterprise Linux 9.
2. Apply Patches: Update to the latest version of OpenSSH as soon as patches are available to mitigate these vulnerabilities.
3. Monitor for Exploits: Keep an eye on network traffic for any signs of attempted exploitation, particularly from known malicious IP addresses.
4. Enhance Security Posture: Consider additional security measures such as stricter firewall rules, intrusion detection systems, and regular security audits.
Conclusion
The discovery of CVE-2024-6409 highlights the importance of staying vigilant and up-to-date with security patches. By understanding the nature of these vulnerabilities and taking proactive measures, you can better protect your systems from potential attacks. Stay informed, stay secure.