
New OpenSSH vulnerability could lead to RCE with root privileges on Linux systems

July 1, 2024 | Newsroom | Linux / Vulnerabilities


The maintainers of OpenSSH have released a security update to address a critical security flaw that could lead to unauthenticated remote code execution with root privileges on glibc-based Linux systems.

This vulnerability has been assigned the CVE identifier CVE-2024-6387 and exists in the OpenSSH server component, also known as sshd, which is designed to listen for connections from any client application.

“The vulnerability is a signal handler race condition in OpenSSH server (sshd) that allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems,” Bharat Jogi, senior director of threat research at Qualys, said in the disclosure published today. “The race condition affects the default configuration of sshd.”


The cybersecurity firm said it had identified more than 14 million potentially vulnerable OpenSSH server instances exposed to the internet, adding that this was a regression of a flaw that had already been fixed 18 years ago, tracked as CVE-2006-5051, and that the issue had resurfaced in October 2020 with OpenSSH version 8.5p1.

“Successful attacks have been demonstrated on 32-bit Linux/glibc systems with address space layout randomization,” OpenSSH said in its advisory. “In a lab environment, the attack requires an average of 6-8 hours of continuous connection, up to the maximum time the server will accept.”

This vulnerability affects versions 8.5p1 through 9.7p1. Versions prior to 4.4p1 are also affected by the race condition bug unless they have the patches for CVE-2006-5051 and CVE-2008-4109 applied. Note that OpenBSD systems are not affected as they contain security mechanisms that block this flaw.
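As an added example (not part of the original article), the following Python helper parses an sshd banner or `ssh -V` line and maps the version onto the ranges stated above: 8.5p1 through 9.7p1 affected, pre-4.4p1 affected unless the older fixes were applied, and native OpenBSD builds (no "pN" suffix) not affected. The sample banners are constructed, not taken from real hosts.

```python
import re

# Version ranges as stated in the article: 8.5p1 through 9.7p1 is affected;
# anything before 4.4p1 is affected unless the CVE-2006-5051 / CVE-2008-4109
# fixes were applied; OpenBSD's native (non-"p") builds are not affected.
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(text):
    """Extract (major, minor, portable_patch) from a banner or `ssh -V` line.

    portable_patch is the N in "pN" for OpenSSH Portable, or None for a
    native OpenBSD build. Returns None if no OpenSSH version is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else None)


def classify_version(version):
    """Map a parsed version onto the ranges named in the article."""
    major, minor, patch = version
    if patch is None:
        return "not_affected_openbsd"
    v = (major, minor, patch)
    if v < (4, 4, 1):
        return "legacy"  # affected unless the 2006/2008 patches are applied
    if (8, 5, 1) <= v <= (9, 7, 1):
        return "affected"
    return "not_affected"


def classify_banner(text):
    """Return "unknown" when the banner is not OpenSSH at all."""
    version = parse_openssh_version(text)
    return "unknown" if version is None else classify_version(version)


# Constructed sample banners (not from real hosts) to exercise the check.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_9.7",
    "SSH-2.0-OpenSSH_4.3p2",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner:45s} -> {classify_banner(banner)}")
```

Distributions often backport fixes without bumping the upstream version, so an "affected" result from the version string alone means "check the vendor advisory and package changelog", not proof of exposure.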

Specifically, Qualys discovered that if a client does not authenticate within 120 seconds (the default value of the LoginGraceTime setting), sshd's SIGALRM handler is invoked asynchronously and calls functions that are not async-signal-safe.


The ultimate impact of exploiting CVE-2024-6387 is the compromise and takeover of the entire system, allowing a threat actor to execute arbitrary code with the highest privileges, subvert security mechanisms, steal data, and even maintain persistent access.

“We have seen flaws that were once fixed reappear in subsequent software releases, usually because a change or update introduced a new problem that reintroduced the issue,” Jogi said. “This incident highlights the critical role that thorough regression testing plays in preventing known vulnerabilities from being reintroduced into an environment.”

While the remote race condition makes this vulnerability difficult to exploit, users are advised to apply the latest patches to protect against potential threats, as well as to restrict SSH access through network-based controls and enforce network segmentation to limit unauthorized access and lateral movement.
