OpenSSH has released security updates to address a critical security flaw that could lead to unauthenticated remote code execution with root privileges on glibc-based Linux systems.
The vulnerability, codenamed regreSSHion, has been assigned the CVE ID CVE-2024-6387. It is located in the OpenSSH server component, also known as sshd, which is designed to listen for connections from any client application.
“A race condition vulnerability in the OpenSSH (sshd) server signal handler allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems,” Bharat Jogi, senior director of threat research at Qualys, said in a disclosure released today. “This race condition affects sshd in its default configuration.”
The cybersecurity firm said it had identified at least 14 million potentially vulnerable instances of OpenSSH servers exposed to the Internet, adding that the bug is a regression of an already patched 18-year-old flaw tracked as CVE-2006-5051, with the issue reintroduced in October 2020 as part of OpenSSH version 8.5p1.
“Successful use has been demonstrated on 32-bit Linux/glibc systems with ASLR (address space layout randomization),” OpenSSH said in the advisory. “In lab conditions, the attack requires an average of 6-8 hours of continuous connections up to the maximum the server can handle.”
The vulnerability affects versions from 8.5p1 through 9.7p1. Versions prior to 4.4p1 are also vulnerable to the race condition unless patched for CVE-2006-5051 and CVE-2008-4109. It should be noted that OpenBSD systems are not affected, as they include a security mechanism that prevents the flaw from being exploited.
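For inventory purposes, the affected ranges above can be turned into a simple banner check. The C below is an added example, not Qualys or OpenSSH code: it parses the version string an OpenSSH server announces (for example from a saved banner such as `SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13`, a constructed sample) and reports whether it falls in a range the article lists. The function names and sample banners are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

typedef struct { int major, minor, patch; } ssh_ver;

/* Parse "OpenSSH_9.6p1" (optionally with the "SSH-2.0-" prefix and trailing
 * distribution text). Returns 0 on success, -1 if this is not an OpenSSH banner. */
static int parse_openssh_banner(const char *banner, ssh_ver *v) {
    const char *p = strstr(banner, "OpenSSH_");
    if (p == NULL) return -1;
    p += strlen("OpenSSH_");
    v->patch = 0;                       /* "9.7" without a p-suffix counts as p0 */
    int n = sscanf(p, "%d.%dp%d", &v->major, &v->minor, &v->patch);
    return n >= 2 ? 0 : -1;
}

/* Lexicographic comparison on (major, minor, patch). */
static int ver_cmp(ssh_ver a, ssh_ver b) {
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* 1 = version lies in a range the advisory lists as affected,
 * 0 = outside those ranges, -1 = banner could not be parsed.
 * Caveat: distributions backport fixes without bumping the version string,
 * so a hit here is a candidate for verification against vendor advisories,
 * not a confirmed vulnerable host. */
static int cve_2024_6387_candidate(const char *banner) {
    ssh_ver v;
    if (parse_openssh_banner(banner, &v) != 0) return -1;
    const ssh_ver lo = {8, 5, 1}, hi = {9, 7, 1}, legacy = {4, 4, 1};
    if (ver_cmp(v, lo) >= 0 && ver_cmp(v, hi) <= 0) return 1;   /* 8.5p1 .. 9.7p1 */
    if (ver_cmp(v, legacy) < 0) return 1;  /* < 4.4p1 unless patched for the 2006/2008 CVEs */
    return 0;
}

int main(void) {
    /* Constructed sample banners, as a scanner or asset inventory might store them. */
    const char *samples[] = {
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
        "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-OpenSSH_4.3p2",
        "SSH-2.0-dropbear_2022.83",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = cve_2024_6387_candidate(samples[i]);
        printf("%-45s %s\n", samples[i],
               r == 1 ? "in affected range (verify)" :
               r == 0 ? "outside affected range" : "not OpenSSH / unparsed");
    }
    return 0;
}
```

Treat the output as a worklist, not a verdict: a patched distribution package will still announce 9.6p1, so the banner check only tells you which hosts to confirm through the package manager or vendor advisory.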
It is likely that the security flaw also affects both macOS and Windows, although its exploitability on these platforms remains unconfirmed and requires further analysis.
Specifically, Qualys found that if a client does not authenticate within 120 seconds (the default value of the LoginGraceTime parameter), sshd’s SIGALRM handler is invoked asynchronously, and that handler calls functions that are not async-signal-safe.
The net effect of exploiting CVE-2024-6387 is complete system compromise and hijacking, allowing threat actors to execute arbitrary code with the highest privileges, subvert security mechanisms, steal data, and even maintain persistent access.
“A flaw that was fixed would reappear in a subsequent software release, usually due to changes or updates that inadvertently reintroduced the problem,” Jogi said. “This incident highlights the critical role of thorough regression testing to prevent the re-introduction of known vulnerabilities into the environment.”
While exploiting the vulnerability faces significant obstacles due to the nature of remote race conditions, users are encouraged to apply the latest patches to protect against potential threats. It is also recommended to restrict SSH access using network management tools and to enforce network segmentation to limit unauthorized access and lateral movement.
Update
Cybersecurity firms Unit 42, a division of Palo Alto Networks, and Wiz stated that the vulnerability is unlikely to be widely or opportunistically exploited, given that an attacker would need to know in advance which Linux distribution they are targeting in order to create a functional exploit.
Another factor that may prevent its mass exploitation is the fact that an attack can take up to eight hours and require up to 10,000 authentication attempts, as Kaspersky noted, although this does not exclude the possibility of very targeted exploitation.
“The specific nature of the race conditions and their operation require a significant number of attempts to successfully execute, with varying success rates depending on version and environment,” Oligo said.
Akamai, in its own advisory, noted that the root cause of the problem is a race condition caused by unsafe signal handling when waiting for user authentication.
“After a timeout, a SIGALRM signal is generated, causing the thread executing the heap management routine to abort,” it explained. “If the signal handler itself calls the heap management routine, it can cause unexpected behavior and, in this case, arbitrary code execution.”
OpenSSF’s Omkhar Arasaratnam said the OpenSSH vulnerability highlights the importance of maintaining secure open source development practices, especially in “long-standing projects that are foundational to companies around the world.”
“It’s also a reminder that not all vulnerabilities are malicious, as we saw recently with XZ Utils,” he said. “Code regressions are common, so ongoing thorough testing is an important step that cannot be ignored.”
“The open source community must also remain vigilant in evaluating the open source code they use, staying abreast of updates, and following the principles of secure software development.”