Some versions of the OpenSSH secure networking package are susceptible to a new remote code execution (RCE) vulnerability.
The vulnerability, tracked as CVE-2024-6409 (CVSS score: 7.0), is distinct from CVE-2024-6387 (aka RegreSSHion) and concerns code execution in the privsep child process due to a race condition in signal handling. It only affects versions 8.7p1 and 8.8p1 as shipped with Red Hat Enterprise Linux 9.
Security researcher Alexander Peslyak, who goes by the pseudonym Solar Designer, is credited with discovering and reporting the bug, which he found while reviewing CVE-2024-6387 after Qualys disclosed the latter earlier this month.
“The primary difference with CVE-2024-6387 is that the race condition and RCE potential is triggered in a privsep child process that runs with reduced privileges compared to the parent server process,” Peslyak said.
“So the immediate impact is less. However, there may be differences in the exploitability of these vulnerabilities in a given scenario, which may make any one of them a more attractive choice for an attacker, and if only one of them is patched or mitigated, the other becomes more relevant.”
It should be noted, however, that the underlying signal handler race condition is the same as in CVE-2024-6387: if a client does not authenticate within LoginGraceTime seconds (120 by default), the OpenSSH daemon's SIGALRM handler is invoked asynchronously and in turn calls various functions that are not async-signal-safe.
“This issue makes it vulnerable to a signal handler race condition in the cleanup_exit() function, which creates the same vulnerability as CVE-2024-6387, in an unprivileged SSHD child,” the vulnerability description reads.
“In a successful worst-case attack, an attacker could perform Remote Code Execution (RCE) against an unprivileged user running on the sshd server.”
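As an added illustration (not OpenSSH's code and not from the report quoted above), the C snippet below contrasts the unsafe pattern the advisory describes, a SIGALRM handler that itself performs cleanup through non-async-signal-safe calls, with the hardened form in which the handler only raises a flag and the grace-timeout cleanup runs in normal context. The `wait_for_auth()` loop, the `session_buf` state and the 64-byte allocation are constructed stand-ins for sshd's pre-authentication wait, not its real data structures.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

enum auth_result { AUTH_OK = 0, AUTH_TIMEOUT = 1 };
static volatile sig_atomic_t grace_expired = 0;
static char *session_buf = NULL;   /* constructed stand-in for per-connection state */

/* Pattern to avoid (shown for contrast, never installed here): the handler does
 * real work. syslog(), free() and exit() are not async-signal-safe, so if SIGALRM
 * lands while the main code is inside malloc() or syslog(), heap or logger state
 * is corrupted. This is the class of bug both CVEs describe. */
void unsafe_alarm_handler(int sig) {
    (void)sig;
    syslog(LOG_INFO, "grace time expired");
    free(session_buf);
    exit(1);
}

/* Hardened handler: only sets a sig_atomic_t flag; cleanup happens later in normal context. */
static void safe_alarm_handler(int sig) { (void)sig; grace_expired = 1; }

int install_safe_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_alarm_handler;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGALRM, &sa, NULL);
}

/* Models the pre-auth wait: authenticated == 0 stands in for a client that never
 * completes authentication, so the grace timer fires. SIGALRM is blocked while the
 * flag is checked and atomically unblocked inside sigsuspend(), so no wake-up is lost. */
int wait_for_auth(unsigned grace_secs, int authenticated) {
    sigset_t block, prev;
    sigemptyset(&block); sigaddset(&block, SIGALRM);
    sigprocmask(SIG_BLOCK, &block, &prev);
    grace_expired = 0;
    session_buf = malloc(64);          /* allocated and freed in normal context only */
    alarm(grace_secs);
    while (!authenticated && !grace_expired) sigsuspend(&prev);
    alarm(0);
    sigprocmask(SIG_SETMASK, &prev, NULL);
    free(session_buf); session_buf = NULL;
    return grace_expired ? AUTH_TIMEOUT : AUTH_OK;
}
```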
Since then, active exploitation of CVE-2024-6387 has been observed in the wild, with an unknown threat actor targeting servers located primarily in China.
“The initial vector of this attack comes from an IP address 108.174.58(.)28, which was reported to contain a directory listing tools and scripts to automate the exploitation of vulnerable SSH servers,” Israeli cybersecurity company Veriti said.