The maintainers of OpenSSH have recently issued urgent updates to address a critical security flaw that could potentially allow unauthorized remote code execution with root privileges on Linux systems using the glibc library.
This vulnerability, designated as CVE-2024-6387, resides within the OpenSSH server component, commonly known as sshd, which is responsible for accepting incoming connections from client applications.
According to Bharat Jogi, senior director of Qualys’ threat research unit, who disclosed the issue today, “The vulnerability stems from a race condition in OpenSSH’s server (sshd), enabling unauthenticated remote code execution (RCE) with root privileges on glibc-based Linux systems.” This race condition affects sshd even in its default setup.
Qualys has identified a staggering 14 million potentially vulnerable instances of OpenSSH servers accessible via the internet. They highlight that this flaw is a regression of a previously patched vulnerability dating back 18 years (CVE-2006-5051), which resurfaced in October 2020 with the release of OpenSSH version 8.5p1.
OpenSSH noted in their advisory, “Successful exploitation of this vulnerability has been demonstrated on 32-bit Linux/glibc systems with address space layout randomization. In controlled settings, the attack typically requires continuous connections for 6-8 hours, up to the maximum limit allowed by the server.”
This vulnerability affects OpenSSH versions from 8.5p1 to 9.7p1. Systems running versions prior to 4.4p1 are also susceptible to the race condition unless they have been patched for CVE-2006-5051 and CVE-2008-4109. Notably, OpenBSD systems are not affected due to built-in security measures that mitigate this flaw.
Specifically, Qualys discovered that if a client fails to authenticate within 120 seconds (the LoginGraceTime setting), sshd’s SIGALRM handler is triggered asynchronously in a manner that is not async-signal-safe.
Exploiting CVE-2024-6387 allows for complete compromise of the system, granting threat actors the ability to execute arbitrary code with the highest privileges, bypass security mechanisms, steal data, and maintain persistent access.
Bharat Jogi emphasized, “The reappearance of a previously patched flaw in a subsequent software release is often due to inadvertent changes or updates. This incident underscores the critical importance of rigorous regression testing to prevent the reintroduction of known vulnerabilities.”
Despite the challenging nature of this remote race condition vulnerability, users are strongly advised to promptly apply the latest patches to safeguard against potential threats. Additionally, it is recommended to restrict SSH access through network controls and enforce network segmentation to limit unauthorized access and lateral movement.