A recently discovered vulnerability in select versions of the OpenSSH secure networking suite poses a serious risk of remote code execution (RCE) on servers. This flaw, identified as CVE-2024-6409 with a CVSS score of 7.0, involves a race condition in signal handling within the privsep child process.
The vulnerability affects OpenSSH versions 8.7p1 and 8.8p1 included with Red Hat Enterprise Linux 9. Discovered by security researcher Alexander Peslyak, also known as Solar Designer, it came to light during a review of the previously reported CVE-2024-6387 by Qualys.
“The main difference from CVE-2024-6387 is that the race condition and RCE potential are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process,” Peslyak noted. Although the immediate impact is lower, the exploitability could differ based on the scenario, making either vulnerability a significant threat.
The signal handler race condition becomes active if a client does not authenticate within the default LoginGraceTime of 120 seconds. This triggers the OpenSSH daemon process’ SIGALRM handler, which then calls non-async-signal-safe functions, leaving the system open to attack.
“As a result of a successful attack, the attacker could perform remote code execution (RCE) within the unprivileged user running the sshd server,” according to the vulnerability description.
[PSA 📣] Dear @Platformsh users, we’ve audited our use of OpenSSH and can confirm we’re unaffected by the remote code execution vulnerability, however we have identified another issue with minimal impact. We’re in the process of rolling out fixes. #OpenSSH #regreSSHion pic.twitter.com/aR3vXGsT5R
— Platform.sh (@platformsh) July 9, 2024
An active exploit for CVE-2024-6387 has already been observed, with an unknown threat actor targeting servers mainly in China. The attack’s initial vector is traced to IP address 108.174.58[.]28, which hosts exploit tools and scripts for automating the exploitation of vulnerable SSH servers, as reported by Israeli cybersecurity firm Veriti.
Organizations must urgently secure their systems and mitigate these vulnerabilities to prevent potential exploitation.
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
