OpenSSH maintainers have released security updates to contain a critical security flaw that could lead to unauthenticated remote code execution with root privileges on glibc-based Linux systems.
The vulnerability has been assigned the CVE identifier CVE-2024-6387. It lies in OpenSSH server component , also known as sshd, designed to listen for connections from any client application.
“The vulnerability, which is a race condition of the signal handler in the OpenSSH server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems,” he said Bharat Jogi, senior director of Qualys' threat research unit. in a statement published today. “This race condition affects sshd in its default configuration.”
A race condition is a situation in which software behavior depends on the sequence or timing of unsynchronized operations. This problem often occurs in concurrent or multi-threaded systems, where two or more processes or threads attempt to access or modify a shared resource at the same time. If not managed properly, race conditions can cause unpredictable behavior, programming errors, and security vulnerabilities. In the security field, a race condition can be exploited by an attacker to perform unauthorized actions, access sensitive data or compromise the integrity of the system, making the implementation of adequate synchronization and access control techniques essential.
The cybersecurity firm said it has identified no fewer than 14 million potentially vulnerable OpenSSH server instances exposed on the Internet, adding that this is a reversion of an 18-year-old flaw already patched and identified as CVE-2006-5051 , with the issue reverted in October 2020. as part of OpenSSH version 8.5p1.
“Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with [ randomization of address space layout ]”, said OpenSSH in a warning. “Under laboratory conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum that the server will accept.”
The vulnerability impacts versions between 8.5p1 and 9.7p1. Versions prior to 4.4p1 are also vulnerable to the race condition bug, unless patched for CVE-2006-5051 and CVE-2008-4109 . It is worth noting that OpenBSD systems are not affected, as they include a security mechanism that blocks the flaw.
Specifically, Qualys found that if a client fails to authenticate within 120 seconds (a setting defined by LoginGraceTime), sshd's SIGALRM handler is called asynchronously, in a way that is not async-signal-safe .
The net effect of exploiting CVE-2024-6387 is complete system compromise and control, allowing threat actors to execute arbitrary code with the highest privileges, subvert security mechanisms, steal data, and even maintain an access persistent.
“A flaw, once fixed, has reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the problem,” Jogi said. “This incident highlights the crucial role of thorough regression testing to prevent the reintroduction of known vulnerabilities into the environment.”
While the vulnerability presents significant hurdles due to its remote race condition nature, users are advised to apply the latest patches to protect themselves from potential threats. We also recommend limiting SSH access through network-based controls such as firewalling and enforcing network segmentation to limit unauthorized access and lateral movement.
