Understanding the ‘regreSSHion’ (CVE-2024-6387)
On July 1, 2024, cybersecurity researchers from the Qualys Threat Research Unit (TRU) disclosed a critical vulnerability in OpenSSH, named ‘regreSSHion’ (CVE-2024-6387). This flaw allows unauthenticated remote code execution (RCE) within OpenSSH’s server (sshd) on glibc-based Linux systems. The vulnerability exploits a signal handler race condition triggered when a client fails to authenticate within the specified LoginGraceTime, potentially granting attackers full root access to affected systems. This significant threat emphasizes the need for robust security measures and prompt patching within Linux environments.
Introducing a New Vulnerability: CVE-2024-6409
Building on the initial disclosure, another related issue has been identified: CVE-2024-6409. This vulnerability also involves a race condition in OpenSSH, specifically within the privsep (privilege separation) child process. This vulnerability can lead to remote code execution (RCE) due to improper handling of signals.
Technical Details
The CVE-2024-6409 vulnerability arises from a race condition in signal handling within OpenSSH versions 8.7 and 8.8, particularly when the system invokes the cleanup_exit() function from within the grace_alarm_handler(). This function was not designed to be called from a signal handler and may invoke other functions that are not safe to use asynchronously. This issue is exacerbated by distribution-specific patches, such as those found in Red Hat’s OpenSSH packages for RHEL 9, which introduce additional code to cleanup_exit().
A signal handler race condition vulnerability was found in OpenSSH’s server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd’s SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This issue leaves it vulnerable to a signal handler race condition on the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server.
Impact and Exploitability
While the immediate impact of CVE-2024-6409 is lower compared to CVE-2024-6387, as it affects a child process with reduced privileges, it still presents a significant risk. Differences in the exploitability of these vulnerabilities in specific scenarios might make one more attractive to attackers. Moreover, mitigating one vulnerability without addressing the other can leave systems exposed.
As a consequence of a successful attack, in the worst case scenario, the attacker may be able to perform a remote code execution (RCE) within unprivileged user running the sshd server. This vulnerability affects only the sshd server shipped with Red Hat Enterprise Linux 9, while upstream versions of sshd are not impacted by this flaw.
Coordinated Disclosure and Analysis
This new issue was brought to the attention of major Linux distributions on June 26, 4. Qualys confirmed and completed the analysis on the same day. Although the analysis is ongoing, it has been established that the race condition and potential RCE in the privsep child process pose a considerable risk. This was not disclosed simultaneously with CVE-2024-6387 due to coordination with Red Hat, which had already begun addressing the earlier vulnerability.
Mitigation Strategies
Organizations should immediately consider implementing the following measures to mitigate the risks associated with these vulnerabilities:
- Patch Management: Update OpenSSH to the latest version that addresses these issues. For instance, replacing calls to cleanup_exit() with _exit(1) in affected versions can prevent exploitation.
- Configuration Adjustments: Set LoginGraceTime to 0 to mitigate the race condition and limit the window of opportunity for attacks.
- Access Controls: Restrict SSH access to trusted networks and implement strict authentication mechanisms, such as key-based authentication.
- Monitoring and Detection: Employ intrusion detection systems (IDS) to monitor for abnormal SSH activity and potential exploitation attempts.
Risk Information
CVSS v2:
- Base Score: 9
- Vector: CVSS2#AV/AC/Au/C/I/A
- Severity: High
CVSS v3:
- Base Score: 7
- Vector: CVSS:3.0/AV/AC/PR/UI/S/C/I/A
- Severity: High
About OpenSSH
OpenSSH continues to play a pivotal role in enabling secure communication across Unix-like systems. It remains a cornerstone of secure network management, providing robust encryption and authentication mechanisms essential for maintaining confidentiality and integrity in network operations globally. Despite vulnerabilities like ‘regreSSHion,’ OpenSSH’s commitment to security and ongoing community support underscores its critical importance in modern cybersecurity practices.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact
