A critical Remote Unauthenticated Code Execution (RCE) vulnerability has been discovered in OpenSSH’s server (sshd) on glibc-based Linux systems. This vulnerability, tracked as CVE-2024-6387, is due to a signal handler race condition, allowing remote attackers to execute arbitrary code as root without authentication.
Vulnerability Details
- CVE-2024-6387
- Type: Remote Unauthenticated Code Execution (RCE)
- Description: Signal handler race condition in OpenSSH’s server (sshd) on glibc-based Linux systems.
- Impact: Allows unauthenticated remote code execution as root, posing a critical security risk.
- Affected Systems: Default configurations of sshd on glibc-based Linux systems.
Exploitation Scope and Impact
- Potentially Vulnerable Instances:
- Over 14 million OpenSSH server instances are exposed to the Internet (based on Censys and Shodan data).
- Approximately 700,000 internet-facing instances are vulnerable (Qualys CSAM 3.0 data).
- 31% of all internet-facing instances with OpenSSH in the global customer base are vulnerable.
- 0.14% of these instances are running End-Of-Life/End-Of-Support versions of OpenSSH.
Technical Analysis
- Regressed from CVE-2006-5051: The current vulnerability is a regression of a previously patched issue from 2006. A regression occurs when a previously fixed flaw reappears in a subsequent software release, often due to updates or changes that inadvertently reintroduce the problem.
- Introduced in OpenSSH 8.5p1 (October 2020): The vulnerability resurfaced in this version due to the accidental removal of a critical component in a function.
- Complex Exploitation: The exploit involves a race condition, requiring precise timing and multiple attempts to succeed, potentially causing memory corruption and necessitating overcoming Address Space Layout Randomization (ASLR).
Active Exploits
- Public Exploits Available: Multiple exploits for CVE-2024-6387 are already available on the internet, including a proof-of-concept (PoC) hosted on GitHub .
Mitigation and Recommendations
- Patch Management:
- Immediate Action: Upgrade to the latest OpenSSH version 9.8p1, which addresses CVE-2024-6387.
- Configuration Change: If unable to update, set LoginGraceTime to 0 in the sshd configuration file to mitigate the risk (note: this exposes sshd to DoS by using up all MaxStartups connections).
- Enhanced Access Control:
- Limit SSH access through network-based controls to minimize exposure to potential attackers.
- Network Segmentation and Intrusion Detection:
- Implement network segmentation to restrict unauthorized lateral movements.
- Deploy intrusion detection systems to monitor for suspicious activities indicative of exploitation attempts.
Affected OpenSSH Versions
- Vulnerable Versions:
- Versions earlier than 4.4p1 (unless patched for CVE-2006-5051 and CVE-2008-4109).
- Versions from 8.5p1 up to, but not including, 9.8p1.
- Unaffected Versions:
- Versions from 4.4p1 up to, but not including, 8.5p1.
- OpenBSD systems (secured since 2001).
Potential Impact
Exploitation of CVE-2024-6387 could lead to:
- Full System Compromise: Attackers can execute arbitrary code with root privileges, resulting in complete system takeover.
- Malware Installation: Attackers could deploy malware to maintain persistent access.
- Data Breach: Unauthorized access to sensitive data, leading to potential data theft or public disclosure.
- Network Propagation: Use of compromised systems as footholds to exploit other vulnerable systems within the organization.
The regreSSHion vulnerability (CVE-2024-6387) in OpenSSH is a critical security threat that necessitates immediate remediation. Organizations must prioritize patching their OpenSSH installations, revising their security configurations, and implementing robust monitoring and access control measures to mitigate this risk. Despite the complexity of the exploit, the potential impact of successful exploitation underscores the urgency of addressing this vulnerability promptly.
