New OpenSSH Vulnerability May Lead to Remote Code Execution
July 10, 2024
A new vulnerability identified as CVE-2024-6409 has been discovered in OpenSSH, the secure networking suite. The flaw, which has a CVSS score of 7.0, affects versions 8.7p1 and 8.8p1 and can be exploited to achieve remote code execution (RCE). The issue is a potential race condition in the cleanup_exit() function of OpenSSH's privsep child: cleanup_exit() is invoked from the privsep child and appears to call do_cleanup(), which is not async-signal-safe, although possibly only after authentication.
A signal handler race condition vulnerability was found in OpenSSH's server (sshd) in Red Hat Enterprise Linux 9. If a client does not authenticate within LoginGraceTime seconds, sshd's SIGALRM handler is called asynchronously. This handler calls various functions that are not async-signal-safe, such as syslog(). This leaves the system vulnerable to a signal handler race condition on the cleanup_exit() function, introducing the same vulnerability as CVE-2024-6387 in the unprivileged child of the sshd server.
In the worst-case scenario, a successful attack could lead to remote code execution (RCE) in the context of the unprivileged user as which the sshd privsep child runs. This vulnerability only affects the sshd server shipped with Red Hat Enterprise Linux 9, while upstream versions of sshd are not impacted by this flaw.
The vulnerability CVE-2024-6409 is distinct from CVE-2024-6387, also known as RegreSSHion, as the race condition and RCE potential in the former are triggered in the privsep child process, which operates with reduced privileges compared to the parent server process. This means the immediate impact is lower. However, the exploitability of these vulnerabilities could vary in different scenarios, making either one a more attractive choice for an attacker. If only one of these vulnerabilities is fixed or mitigated, the other becomes more relevant.