New OpenSSH Vulnerability May Lead to Remote Code Execution

July 10, 2024

A new vulnerability identified as CVE-2024-6409 has been discovered in OpenSSH, the secure networking suite. This flaw, which has a CVSS score of 7.0, affects versions 8.7p1 and 8.8p1 and can be exploited to achieve remote code execution (RCE). The issue is a potential race condition in the cleanup_exit() function of OpenSSH's privsep child. cleanup_exit() is called from the privsep child and appears to call do_cleanup(), which is not async-signal-safe, though possibly only after authentication.

A signal handler race condition vulnerability was found in OpenSSH's server (sshd) in Red Hat Enterprise Linux 9. If a client does not authenticate within LoginGraceTime seconds, sshd's SIGALRM handler is invoked asynchronously. This handler calls various functions that are not async-signal-safe, such as syslog(). This leaves the system vulnerable to a signal handler race condition on the cleanup_exit() function, introducing the same vulnerability as CVE-2024-6387 in the unprivileged child of the sshd server.
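The handler pattern described above, shown as an added C illustration that is not OpenSSH's code: a SIGALRM handler that does its own logging and teardown (the hazardous shape) next to one that only sets a flag and defers the work to ordinary context. The simulated loop and raise(SIGALRM) are constructed stand-ins for sshd's LoginGraceTime alarm.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Constructed illustration of the bug class, not OpenSSH's code. */

/* Hazardous pattern: the grace-timeout handler does real work itself.
 * syslog() and the heap are not async-signal-safe; if the signal lands while
 * the interrupted code is already inside them, the handler re-enters them on
 * half-updated state. Shown only for contrast; never installed below. */
__attribute__((unused))
static void grace_timeout_unsafe(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication"); /* unsafe in a handler */
    _exit(1);                                          /* teardown omitted */
}

/* Safe pattern: the handler only records that the deadline passed. */
static volatile sig_atomic_t grace_expired = 0;

static void grace_timeout_safe(int sig)
{
    (void)sig;
    grace_expired = 1;          /* storing a sig_atomic_t is permitted here */
}

int install_safe_grace_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_timeout_safe;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGALRM, &sa, NULL);   /* 0 on success */
}

/* Stand-in for the authentication loop: raise(SIGALRM) plays the role of
 * alarm(LoginGraceTime) expiring. Logging and cleanup run here, in ordinary
 * context, after the handler has returned. Returns 1 when the timeout was
 * observed and handled outside the handler, -1 on setup failure. */
int simulate_grace_timeout(void)
{
    if (install_safe_grace_handler() != 0)
        return -1;
    grace_expired = 0;
    raise(SIGALRM);
    if (!grace_expired)
        return -1;
    syslog(LOG_INFO, "Timeout before authentication"); /* safe: not in a handler */
    return 1;
}
```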

In the worst-case scenario, a successful attack could lead to remote code execution (RCE) as the unprivileged user that runs the sshd child process. This vulnerability only affects the sshd server shipped with Red Hat Enterprise Linux 9, while upstream versions of sshd are not impacted by this flaw.

The vulnerability CVE-2024-6409 is distinct from CVE-2024-6387, also known as RegreSSHion, as the race condition and RCE potential in the former are triggered in the privsep child process, which operates with reduced privileges compared to the parent server process. This means the immediate impact is lower. However, the exploitability of these vulnerabilities could vary in different scenarios, making either one a more attractive choice for an attacker. If only one of these vulnerabilities is fixed or mitigated, the other becomes more relevant.
