CVE-2024-6409 affects OpenSSH, renewing focus on the embattled networking tool. Here's what you need to know.
Following the publication of CVE-2024-6387, OpenSSH, a cornerstone of secure network communications, has recently been hit by yet another new critical vulnerability, CVE-2024-6409. This flaw, discovered by cyber security experts, poses a significant risk to systems running specific versions of OpenSSH.
Here’s everything you need to know:
Affected products: |
OpenSSH versions 8.7 and 8.8, |
Product category: |
Server & network |
Severity: |
High |
Type: |
Signal handler race condition vulnerability |
Impact: |
Remote code execution (RCE) within the context of the unprivileged user running the SSHD server. |
PoC: |
No current availability |
Exploit in the wild |
No current evidence |
CISA Catalog |
No |
Remediation action |
Upgrade to OpenSSH 9.4 or later |
MITRE advisory |
CVE-2024-6409 is a critical vulnerability in OpenSSH, identified as a signal handler race condition. Alexander Peslyak, also known as Solar Designer, identified and reported the vulnerability. His discovery came during a review of is distinct from CVE-2024-6387 (aka RegreSSHion) which had been disclosed by Qualys earlier this month.
In his disclosure, Peslyak writes: “The main difference from CVE-2024-6387 is that the race condition and RCE potential are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process”.
“So the immediate impact is lower. However, there may be differences in exploitability of these vulnerabilities in a particular scenario, which could make either one of these a more attractive choice for an attacker, and if only one of these is fixed or mitigated then the other becomes more relevant.”
Nevertheless, it’s important also to note that t he signal handler race condition vulnerability in CVE-2024-6409 mirrors CVE-2024-6387. If a client fails to authenticate within the LoginGraceTime (default: 120 seconds), the OpenSSH daemon’s SIGALRM handler is called asynchronously, invoking non-async-signal-safe functions.
This issue makes the cleanup_exit() function vulnerable to a signal handler race condition, similar to CVE-2024-6387, in the unprivileged SSHD server child process.
CVE-2024-6409 could enable remote code execution (RCE) within the unprivileged user running the SSHD server. Notably, an active exploit for CVE-2024-6387 has been observed, with an attack vector originating from IP address 108.174.58[.]28, which hosts exploit tools and scripts, primarily targeting servers in China, as reported by Israeli cyber security company Veriti.
With a CVSS score of 7.0, this flaw relates to a case of code execution in the privsep child process due to a race condition in signal handling. It only impacts versions 8.7p1 and 8.8p1 shipped with Red Hat Enterprise Linux 9.
OpenSSH is widely used for secure network operations, but this vulnerability affects versions from 8.5p1 to 9.8p1 on glibc-based Linux systems. The issue arises when the LoginGraceTime parameter, which defaults to 120 seconds, expires without successful client authentication.
The server’s signal handler (SIGALRM) is triggered to close the connection but calls functions like syslog(), which are unsafe to execute in this asynchronous context. This leads to potential heap corruption and allows an attacker to execute arbitrary code with root privileges.
If you are running OpenSSH versions 8.5p1 to 9.8p1 on a glibc-based Linux system, you are vulnerable to CVE-2024-6409. Earlier versions before 4.4p1 and versions between 4.4p1 and 8.5p1 are not vulnerable if they were patched against a similar issue from 2006 (CVE-2006-5051). OpenBSD systems are not affected by this vulnerability.
As of the latest reports, there is no confirmed evidence that CVE-2024-6409 has been actively exploited in the wild. However, given the critical nature of this vulnerability, it is crucial to apply patches immediately to prevent potential exploitation. Cyber security firms like Oligo Security and Qualys have emphasized the importance of timely remediation to protect against possible threats.
Both CVE-2024-6409 and CVE-2024-6387 (dubbed ‘regreSSHion’) are critical vulnerabilities in OpenSSH, but they differ in their specifics. CVE-2024-6387 is a regression of a signal handler race condition in OpenSSH’s server, affecting versions 8.5p1 to 9.8p1.
This issue involves unsafe operations in the signal handler, leading to heap corruption and potential arbitrary code execution. On the other hand, CVE-2024-6409 involves a similar race condition but affects a broader range of OpenSSH versions and requires different remediation steps. Both vulnerabilities underscore the need for vigilant patching and robust security practices.
Additionally, the attack vector of the vulnerabilities have different severtities and vector parameters: While all Impact vector parameters for CVE-2024-6387 are categorized “High”, impact metrics of CVE-2024-6409 are Confidentiality (C): High, Integrity (I): Low, Availability (A): Low
To mitigate the risk posed by CVE-2024-6409, administrators should take the following steps:
Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: