Voyager18 (research)

CVE-2024-6409: Yet another OpenSSH vulnerability

CVE-2024-6409 affects OpenSSH, renewing focus on the embattled networking tool. Here's what you need to know.

Yair Divinsky | July 10, 2024

Following the publication of CVE-2024-6387, OpenSSH, a cornerstone of secure network communications, has recently been hit by yet another new critical vulnerability, CVE-2024-6409. This flaw, discovered by cyber security experts, poses a significant risk to systems running specific versions of OpenSSH.

Here’s everything you need to know:

CVE-2024-6409: TL;DR

Affected products: OpenSSH versions 8.7 and 8.8
Product category: Server & network
Severity: High
Type: Signal handler race condition vulnerability
Impact: Remote code execution (RCE) within the context of the unprivileged user running the SSHD server.
PoC: No current availability
Exploit in the wild: No current evidence
CISA Catalog: No
Remediation action: Upgrade to OpenSSH 9.4 or later
MITRE advisory: Read more

What is CVE-2024-6409?

CVE-2024-6409 is a critical vulnerability in OpenSSH, identified as a signal handler race condition. Alexander Peslyak, also known as Solar Designer, identified and reported the vulnerability. His discovery came during a review of CVE-2024-6387 (aka RegreSSHion), which Qualys had disclosed earlier this month; the new flaw is distinct from it.

In his disclosure, Peslyak writes: “The main difference from CVE-2024-6387 is that the race condition and RCE potential are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process”. 

“So the immediate impact is lower. However, there may be differences in exploitability of these vulnerabilities in a particular scenario, which could make either one of these a more attractive choice for an attacker, and if only one of these is fixed or mitigated then the other becomes more relevant.” 

Nevertheless, it is important to note that the signal handler race condition in CVE-2024-6409 mirrors CVE-2024-6387. If a client fails to authenticate within the LoginGraceTime (default: 120 seconds), the OpenSSH daemon's SIGALRM handler is called asynchronously and invokes functions that are not async-signal-safe.

This issue makes the cleanup_exit() function vulnerable to a signal handler race condition, similar to CVE-2024-6387, in the unprivileged SSHD server child process. 

CVE-2024-6409 could enable remote code execution (RCE) in the context of the unprivileged user running the SSHD server. Notably, an active exploit for CVE-2024-6387 has been observed, with an attack vector originating from IP address 108.174.58[.]28, which hosts exploit tools and scripts and primarily targets servers in China, as reported by Israeli cyber security company Veriti.

With a CVSS score of 7.0, this flaw relates to a case of code execution in the privsep child process due to a race condition in signal handling. It only impacts versions 8.7p1 and 8.8p1 shipped with Red Hat Enterprise Linux 9. 

OpenSSH is widely used for secure network operations, but this vulnerability affects versions from 8.5p1 to 9.8p1 on glibc-based Linux systems. The issue arises when the LoginGraceTime parameter, which defaults to 120 seconds, expires without successful client authentication.

The server’s signal handler (SIGALRM) is triggered to close the connection but calls functions like syslog(), which are unsafe to execute in this asynchronous context. This leads to potential heap corruption and allows an attacker to execute arbitrary code with root privileges. 


Does CVE-2024-6409 affect me?

If you are running OpenSSH versions 8.5p1 to 9.8p1 on a glibc-based Linux system, you are vulnerable to CVE-2024-6409. Versions before 4.4p1, and versions from 4.4p1 up to 8.5p1, are not vulnerable if they were patched against a similar issue from 2006 (CVE-2006-5051). OpenBSD systems are not affected by this vulnerability.


Has CVE-2024-6409 been actively exploited in the wild?

As of the latest reports, there is no confirmed evidence that CVE-2024-6409 has been actively exploited in the wild. However, given the critical nature of this vulnerability, it is crucial to apply patches immediately to prevent potential exploitation. Cyber security firms like Oligo Security and Qualys have emphasized the importance of timely remediation to protect against possible threats. 

Both CVE-2024-6409 and CVE-2024-6387 (dubbed ‘regreSSHion’) are critical vulnerabilities in OpenSSH, but they differ in their specifics. CVE-2024-6387 is a regression of a signal handler race condition in OpenSSH’s server, affecting versions 8.5p1 to 9.8p1.

This issue involves unsafe operations in the signal handler, leading to heap corruption and potential arbitrary code execution. On the other hand, CVE-2024-6409 involves a similar race condition but affects a broader range of OpenSSH versions and requires different remediation steps. Both vulnerabilities underscore the need for vigilant patching and robust security practices. 

Additionally, the two vulnerabilities have different severities and vector parameters: while all impact metrics for CVE-2024-6387 are rated "High", the impact metrics of CVE-2024-6409 are Confidentiality (C): High, Integrity (I): Low, Availability (A): Low.


How to fix CVE-2024-6409

To mitigate the risk posed by CVE-2024-6409, administrators should take the following steps: 

  1. Upgrade OpenSSH – Apply the fix available in the latest OpenSSH release. This patch ensures that only safe operations are performed in the signal handler context, preventing potential heap corruption. 
  2. Temporary workaround – If upgrading is not immediately possible, a temporary workaround is to set LoginGraceTime to 0 in the OpenSSH configuration file. This prevents unauthenticated sessions from being kept open but may lead to denial of service if all connection slots are used. 
  3. Monitoring and detection – Use security tools like Oligo ADR to detect anomalies in application behavior, which can indicate attempts to exploit the vulnerability. These tools can provide insights into the specific functions being targeted and help in proactive mitigation. 
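The two checks above (is the installed version in the range this page lists, and is the LoginGraceTime workaround in place) can be scripted. The following is an added example, not code from the article or from the OpenSSH project; it assumes you feed it the output of `sshd -V`/`ssh -V` style banners and the text of sshd_config, and it uses the 8.5p1 to 9.8p1 range exactly as the article states it.

```python
import re

# Affected range as stated on this page: OpenSSH 8.5p1 through 9.8p1
# (the page also singles out the 8.7p1/8.8p1 builds shipped with RHEL 9).
AFFECTED_MIN, AFFECTED_MAX = (8, 5, 1), (9, 8, 1)
DEFAULT_LOGIN_GRACE = 120  # sshd default, in seconds


def parse_openssh_version(banner):
    """Return (major, minor, patch) from e.g. 'OpenSSH_8.7p1, OpenSSL ...', else None."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def parse_time(value):
    """Convert sshd time syntax ('120', '2m', '1h30m') to seconds."""
    units = {"s": 1, "m": 60, "h": 3600}
    pairs = re.findall(r"(\d+)([smh]?)", value.lower())
    return sum(int(n) * units.get(u, 1) for n, u in pairs)


def login_grace_time(sshd_config):
    """Effective LoginGraceTime: sshd honours the first occurrence of a keyword,
    ignores comments, and falls back to 120 when the keyword is absent."""
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            return parse_time(parts[1])
    return DEFAULT_LOGIN_GRACE


def assess(banner, sshd_config):
    """Classify a host as unknown / not_affected / mitigated / vulnerable."""
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown"
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "not_affected"
    # The page's interim workaround: LoginGraceTime 0 disables the timeout
    # whose SIGALRM handler is the trigger (at the cost of slot exhaustion).
    return "mitigated" if login_grace_time(sshd_config) == 0 else "vulnerable"


# Constructed sample inputs, not captured from a real host.
SAMPLE_BANNER = "OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022"
SAMPLE_CONFIG = """# LoginGraceTime 30   <- commented out, ignored
LoginGraceTime 2m
LoginGraceTime 0      # later duplicate, ignored by sshd
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```

A "mitigated" result only means the workaround is present; the upgrade in step 1 is still the fix.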


Further reading

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. Q1 2024 Vulnerability Watch
  2. The MITRE ATT&CK framework: Getting started
  3. The true impact of exploitable vulnerabilities for 2024
  4. Vulnerability disclosure policy (and how to get it right)
  5. How to properly tackle zero-day threats
