OpenSSH maintainers have released security updates to contain a critical security flaw that could result in unauthenticated remote code execution with root privileges in glibc-based Linux systems.
The vulnerability, codenamed regreSSHion, has been assigned the CVE identifier CVE-2024-6387. It resides in the OpenSSH server component, also known as sshd, which is designed to listen for connections from any of the client applications.
"The vulnerability, which is a signal handler race condition in OpenSSH's server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems," Bharat Jogi, senior director of the threat research unit at Qualys, said in a disclosure published today. "This race condition affects sshd in its default configuration."
The cybersecurity firm said it identified no less than 14 million potentially vulnerable OpenSSH server instances exposed to the internet, adding it's a regression of an already patched 18-year-old flaw tracked as CVE-2006-5051, with the problem reinstated in October 2020 as part of OpenSSH version 8.5p1.
"Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with [address space layout randomization]," OpenSSH said in an advisory. "Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept."
The vulnerability impacts versions between 8.5p1 and 9.7p1. Versions prior 4.4p1 are also vulnerable to the race condition bug unless they are patched for CVE-2006-5051 and CVE-2008-4109. It's worth noting that OpenBSD systems are unaffected as they include a security mechanism that blocks the flaw.
It is likely that the security shortcoming also affects both macOS and Windows, although its exploitability on these platforms remains unconfirmed and requires more analysis.Specifically, Qualys found that if a client does not authenticate within 120 seconds (a setting defined by LoginGraceTime), then sshd's SIGALRM handler is called asynchronously in a manner that's not async-signal-safe.
The net effect of exploiting CVE-2024-6387 is a full system compromise and takeover, enabling threat actors to execute arbitrary code with the highest privileges, subvert security mechanisms, data theft, and even maintain persistent access.
"A flaw, once fixed, has reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue," Jogi said. "This incident highlights the crucial role of thorough regression testing to prevent the reintroduction of known vulnerabilities into the environment."
While the vulnerability has significant roadblocks due to its remote race condition nature, users are recommended to apply the latest patches to secure against potential threats. It's also advised to limit SSH access through network-based controls and enforce network segmentation to restrict unauthorized access and lateral movement.
Update
Cybersecurity firms Palo Alto Networks Unit 42 and Wiz have said the vulnerability is unlikely to be subjected to widespread or opportunistic exploitation, given that an attacker must know in advance what Linux distribution they are targeting in order to build a functional exploit.
Another factor that's likely to prevent it from being mass exploited is the fact that the attack can take as long as eight hours to complete and require as many as 10,000 authentication steps, as pointed out by Kaspersky, although it doesn't rule out the possibility of a highly-targeted exploitation.
"The specific nature of the race condition and its exploitation require a significant number of attempts to achieve successful execution, with varying success rates depending on the version and environment," Oligo said.
Akamai, in its own advisory, noted that the root cause of the issue is a race condition caused by unsafe handling of signals when user authentication times out.
"Upon timeout, a SIGALRM signal is generated, which causes an interrupt to a thread that is executing a heap management routine," it explained. "If the signal handler itself calls the heap management routine, it could cause unexpected behavior and, in this case, execute arbitrary code."
OpenSSF's Omkhar Arasaratnam said the OpenSSH vulnerability highlights the importance of adhering to secure development practices in open-source, particularly in "long-standing projects that are foundational for companies worldwide."
"This is also a reminder that not all vulnerabilities are caused maliciously, like we saw recently with XZ Utils," he said. "Code regressions are common, which is why continual, thorough testing is a crucial step that cannot be overlooked."
"The open-source community must also remain vigilant in evaluating the open source code they are using, staying on top of updates, and adhering to the principles of secure software development."
A Number of Cisco Products Found Vulnerable
Cisco has revealed that several of its products are vulnerable to CVE-2024-6387 (CVSS score: 8.1) and that it's planning to release software updates over the next couple of months.
