Vulnerabilities

CVE-2024-6387 Race Condition in Signal Handling for OpenSSH

Written by Critical Insight | Jul 1, 2024 10:18:47 PM

This advisory is for organizations that use Openssh within their environment as a network utility.  If your organization does not use this suite, this notification may be discarded. 

UPDATE: 

It was noted that Windows runs a version of SSH on desktops and servers. 

We haven’t seen anything from Microsoft addressing this vulnerability as of yet.  Windows versions can be checked from a command line prompt using “ssh -V”. 

This vulnerability works because sshd is listening for incoming requests.  Most desktop versions of Windows should not be exposed to the internet in this way.  Server versions that are accepting incoming requests may be in scope of this vulnerability and may require mitigating controls. 

From our research, it appears that Microsoft updates SSH through regular Windows updates and as such is several versions behind (the instance we looked at with all applied updates is version OpenSSH_for_Windows_8.1p1.)  That should be considered prior to exposing SSH on Windows Server to the internet. 

OpenSSH can be managed using a GPO as noted at https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh-group-policy

Summary

Qualys discovered a vulnerability present in OpenSSH’s server (sshd) which allows an attacker to attempt to achieve unauthenticated remote code execution (RCE) as root by winning a race condition in sshd.  "Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with [address space layout randomization]," OpenSSH said in an advisory. "Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept." Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon.

 

OpenSSH continues in the advisory: “Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation (yes - this is a thing, no - we don't understand why) may potentially have an easier path to exploitation.”

 

CVE-2024-6387: CVSSv3.1: 8.1

               Openssh: Possible Remote Code Execution Due To A Race Condition In Signal Handling

 

Affected Platforms

  • OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
  • Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.
  • The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.
  • OpenBSD is not vulnerable.

 

Mitigations

  • Patch Management: Check any exposed Linux glibc systems running OpenSSH and patch them if they are vulnerable.
  • Enhanced Access Control: Limit SSH access through network-based controls to minimize the attack risks.
  • Network Segmentation and Intrusion Detection: Divide networks to restrict unauthorized access and lateral movements within critical environments and deploy systems to monitor and alert on unusual activities indicative of exploitation attempts.

 

Additional Resources

https://www.openssh.com/releasenotes.html

https://www.bleepingcomputer.com/news/security/new-regresshion-openssh-rce-bug-gives-root-on-linux-servers/

https://www.cve.org/CVERecord?id=CVE-2024-6387

https://thehackernews.com/2024/07/new-openssh-vulnerability-could-lead-to.html