On July 1, 2024, a critical race condition in the signal handler of the OpenSSH server (sshd) was disclosed, affecting glibc-based Linux systems. This race condition can enable an attacker to inject and execute malicious code with root privileges, potentially leading to complete system compromise, unauthorized access, data breaches, and other severe security incidents.
Vulnerability Details
Vulnerability Background
OpenSSH (Open Secure Shell) is a suite of secure networking tools based on the SSH protocol, running on port 22. It provides secure remote login, file transfer, and other network services over unsecured networks. OpenSSH encrypts all traffic to prevent eavesdropping, connection hijacking, and other attacks, ensuring strong authentication and secure communications.
This vulnerability can be exploited remotely on glibc-based Linux systems because sshd's SIGALRM handler calls syslog(), which in turn calls async-signal-unsafe functions such as malloc() and free(); the result is unauthenticated remote code execution with root privileges. This is possible because sshd's privileged code is not sandboxed and runs with full privileges. OpenBSD is not vulnerable because its signal alarm (SIGALRM) handler uses syslog_r(), an async-signal-safe version of syslog().
This vulnerability affects the following OpenSSH server versions:
However, successfully exploiting this weakness is difficult for several reasons:
Specific Software: Only vulnerable OpenSSH versions running on glibc-based Linux systems are at risk.
Timing Challenge: Attackers need very precise timing to exploit the vulnerability's window.
Multiple Attempts: The random nature of the exploit often requires repeated tries.
Limited Scope: The exploit relies on specific features of glibc's memory allocation, making it less effective on other systems.
In conclusion, while the potential impact of CVE-2024-6387 is significant, the complexity of the exploit reduces the immediate widespread risk. Nonetheless, patching all vulnerable systems is essential to completely eliminate this threat. System administrators should prioritize updating OpenSSH on affected machines as soon as possible.
Happy Learning!!