Select versions of the OpenSSH secure networking suite are vulnerable to a newly discovered flaw that can lead to remote code execution (RCE).
Tracked as CVE-2024-6409 (CVSS score: 7.0), this vulnerability is different from CVE-2024-6387 (also known as RegreSSHion) and involves code execution in the privsep child process due to a race condition in signal handling. It affects only versions 8.7p1 and 8.8p1 shipped with Red Hat Enterprise Linux 9.
Security researcher Alexander Peslyak, alias Solar Designer, discovered and reported the bug during a review of CVE-2024-6387, which was disclosed by Qualys earlier this month.
“The main difference from CVE-2024-6387 is that the race condition and RCE potential occur in the privsep child process, which operates with reduced privileges compared to the parent server process,” Peslyak explained.
“This results in a lower immediate impact. However, the exploitability of these vulnerabilities can vary in specific scenarios, potentially making one more attractive to an attacker. If only one vulnerability is fixed or mitigated, the other becomes more relevant.”
Like CVE-2024-6387, the flaw is a signal handler race condition: if a client does not authenticate within LoginGraceTime seconds (120 by default), the OpenSSH daemon’s SIGALRM handler runs asynchronously and calls functions that are not async-signal-safe.
“This leaves it vulnerable to a signal handler race condition on the cleanup_exit() function, creating the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server,” according to the vulnerability description.
In the worst case, a successful attack allows remote code execution (RCE) in the context of the unprivileged user under which the sshd privsep child runs.
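As an added illustration (not code from the article, from Red Hat or from OpenSSH), the C program below models the race described above: a SIGALRM handler that does cleanup work in the handler itself (the vulnerable pattern, where free() is not async-signal-safe) next to a handler that only records that the grace timer fired and leaves the cleanup to ordinary code. The names EXIT_LOGIN_GRACE, session_buf, authenticate_with_grace and the two *_client callbacks are hypothetical, the "clients" are constructed stand-ins for a peer that authenticates immediately or stalls, and the program does not try to hit the allocator at the right instant; it shows the structural difference, not an exploit.

```c
/* Added example, not code from the article, Red Hat or OpenSSH: a minimal
 * model of the SIGALRM grace-timer race. EXIT_LOGIN_GRACE, session_buf and
 * the *_client callbacks are hypothetical names chosen for this demo. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define EXIT_LOGIN_GRACE 2          /* hypothetical "grace time expired" status */

static char *session_buf;           /* heap state shared by main code and handler */

/* VULNERABLE PATTERN (shown, not installed below): cleanup runs inside the
 * handler. free() is not async-signal-safe, so if SIGALRM lands while the
 * main code is inside malloc()/free(), the allocator is re-entered with
 * inconsistent state. The peer controls the timing: it only has to stall
 * until LoginGraceTime expires while the daemon is busy with allocations. */
void vuln_alarm_handler(int sig)
{
    (void)sig;
    free(session_buf);              /* not async-signal-safe */
    session_buf = NULL;
    _exit(EXIT_LOGIN_GRACE);        /* _exit() itself is async-signal-safe */
}

/* HARDENED PATTERN: the handler only writes a volatile sig_atomic_t flag,
 * the one kind of shared-state update a handler may safely perform. */
static volatile sig_atomic_t grace_expired;

static void safe_alarm_handler(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* Install a SIGALRM handler without SA_RESTART, so a blocking call in the
 * main loop is interrupted and the loop gets to inspect the flag. */
static int install_alarm_handler(void (*handler)(int))
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Drive auth_step() until it reports success (returns 1) or the grace timer
 * fires. All cleanup happens here, in ordinary context, never in the handler.
 * Returns 0 on success, EXIT_LOGIN_GRACE on timeout, -1 on setup failure. */
int authenticate_with_grace(unsigned grace_seconds, int (*auth_step)(void))
{
    int rc;

    grace_expired = 0;
    if (install_alarm_handler(safe_alarm_handler) != 0)
        return -1;
    if ((session_buf = malloc(4096)) == NULL)
        return -1;

    alarm(grace_seconds);
    for (;;) {
        if (grace_expired) { rc = EXIT_LOGIN_GRACE; break; }
        if (auth_step())    { rc = 0; break; }
    }
    alarm(0);                       /* disarm before touching shared state */
    free(session_buf);              /* safe here: not in signal context */
    session_buf = NULL;
    return rc;
}

/* Constructed clients for the demonstration. */
static int instant_client(void)  { return 1; }          /* authenticates at once */
static int stalling_client(void) { pause(); return 0; } /* blocks like a read(); SIGALRM interrupts it */

int main(void)
{
    printf("instant client  -> %d\n", authenticate_with_grace(1, instant_client));
    printf("stalling client -> %d (grace expired)\n",
           authenticate_with_grace(1, stalling_client));
    return 0;
}
```

The demo keeps the check-flag-then-block sequence simple; production code should close the window between testing grace_expired and blocking (for example by blocking SIGALRM with sigprocmask() and waiting in sigsuspend() or pselect()), otherwise a signal that arrives between the check and the blocking call is lost until the next wakeup. Whether the vendor fix for CVE-2024-6409 takes this shape is not described in the article.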
Separately, an exploit for CVE-2024-6387 has been observed in the wild, with an unknown threat actor targeting servers primarily located in China.
“The initial vector of this attack originates from the IP address 108.174.58[.]28, which was reported to host a directory listing of exploit tools and scripts for automating the exploitation of vulnerable SSH servers,” Israeli cybersecurity company Veriti said.