Some versions of OpenSSH contain a serious vulnerability, distinct from the CVE-2024-6387 flaw disclosed last week, that can potentially lead to remote code execution. The bug was discovered during the analysis of the other OpenSSH flaw last month but was not disclosed at the same time because some of the affected vendors did not have a fix ready.
The newly disclosed vulnerability (CVE-2024-6409) is a race condition that in some cases will expose the same weakness as the CVE-2024-6387 bug.
“A signal handler race condition vulnerability was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This issue leaves it vulnerable to a signal handler race condition on the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server,” the vulnerability description says.
Security researcher Alexander Peslyak, known as Solar Designer, discovered the new bug while reviewing Qualys researchers’ analysis of the initial OpenSSH flaw late last month. The issues are related, but not identical, and the newer bug only affects OpenSSH 8.7 and 8.8.
“The main difference from CVE-2024-6387 is that the race condition and RCE potential are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process. So immediate impact is lower. However, there may be differences in exploitability of these vulnerabilities in a particular scenario, which could make either one of these a more attractive choice for an attacker, and if only one of these is fixed or mitigated then the other becomes more relevant. In particular, the "LoginGraceTime 0" mitigation works against both issues, whereas the "-e" mitigation only works against CVE-2024-6387 and not (fully) against CVE-2024-6409,” Solar Designer’s advisory says.
On July 1, Qualys researchers disclosed the details of CVE-2024-6387, which is also a race condition and can lead to remote unauthenticated code execution. The bug is a regression: it was originally fixed in 2006 and reintroduced in 2020. CVE-2024-6387, nicknamed regreSSHion, affects more versions of OpenSSH than the newer vulnerability.
“This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization,” the Qualys advisory says.
Affected vendors released fixes for CVE-2024-6387 as part of the disclosure last week.