A new flaw in OpenSSH can lead to remote code execution

Pierluigi Paganini July 10, 2024

A vulnerability affects some versions of the OpenSSH secure networking suite, it can potentially lead to remote code execution.

The vulnerability CVE-2024-6409 (CVSS score: 7.0) impacts select versions of the OpenSSH secure networking suite, it can be exploited to achieve remote code execution (RCE).

The issue is a possible race condition in cleanup_exit() in openssh’s privsep child that impacts openssh versions 8.7p1 and 8.8p1. `cleanup_exit()` gets called from the privsep child, which appears to call the non-asynchronous safe `do_cleanup()`, but possibly only post authentication (`the_authctxt != NULL`).

“A signal handler race condition vulnerability was found in OpenSSH’s server (sshd) in Red Hat Enterprise Linux 9, where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd’s SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This issue leaves it vulnerable to a signal handler race condition on the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server. As a consequence of a successful attack, in the worst case scenario, the attacker may be able to perform a remote code execution (RCE) within unprivileged user running the sshd server.” reads the advisory. “This vulnerability affects only the sshd server shipped with Red Hat Enterprise Linux 9, while upstream versions of sshd are not impact by this flaw.”

The vulnerability CVE-2024-6409 is distinct from CVE-2024-6387 (aka RegreSSHion) because in the former the race condition and RCE potential are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process.

The CVE-2024-6409 vulnerability affects only the sshd server shipped in RHEL 9, while the upstream versions of sshd are not impacted.

“The main difference from CVE-2024-6387 is that the race condition and RCE potential are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process. So immediate impact is lower.” reads the advisory. ” So immediate impact is lower. However, there may be differences in exploitability of these vulnerabilities in a particular scenario, which could make either one of these a more attractive choice for an attacker, and if only one of these is fixed or mitigated then the other becomes more relevant.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, RCE)



you might also like

leave a comment