Select versions of the OpenSSH secure networking suite are susceptible to a new vulnerability that can trigger remote code execution (RCE).
The vulnerability, tracked as CVE-2024-6409 (CVSS score: 7.0), is distinct from CVE-2024-6387 (aka RegreSSHion) and relates to a case of code execution in the privsep child process due to a race condition in signal handling. It only impacts versions 8.7p1 and 8.8p1 shipped with Red Hat Enterprise Linux 9.
Security researcher Alexander Peslyak, who goes by the alias Solar Designer, has been credited with discovering and reporting the bug, which was found during a review of CVE-2024-6387 after the latter was disclosed by Qualys earlier this month.
“The main difference from CVE-2024-6387 is that the race condition and RCE potential are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process,” Peslyak said.
“So the immediate impact is lower. However, there may be differences in exploitability of these vulnerabilities in a particular scenario, which could make either one of these a more attractive choice for an attacker, and if only one of these is fixed or mitigated then the other becomes more relevant.”
However, it’s worth noting that the signal handler race condition vulnerability is the same as CVE-2024-6387, wherein if a client does not authenticate within LoginGraceTime seconds (120 by default), then the OpenSSH daemon process’ SIGALRM handler is called asynchronously, which then invokes various functions that are not async-signal-safe.
“This issue leaves it vulnerable to a signal handler race condition on the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server,” according to the vulnerability description.
“As a consequence of a successful attack, in the worst case scenario, the attacker may be able to perform a remote code execution (RCE) within unprivileged user running the sshd server.”
An active exploit for CVE-2024-6387 has since been detected in the wild, with an unknown threat actor targeting servers primarily located in China.
“The initial vector of this attack originates from the IP address 108.174.58[.]28, which was reported to host a directory listing exploit tools and scripts for automating the exploitation of vulnerable SSH servers,” Israeli cybersecurity company Veriti said.