CVE-2024-6387 Vulnerability

Overview

  • Vulnerable Platform: OpenSSH’s server (sshd)
  • Vulnerable Versions: 8.5p1 to 9.7p1
  • Patch Release Date: July 11, 2024
  • Vulnerability Type: Remote Code Execution (RCE)
  • CVSSv3 Score: 8.1 (High)
  • Exploit Status: Proof of Concept (POC) released; no successful exploitation observed in the wild.


Technical Description

CVE-2024-6387 is a critical Remote Code Execution (RCE) vulnerability identified in the OpenSSH server (sshd). sshd is the server-side component of the OpenSSH suite; it listens for incoming SSH connections from clients.
This vulnerability follows a similar critical flaw recently discovered in the XZ Utils library, which also impacted OpenSSH. Despite the severity of CVE-2024-6387, it remains challenging to exploit, and there have been no confirmed incidents of it being successfully used in an attack.

Vulnerable Versions

CVE-2024-6387 affects sshd versions 8.5p1 through 9.7p1 on glibc-based Linux distributions. The installed OpenSSH (sshd) version can be checked with the following command:

ssh -V
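
The following script is an added example, not part of the original advisory or of the OpenSSH project: it parses the output of the command above (or the identification banner a server sends on connect, which carries the same OpenSSH_x.ypN string) and places the version in the ranges the advisory gives. The sample inputs are constructed.

```python
import re

# Ranges as stated in the advisory (inclusive). Versions are compared as
# (major, minor, portable-patch) tuples, so 8.4p1 < 8.5p1 and 9.7p1 < 9.8p1.
ORIGINAL_FIX = (4, 4, 1)      # CVE-2006-5051 was fixed in 4.4p1
REGRESSION_FIRST = (8, 5, 1)  # first release in the regressed range
REGRESSION_LAST = (9, 7, 1)   # last release in the regressed range

VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(text):
    """Extract (major, minor, portable) from 'ssh -V' output or from a server
    identification banner, e.g. 'OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL ...'
    or 'SSH-2.0-OpenSSH_8.9p1'. Returns None when no OpenSSH version is present."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable) if portable else 0)


def classify(version):
    """Place a parsed version into the advisory's ranges."""
    if version < ORIGINAL_FIX:
        return "legacy"        # pre-4.4p1: affected by the original CVE-2006-5051
    if version < REGRESSION_FIRST:
        return "unaffected"    # 4.4p1 up to (not including) 8.5p1
    if version <= REGRESSION_LAST:
        return "vulnerable"    # 8.5p1 through 9.7p1
    return "patched"           # later than 9.7p1, outside the stated range


def assess(text):
    """'ssh -V' line or banner in, verdict string out."""
    version = parse_openssh_version(text)
    return "unknown" if version is None else classify(version)


if __name__ == "__main__":
    # Constructed sample inputs; replace with the real `ssh -V` output or the
    # banner read from your own server's SSH port.
    for sample in (
        "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024",
        "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",
        "OpenSSH_9.8p1, OpenSSL 3.3.1 4 Jun 2024",
        "OpenSSH_8.4p1 Debian-5+deb11u3, OpenSSL 1.1.1w 11 Sep 2023",
    ):
        print(f"{assess(sample):<11} {sample}")
```

Two caveats when reading the verdict: `ssh -V` reports the client binary, which on most distributions is built from the same package as sshd, but the server's banner is the authoritative source for what is actually listening; and distributions routinely backport fixes without changing the upstream version number, so a "vulnerable" verdict from the version string alone should be confirmed against the distribution's package changelog or advisory before acting on it.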

Vulnerability Details

The flaw occurs during the SSH authentication process and is tied to the LoginGraceTime parameter, which is set to 120 seconds by default. If authentication is not completed within this period, the SIGALRM signal handler fires. The issue is that this handler calls functions such as syslog() that are not async-signal-safe, and which in turn invoke system-level memory-management functions, opening the door to a race condition.
A race condition occurs when multiple processes or threads access shared resources concurrently, potentially causing unexpected behavior. In this case, the race condition can lead to memory corruption and arbitrary code execution.

This flaw was first identified in versions prior to 4.4p1 and fixed at that time. However, it resurfaced in versions 8.5p1 through 9.7p1 because a critical preprocessor directive was removed from the sigdie() function, which is called directly by the SIGALRM handler:

#ifdef DO_LOG_SAFE_IN_SIGHAND

Versions from 4.4p1 up to, but not including, 8.5p1 are unaffected because sigdie() still contained the preprocessor directive above, introduced by the patch for CVE-2006-5051. That directive ensures the insecure logging call is bypassed and the handler proceeds directly to the safe exit(1) call. The new vulnerability is therefore a regression, aptly named “regreSSHion”.

The vulnerability is exploitable only on glibc-based Linux systems, where syslog() invokes async-signal-unsafe functions such as malloc() and free(). Exploiting this vulnerability requires an attacker to attempt roughly 10,000 connections on average. Notably, OpenBSD is immune to this vulnerability due to its use of the safer syslog_r() function in its SIGALRM handler.
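
Every expiry of the LoginGraceTime timer described above is logged by sshd as "Timeout before authentication for <ip> port <port>", and the roughly 10,000 connection attempts the advisory mentions would show up as a burst of such lines from one source. The script below is an added detection example, not part of the advisory or of OpenSSH: it runs over constructed syslog-style lines and reports sources that exceed a sliding-window threshold. The year, the 60-second window and the threshold of 3 are assumptions chosen for the sample; tune them to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in syslog format (not real log data). A single
# grace-timeout line is routine; a burst from one source is the pattern
# worth alerting on.
SAMPLE_LOG = """\
Jul 12 03:14:01 bastion sshd[2101]: fatal: Timeout before authentication for 198.51.100.7 port 51234
Jul 12 03:14:01 bastion sshd[2102]: fatal: Timeout before authentication for 198.51.100.7 port 51235
Jul 12 03:14:02 bastion sshd[2103]: fatal: Timeout before authentication for 198.51.100.7 port 51236
Jul 12 03:14:02 bastion sshd[2104]: Accepted publickey for ops from 203.0.113.9 port 40122 ssh2
Jul 12 03:14:03 bastion sshd[2105]: fatal: Timeout before authentication for 198.51.100.7 port 51237
Jul 12 03:20:00 bastion sshd[2150]: fatal: Timeout before authentication for 203.0.113.9 port 40130
"""

# The "fatal: " prefix is optional so lines from other log pipelines still match.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:fatal: )?Timeout before authentication for (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


def parse_timeouts(log_text, year=2024):
    """Return [(timestamp, source_ip), ...] for every grace-timeout line.
    Classic syslog timestamps carry no year, so one is supplied (assumed)."""
    events = []
    for line in log_text.splitlines():
        m = TIMEOUT_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    return events


def peak_timeouts_per_source(events, window=timedelta(seconds=60)):
    """For each source IP, the largest number of timeouts that fall inside
    any sliding window of the given length."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    peaks = {}
    for ip, times in by_ip.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def suspicious_sources(log_text, threshold=3, window=timedelta(seconds=60)):
    """Sources whose peak timeout count within one window meets the threshold."""
    peaks = peak_timeouts_per_source(parse_timeouts(log_text), window)
    return sorted(ip for ip, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    for ip in suspicious_sources(SAMPLE_LOG):
        print(f"burst of grace timeouts from {ip}")
```

The same message is also produced by broken clients and ordinary scanners that open a TCP connection and never authenticate, so this is a triage signal rather than proof of exploitation; what it reliably tells you is which sources are repeatedly driving sshd into the signal-handler path, which is exactly the traffic the firewall and segmentation measures below are meant to keep away from an unpatched server.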

How to patch the vulnerability

To mitigate this vulnerability, it is strongly recommended to apply the security patch released on July 11, 2024. The patch is available on the official OpenSSH website:

https://www.openssh.com

Mitigation Measures

While applying the patch is the most effective solution, organizations unable to do so immediately should consider the following temporary measures:

  • Firewall Configuration: Use firewall rules to restrict SSH access to trusted IP addresses.
  • Network Segmentation: Implement network segmentation to prevent unauthorized access and limit lateral movement.
  • LoginGraceTime Adjustment: Temporarily set LoginGraceTime to zero to mitigate the risk. Note, however, that this disables the authentication timeout, so unauthenticated connections are never dropped, which increases the server’s susceptibility to DDoS attacks.
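
To verify whether the LoginGraceTime workaround is actually in effect, the following added example (not part of the advisory or of OpenSSH) reads an sshd_config and computes the value sshd would apply, following sshd's own rules: the first occurrence of a keyword wins, time values may carry s/m/h/d/w suffixes, and the directive is not permitted inside a Match block. The sample configs are constructed, and the script assumes the whole configuration is in one file (Include directives are not followed).

```python
import re

DEFAULT_LOGIN_GRACE = 120  # sshd default in seconds, as stated in the advisory

# sshd time units (sshd_config(5), TIME FORMATS); a bare number means seconds
TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time_spec(value):
    """Convert an sshd time specification such as '120', '2m' or '1h30m'
    to seconds. Raises ValueError for anything sshd would not accept."""
    value = value.strip().lower()
    if not re.fullmatch(r"(?:\d+[smhdw]?)+", value):
        raise ValueError(f"invalid time specification: {value!r}")
    return sum(int(n) * TIME_UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value))


def effective_login_grace_time(config_text):
    """Return the LoginGraceTime (seconds) sshd would apply to this config.

    Modelled rules: keywords are case-insensitive; 'key value' and 'key=value'
    are both accepted; lines starting with '#' are comments; when a keyword
    appears more than once the FIRST value wins; reading stops at the first
    Match line because LoginGraceTime is not allowed inside a Match block.
    Assumption of this example: no Include directives (single-file config)."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "logingracetime" and len(parts) == 2:
            return parse_time_spec(parts[1])
    return DEFAULT_LOGIN_GRACE


def assess_config(config_text):
    """'mitigated' when LoginGraceTime is 0 (the advisory's temporary
    workaround), otherwise 'timer-active' with the effective value."""
    grace = effective_login_grace_time(config_text)
    return "mitigated" if grace == 0 else f"timer-active:{grace}s"


# Constructed sample configs (not taken from any real host).
DEFAULT_CONFIG = """\
# nothing set, so sshd's built-in 120 s default applies
Port 22
PermitRootLogin no
"""

WORKAROUND_CONFIG = """\
LoginGraceTime 0
# a later duplicate is ignored by sshd: the first value wins
LoginGraceTime 2m
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("workaround", WORKAROUND_CONFIG)):
        print(f"{name}: {assess_config(cfg)}")
```

On the host itself, `sshd -T` prints the fully resolved effective configuration (Include files and all), so `sshd -T | grep -i logingracetime` is the authoritative check; the parser above is useful for auditing config files collected from many hosts without running sshd. Treat "mitigated" as a stopgap status only: with the timer disabled, idle unauthenticated connections hold their slots indefinitely, which is the denial-of-service trade-off the list above warns about, and the patch remains the real fix.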