New vulnerability in OpenSSH could lead to remote code execution


Pierluigi Paganini
July 10, 2024

A vulnerability in certain builds of the OpenSSH secure networking suite could lead to remote code execution.

The vulnerability, tracked as CVE-2024-6409 (CVSS score: 7.0), affects specific versions of the OpenSSH server (sshd) and could be exploited to achieve remote code execution (RCE).

The problem is a possible race condition in `cleanup_exit()` in the sshd privsep child, affecting OpenSSH versions 8.7p1 and 8.8p1 as packaged downstream. `cleanup_exit()` is reached from the SIGALRM handler in the privsep child and in turn calls `do_cleanup()`, which does not appear to be async-signal-safe, although apparently only after authentication (`the_authctxt != NULL`). Because upstream sshd makes no async-signal-unsafe call on this path before authentication, the pre-authentication exposure comes from the additional work the distribution's own patches add to this code path.

“A signal handler race condition vulnerability has been found in the OpenSSH server (sshd) in Red Hat Enterprise Linux 9, where a client fails to authenticate within LoginGraceTime seconds (120 by default, 600 in older versions of OpenSSH), and then the sshd SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not safe with asynchronous signals, for example, syslog(). This issue makes it vulnerable to a signal handler race condition on the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server. As a result of a successful attack, in the worst case, the attacker may be able to perform remote code execution (RCE) within an unprivileged user running the sshd server,” reads Red Hat's advisory. “This vulnerability only affects the sshd server that ships with Red Hat Enterprise Linux 9, while upstream versions of sshd are not affected by this flaw.”

CVE-2024-6409 is distinct from CVE-2024-6387 (aka regreSSHion): in CVE-2024-6409 the race condition, and therefore the potential RCE, is triggered in the privsep child process, which runs with reduced privileges, whereas CVE-2024-6387 is triggered in the privileged parent server process that runs as root.
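The mechanism both CVEs share is a SIGALRM handler that does work which is not async-signal-safe while the interrupted code may be inside the heap allocator. The following is an added example, not OpenSSH code: it shows that pattern in miniature next to the safe one (a handler that only sets a `sig_atomic_t` flag, with logging moved to ordinary context). The function names (`grace_alarm_unsafe`, `install_grace_timer`, `handle_client`) and the client banner are invented for illustration.

```c
/* Added example, not OpenSSH code: the signal-handler race pattern behind
 * CVE-2024-6387 / CVE-2024-6409, in miniature, next to the safe pattern.
 * grace_alarm_unsafe, install_grace_timer and handle_client are invented names. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Vulnerable pattern: the SIGALRM handler does real work. syslog() and the
 * allocator it can reach are not async-signal-safe; if the signal lands while
 * the main code is inside malloc()/free(), the handler re-enters the allocator
 * on half-updated heap state, which is the window the sshd race abuses. */
static void grace_alarm_unsafe(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication");  /* not async-signal-safe */
    exit(1);  /* runs atexit() handlers and flushes stdio: also not safe here */
}

/* Safe pattern: the handler only records the event in a sig_atomic_t flag
 * (or, if the process must die immediately, calls _exit(), which is safe).
 * Logging moves to ordinary code that checks the flag. */
static volatile sig_atomic_t grace_expired = 0;

static void grace_alarm_safe(int sig)
{
    (void)sig;
    grace_expired = 1;
}

int grace_timeout_pending(void)
{
    return grace_expired != 0;
}

/* Arm a LoginGraceTime-style timer with one of the two handlers.
 * seconds == 0 installs the handler without arming the timer (alarm(0)). */
int install_grace_timer(unsigned seconds, int use_safe_handler)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = use_safe_handler ? grace_alarm_safe : grace_alarm_unsafe;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGALRM, &sa, NULL) != 0)
        return -1;
    alarm(seconds);
    return 0;
}

/* Simulated pre-authentication work on a constructed client banner: the
 * malloc()/free() pair is the kind of critical section the unsafe handler can
 * interrupt. Returns 0 for a valid banner, -1 for a bad one, and -2 if the
 * grace timer has fired, in which case the log line is written here, safely. */
int handle_client(const char *banner)
{
    size_t len = strlen(banner) + 1;
    char *copy = malloc(len);
    if (copy == NULL)
        return -1;
    memcpy(copy, banner, len);
    int valid = strncmp(copy, "SSH-2.0-", 8) == 0;
    free(copy);

    if (grace_timeout_pending()) {
        syslog(LOG_INFO, "Timeout before authentication");  /* safe: normal context */
        return -2;
    }
    return valid ? 0 : -1;
}
```

Calling `install_grace_timer(120, 0)` reproduces the vulnerable shape; `install_grace_timer(120, 1)` is the hardened one, and `raise(SIGALRM)` can be used to exercise the handler synchronously without waiting for the timer. The point to carry over to code review is that the list of functions safe to call from a handler is short (`_exit`, `write`, `sigaction` and the rest of the POSIX async-signal-safe set); `syslog()`, `malloc()`, `free()`, `exit()` and anything that touches stdio are not on it.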

CVE-2024-6409 affects only the sshd packages shipped with RHEL 9; upstream sshd is not affected. Administrators who cannot update immediately can apply the same mitigation Red Hat published for CVE-2024-6387: setting `LoginGraceTime 0` in sshd_config prevents the grace timer from ever raising SIGALRM, at the cost of leaving sshd open to connection-exhaustion denial of service against the MaxStartups limit.

“The main difference from CVE-2024-6387 is that the race condition and remote code execution risk are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process. The immediate impact is therefore less,” the advisory continues. “However, there may be differences in the exploitability of these vulnerabilities in a particular scenario, which could make one or the other a more attractive choice for an attacker, and if only one of these vulnerabilities is fixed or mitigated, the other becomes more relevant.”
