
Remote Unauthenticated Code Execution – Critical vulnerability in OpenSSH that affects almost all Linux systems [CVE-2024-6387]

CVE number = CVE-2024-6387

The Qualys Threat Research Unit (TRU) has identified a Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) on glibc-based Linux systems.

An attacker could potentially gain full control of the affected system, executing arbitrary code with root privileges. This could enable the installation of malware, creation of backdoors, and the exfiltration or manipulation of data. Additionally, with root privileges, the intruder could disable or bypass critical security systems to maintain a persistent presence.

According to Bharat Jogi, senior director at Qualys TRU, in a post on the company’s website, the vulnerability is “a signal handler race condition in OpenSSH’s server (sshd).” This race condition impacts sshd in its default configuration.

Fortunately, as a race condition, it is not easy to exploit, often requiring multiple attempts for a successful attack. “This can cause memory corruption and necessitate overcoming Address Space Layout Randomization (ASLR).”

Affected OpenSSH versions:

  • OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
  • Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.
  • The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.

OpenBSD systems are unaffected by this bug, as OpenBSD developed a secure mechanism in 2001 that prevents this vulnerability.
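
As an added example (not from the original article or from Qualys), the version ranges above can be turned into a triage check over SSH identification banners gathered from your own inventory. The function names and sample banners are constructed for illustration, and treating a banner without a `p` suffix as an OpenBSD build is an assumption.

```python
import re

# Range boundaries from the affected-versions list above, as (major, minor).
FIRST_SAFE = (4, 4)    # 4.4p1: patch for CVE-2006-5051 is present
REGRESSION = (8, 5)    # 8.5p1: the vulnerability resurfaces
FIRST_FIXED = (9, 8)   # 9.8p1: first version outside the affected range

# Matches "OpenSSH_8.9p1", "OpenSSH_6.6.1p1" and OpenBSD-native "OpenSSH_9.7".
_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(p\d+)?")


def classify_banner(banner: str) -> str:
    """Map an SSH identification string to the ranges listed on this page."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return "unknown"  # not OpenSSH, or version hidden
    version = (int(m.group(1)), int(m.group(2)))
    if m.group(3) is None:
        # Assumption: no "pN" (portable) suffix means an OpenBSD-native
        # build, which the page lists as unaffected.
        return "openbsd-unaffected"
    if version < FIRST_SAFE:
        return "vulnerable-unless-patched"  # needs CVE-2006-5051/CVE-2008-4109 fixes
    if version < REGRESSION:
        return "not-vulnerable"
    if version < FIRST_FIXED:
        return "vulnerable"
    return "not-in-affected-range"


def triage(banners):
    """Return {banner: classification} for an inventory of banners."""
    return {b: classify_banner(b) for b in banners}


# Constructed sample inventory (not taken from the article).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_4.3p2",
    "SSH-2.0-OpenSSH_6.6.1p1",
    "SSH-2.0-OpenSSH_8.5p1",
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_9.7",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{verdict:28} {banner}")
```

A `vulnerable` result is only an upstream version match: distribution packages often backport fixes without changing the upstream version string, and the banner does not show whether the host is glibc-based, so confirm against the vendor's advisory for the installed package.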

You can read the full Qualys report here – https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

Jason Davies

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.
