Select versions of the OpenSSH secure networking suite are susceptible to a new vulnerability that can trigger remote code execution (RCE). The vulnerability, tracked as CVE-2024-6409 (CVSS score: 7.0), is distinct from CVE-2024-6387 (aka RegreSSHion) and relates to a case of code execution in the privsep child process due to a race condition in signal handling. It only impacts versions 8.7p1 and 8.8p1 shipped with Red Hat Enterprise Linux 9. This vulnerability, if exploited, could lead to full system compromise, where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access.[1]
Security researcher Alexander Peslyak, who goes by the alias Solar Designer, has been credited with discovering and reporting the bug. It was found during a review of CVE-2024-6387 after Qualys disclosed it earlier this month. "The main difference from CVE-2024-6387 is that the race condition and RCE potential are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process," Peslyak said.
"So, the immediate impact is lower. However, there may be differences in the exploitability of these vulnerabilities in a particular scenario, making either a more attractive choice for an attacker. If only one of these is fixed or mitigated, the other becomes more relevant."
It is worth noting that the underlying signal handler race condition is the same one behind CVE-2024-6387: if a client does not authenticate within LoginGraceTime seconds (120 by default), the OpenSSH daemon's SIGALRM handler is called asynchronously, and that handler then invokes various functions that are not async-signal-safe. According to the vulnerability description, this leaves the cleanup_exit() function exposed to a signal handler race condition, reintroducing the CVE-2024-6387 flaw in the unprivileged child of the sshd server. In the worst case, a successful attack may give the attacker remote code execution (RCE) as the unprivileged user running that sshd child process.
An active exploit for CVE-2024-6387 has since been detected in the wild, with an unknown threat actor targeting servers primarily located in China. The initial vector of this attack originates from the IP address 108.174.58[.]28, which was reported to host a directory listing of exploit tools and scripts for automating the exploitation of vulnerable SSH servers.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
[1] https://thehackernews.com/2024/07/new-openssh-vulnerability-discovered.html