CVE-2024-6387 is a serious flaw affecting OpenSSH versions 8.5p1 to 9.7p1, discovered to be a regression of an 18-year-old issue (CVE-2006-5051). This vulnerability, a race condition in sshd's signal handler, permits remote code execution (RCE) with root privileges on glibc-based Linux systems, presenting a high risk of total system compromise. Organizations should patch their OpenSSH instances as soon as possible.
Overview of the OpenSSH Vulnerability
OpenSSH is a collection of software tools that facilitate secure remote login through the SSH encryption protocol. The vulnerability, believed to impact 14 million internet-facing OpenSSH instances, could lead to a full system compromise and takeover, allowing threat actors to execute arbitrary code with the highest privileges, bypass security mechanisms, steal data, and maintain persistent access.
Exploiting CVE-2024-6387
At the time of publishing, the vulnerability is only known to impact versions between 8.5p1 and 9.7p1 on glibc-based Linux systems. While the vulnerability, a signal handler race condition, has only been shown to be exploitable under specific conditions, organizations should patch their OpenSSH instances as soon as possible.
Race conditions occur when multiple processes or execution contexts access and manipulate shared resources concurrently without proper synchronization, leading to unpredictable behavior. In CVE-2024-6387, the race lies in the signal handler that sshd runs when a connection has not finished authenticating within LoginGraceTime, which is why the workaround below disables that timeout.
Furthermore, in an advisory OpenSSH stated that "Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept."
Mitigating CVE-2024-6387
- Patch Systems: OpenSSH released version 9.8 on July 1, 2024, addressing this vulnerability. Ensure all systems are updated.
- Network Controls: Implement firewalls and intrusion detection/prevention systems to monitor and control SSH traffic, mitigating the risk of prolonged connections.
If you cannot take these actions immediately, this signal handler race condition can be closed by setting LoginGraceTime to 0 in the sshd configuration file. This makes sshd vulnerable to a denial of service (the exhaustion of all MaxStartups connections), but it makes it safe from the remote code execution described above.
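The following script is an added example, not part of the original advisory or of the OpenSSH project, covering the three mitigation steps above in one place: classifying an sshd version banner against the affected 8.5p1 to 9.7p1 range, checking whether an sshd_config applies the LoginGraceTime 0 workaround, and counting the "Timeout before authentication" messages sshd logs when a connection runs out of LoginGraceTime, so that a sustained stream of them from one source can be alerted on. The function names, the config fragment and the log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original advisory): offline checks for the
# CVE-2024-6387 mitigations. All helper names and sample data are constructed.

# Returns 0 when the banner's upstream version is in the affected range
# 8.5p1 .. 9.7p1, 1 otherwise. Caveat: distributions backport fixes without
# changing this string, so confirm a "vulnerable" result against the package
# changelog before acting on it.
is_affected_version() {
    parsed=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$parsed" ] || return 1          # not a banner we can parse
    major=${parsed% *}
    minor=${parsed#* }
    if [ "$major" -eq 8 ] && [ "$minor" -ge 5 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -le 7 ]; then return 0; fi
    return 1
}

# Returns 0 when the sshd_config at $1 sets LoginGraceTime 0. sshd honours
# the first occurrence of a keyword, so the first match wins, and an absent
# keyword means the default (120 seconds) applies. Caveat: Include
# directives are not followed here; on a live host `sshd -T` shows the
# effective value.
login_grace_disabled() {
    value=$(awk 'tolower($1) == "logingracetime" { print $2; exit }' "$1")
    [ "$value" = "0" ]
}

# Reads sshd log lines on stdin and prints every source address that
# produced at least $1 "Timeout before authentication" entries. sshd logs
# that message when a connection exhausts LoginGraceTime; many of them from
# one source over hours is the prolonged-connection pattern worth alerting on.
grace_timeout_sources() {
    awk -v threshold="$1" '
        /Timeout before authentication for/ {
            for (i = 1; i <= NF; i++) if ($i == "for") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) if (count[ip] >= threshold) print ip }
    ' | sort
}

# Constructed sshd_config fragment (not a real host's configuration).
SAMPLE_CONFIG='# constructed sshd_config fragment
Port 22
#LoginGraceTime 120
LoginGraceTime 0
MaxStartups 10:30:100'

# Constructed log lines; addresses are from documentation ranges.
SAMPLE_LOG='Jul  1 02:10:01 bastion sshd[4021]: Timeout before authentication for 203.0.113.7 port 51234
Jul  1 02:12:05 bastion sshd[4033]: Timeout before authentication for 203.0.113.7 port 51240
Jul  1 02:14:09 bastion sshd[4041]: Timeout before authentication for 203.0.113.7 port 51251
Jul  1 02:15:30 bastion sshd[4050]: Accepted publickey for ops from 198.51.100.4 port 40022 ssh2
Jul  1 02:16:44 bastion sshd[4052]: Timeout before authentication for 198.51.100.9 port 40100'

# Demonstration on the constructed inputs.
if is_affected_version "OpenSSH_9.6p1 Ubuntu-3ubuntu13"; then
    echo "banner is in the affected upstream range (check for a backported fix)"
fi
cfg=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$cfg"
login_grace_disabled "$cfg" && echo "LoginGraceTime 0 workaround is applied"
rm -f "$cfg"
echo "sources with 3 or more grace-time timeouts:"
printf '%s\n' "$SAMPLE_LOG" | grace_timeout_sources 3
```

On a real host the banner comes from `ssh -V` or from the server's own greeting, the config check is better done against `sshd -T` output, and the log function can be fed from the system journal or auth log; the threshold should be tuned so that ordinary scanner noise does not page anyone while the hours-long pattern the advisory describes does.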
CVE-2024-6387 poses a critical threat due to its potential for RCE with root privileges. Despite the complexity of exploitation, the severity of the impact necessitates prompt action. Updating to OpenSSH 9.8 and strengthening network defenses are essential steps in mitigating this risk.