New OpenSSH Vulnerability CVE-2024-6409 Exposes Systems to RCE Attack

Security researchers have discovered a new vulnerability in OpenSSH, identified as CVE-2024-6409, which could potentially allow remote code execution attacks on affected systems.

This vulnerability, which affects OpenSSH versions 8.7 and 8.8, allows for potential remote code execution (RCE) due to a race condition in signal handling within the privilege separation (privsep) child process.

EHA

OpenSSH Vulnerability CVE-2024-6409

The vulnerability was publicly disclosed on July 8, 2024, following an in-depth analysis by Qualys following the previous vulnerability CVE-2024-6387 and further review by security researchers.

CVE-2024-6409 is a race condition in the grace_alarm_handler() function, which improperly calls cleanup_exit() from within a signal handler. This function is not safe to call in such a context as it may invoke other functions that are not async-signal-safe, leading to potential security risks.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

The issue is particularly concerning for systems running OpenSSH versions 8.7 and 8.8, as well as their corresponding portable releases. The vulnerability is exacerbated by certain downstream patches, such as the openssh-7.6p1-audit.patch found in Red Hat’s package of OpenSSH, which adds additional code to cleanup_exit() that can trigger the vulnerability.

The key distinction from CVE-2024-6387 lies in the fact that the race condition and potential for remote code execution (RCE) are initiated in the privsep child process. This process operates with limited privileges in comparison to the parent server process. Consequently, the immediate impact is reduced.

While the immediate impact of CVE-2024-6409 is somewhat mitigated by the fact that the race condition and RCE potential are triggered in the privsep child process, which operates with reduced privileges compared to the parent server process, the vulnerability still poses a significant risk.

The privsep child process is designed to limit the damage that can be done if it is compromised, but the potential for remote code execution remains a serious threat.

Mitigation and Patching

Security experts recommend immediate action to mitigate the risks associated with CVE-2024-6409. The following steps are advised:

  • Apply Patches: Ensure that all affected systems are updated with the latest patches. Rocky Linux, for example, has already released a patch for this vulnerability.
  • Configuration Adjustments: Implement mitigations such as setting LoginGraceTime to 0, which can help prevent the exploitation of this and similar vulnerabilities.
  • Monitoring and Alerts: Increase monitoring for unusual activity, particularly around authentication attempts and signal handling within the SSH daemon.

This disclosure follows the disclosure of another critical OpenSSH vulnerability, CVE-2024-6387, also known as “RegreSSHion,” on July 1, 2024. CVE-2024-6387 is a signal handler race condition that can lead to unauthenticated remote code execution with root privileges on glibc-based Linux systems.

The discovery of CVE-2024-6409 highlights the ongoing challenges in maintaining secure software environments, particularly in widely used tools like OpenSSH.

Organizations are urged to apply patches promptly, review their security configurations, and stay informed about the latest vulnerabilities and mitigation strategies.

For more detailed information on the vulnerability and the patches available, please refer to the official security advisories and updates from your software vendors.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.