OpenSSH maintainers have released security updates to address a critical vulnerability, CVE-2024-6387, which allows unauthenticated remote code execution with root privileges on glibc-based Linux systems. The flaw exists in the OpenSSH server component, sshd, and is due to a signal handler race condition that can be exploited in its default configuration. This vulnerability affects versions from 8.5p1 to 9.7p1, and it is a regression of a previously patched issue tracked as CVE-2006-5051, reintroduced in October 2020 with OpenSSH version 8.5p1.
Cybersecurity firm Qualys has identified up to 14 million potentially vulnerable OpenSSH server instances exposed to the internet. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with address space layout randomization (ASLR), requiring an average of 6-8 hours of continuous connections to achieve. Notably, OpenBSD systems are not affected due to a specific security mechanism that blocks the flaw. Qualys emphasizes the importance of thorough regression testing to prevent the reintroduction of known vulnerabilities.
The vulnerability is triggered if a client fails to authenticate within 120 seconds, leading to an unsafe call of sshd’s SIGALRM handler. The impact of exploiting CVE-2024-6387 includes full system compromise and takeover, enabling threat actors to execute arbitrary code with the highest privileges. This can result in the subversion of security mechanisms, data theft, and persistent access to the compromised systems. The issue underscores the critical need for comprehensive security measures and regular updates.
To mitigate the risk, users are strongly advised to apply the latest patches provided by OpenSSH maintainers. Additionally, limiting SSH access through network-based controls and enforcing network segmentation are recommended to restrict unauthorized access and lateral movement. The incident highlights the vital role of continuous security vigilance and the implementation of robust protective measures to safeguard against evolving threats.
Reference:
