Zscaler Blog
Get the latest Zscaler blog updates in your inbox
SubscribeOpenSSH Vulnerabilities CVE-2024-6387 & CVE-2024-6409 Pose A Significant Security Risk
Introduction
On July 1, 2024, researchers identified a critical security vulnerability in OpenSSH's server (sshd) running on glibc-based Linux systems. This vulnerability, assigned the CVE identifier CVE-2024-6387 (also known as regreSSHion), enables remote unauthenticated code execution (RCE) as the root user. By exploiting a signal handler race condition in sshd, attackers can gain unauthorized access and execute malicious code, posing a significant security risk. CVE-2024-6387 affects the default configuration of sshd, making it crucial to address promptly.
In addition, on July 8, 2024, another OpenSSH vulnerability, similar to CVE-2024-6387, was disclosed and identified as CVE-2024-6409. The vulnerability CVE-2024-6409 arises when an SSH client fails to authenticate within the LoginGraceTime
(default: 120 seconds), triggering sshd's SIGALRM
handler and invoking non async-signal-safe functions.
Both of these vulnerabilities affect the default configuration of sshd, making them crucial to address promptly. This blog covers the details surrounding CVE-2024-6387 and CVE-2024-6409.
Recommendations
- Upgrade versions: Zscaler ThreatLabz strongly advises users of OpenSSH to promptly upgrade to version 9.8, as this version contains crucial fixes to mitigate CVE-2024-6387.
- Set LoginGraceTime to 0: CVE-2024-6387 specifically targets the default configuration of sshd. If updating sshd is not feasible, a potential workaround is to modify the config file by setting the
LoginGraceTime
value to0
. While this adjustment may expose the sshd server to a denial of service risk, it helps mitigate the risk of remote code execution. - Reduce the attack surface: Restrict access by using network-based controls to minimize the attack risks.
Background
OpenSSH is a popular tool for remote access using the SSH protocol, offering secure tunneling, authentication methods, and flexible configuration options. OpenSSH is widely used for managing remote servers, file transfers, and secure communication.
CVE-2024-6387 is a vulnerability that reemerged due to a regression from CVE-2006-5051. Unfortunately, a patch originally applied for CVE-2006-5051 was inadvertently removed during a code change made in October 2020. This regression led to the reintroduction of the vulnerability.
Attack Chain
The figure below depicts the attack sequence an attacker would use to exploit CVE-2024-6387.
Figure 1: A diagram showing how attackers exploit sshd's signal handler race condition by crafting malloc()
and free()
sequences, manipulating heap memory layout, and executing remote code with a malicious request containing arbitrary bytes and shellcode.
How It Works
Unix systems utilize SIGALRM
as an interrupt during program execution, which is handled by the SIGALRM
handler code. However, if non async-signal-safe functions are used within this handler, it can lead to an inconsistent state that attackers can exploit.
CVE-2024-6387 arises from sshd's use of syslog
, which invokes non async-signal-safe functions like malloc()
and free()
. If an SSH client fails to authenticate within the configured LoginGraceTime
, sshd's SIGALRM
handler is asynchronously triggered, invoking syslog()
. As a result, remote exploitation of this vulnerability is possible by an unauthenticated user on glibc-based Linux systems. To exploit this signal handler race condition, attackers abuse sshd's public-key parsing code to perform crafted sequences of malloc()
and free()
calls. By strategically timing the delivery of a SIGALRM
interrupt, the attacker can achieve remote code execution with root privileges. This race condition affects sshd's default configuration.
Winning the race condition requires an average of 10,000 attempts. With 100 connections (MaxStartups
) accepted per 120 seconds (LoginGraceTime
), it takes approximately 3-4 hours on average to win the race condition and approximately 6-8 hours to obtain a root shell due to Address Space Layout Randomization (ASLR).
The figure below shows the network traffic generated during the exploitation of CVE-2024-6387.
Figure 2: An example of a malformed request containing arbitrary bytes to force the SSH server to perform heap allocations targeting CVE-2024-6387.
Affected Versions
The following versions of OpenSSH are affected by CVE-2024-6387 and should be updated immediately:
- Older versions of OpenSSH (prior to 4.4p1) are at risk from the signal handler race condition, unless they have been patched for CVE-2006-5051 and CVE-2008-4109.
- OpenSSH versions ranging from 8.5p1 to less than 9.8p1 remain vulnerable to the signal handler race condition.
CVE-2024-6409
On July 8, 2024, another OpenSSH vulnerability, similar to CVE-2024-6387 was disclosed. This additional vulnerability, identified as CVE-2024-6409, arises when the grace_alarm_handler()
function triggers the non-signal-handling cleanup_exit()
method in the privsep
child process, leading to inconsistent memory state and potential code execution. Immediate exploitation is currently less likely (although that may change) since no working exploit code has been disclosed at the time of publishing this blog. The following versions are impacted by this vulnerability:
- OpenSSH versions 8.5p1 to 9.8p1 on glibc-based Linux systems.
*At this time, information about this vulnerability is limited. We will update this blog as more information becomes available.
Conclusion
The vulnerabilities CVE-2024-6387 and CVE-2024-6409 in OpenSSH servers (sshd) on glibc-based Linux systems pose a significant risk, allowing potential attackers to execute remote code with root privileges. Exploiting this vulnerability can lead to complete system takeover, installation of persistent backdoors, data exfiltration, and deployment of malware. Although it may be challenging to exploit the race condition, successful exploitation can have severe consequences.
Zscaler Coverage
The Zscaler ThreatLabz team has deployed the following coverage to protect against these threats.
Zscaler Advanced Threat Protection
Zscaler Advanced Cloud Firewall
Was this post useful?
Get the latest Zscaler blog updates in your inbox
By submitting the form, you are agreeing to our privacy policy.