
Potential Remote Code Execution Risk

Select versions of the OpenSSH secure networking suite are susceptible to a new vulnerability that can trigger remote code execution (RCE).

The vulnerability, tracked as CVE-2024-6409 (CVSS score: 7.0), is distinct from CVE-2024-6387 (aka RegreSSHion) and relates to a case of code execution in the privsep child process due to a race condition in signal handling. It only affects versions 8.7p1 and 8.8p1 as shipped with Red Hat Enterprise Linux 9.

Security researcher Alexander Peslyak, who goes by the alias Solar Designer, has been credited with discovering and reporting the bug, which was found during a review of CVE-2024-6387 after the latter was disclosed by Qualys earlier this month.


"The main difference from CVE-2024-6387 is that the race condition and RCE potential are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process," Peslyak said.

"So the immediate impact is lower. However, there may be differences in exploitability of these vulnerabilities in a particular scenario, which could make either of these a more attractive choice for an attacker, and if only one of these is fixed or mitigated then the other becomes more relevant."


The underlying signal handler race condition is the same one as in CVE-2024-6387: if a client does not authenticate within LoginGraceTime seconds (120 by default), the OpenSSH daemon's SIGALRM handler is invoked asynchronously, and that handler in turn calls functions that are not async-signal-safe. Because the handler can interrupt the main code at any instruction, including in the middle of a heap operation, re-entering such functions from the handler corrupts state in a way an attacker who controls the timing can try to exploit.

"This issue leaves it vulnerable to a signal handler race condition on the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server," according to the vulnerability description.


"As a consequence of a successful attack, in the worst case scenario, the attacker may be able to perform a remote code execution (RCE) within the unprivileged user running the sshd server."
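To make the distinction between a safe and an unsafe SIGALRM handler concrete, the following is an added example in C; it is not code from the original article, from OpenSSH, or from the CVE description. It places the two handler shapes side by side: one that calls syslog(), free() and exit() from signal context, which is the pattern the description above refers to and is defined here only for illustration, and one that merely sets a volatile sig_atomic_t flag and leaves cleanup to the main loop. The session buffer, the millisecond grace timeout and the select()-based wait are assumptions standing in for sshd's per-connection state and its read loop.

```c
/* Added example: safe vs. unsafe SIGALRM handling for a login grace timeout.
 * Not OpenSSH code; the session buffer and the select() wait are stand-ins
 * (assumptions) for sshd's per-connection state and its read loop. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <syslog.h>
#include <unistd.h>

/* Simulated per-connection state that a cleanup routine frees. */
static char *session_buf = NULL;

/* UNSAFE pattern (illustrative, never installed by this program).
 * The handler runs asynchronously at an arbitrary point in the main code.
 * If SIGALRM arrives while the main code is inside malloc()/free() or the
 * logging code, calling syslog(), free() and exit() here re-enters
 * non-reentrant state: none of these three are async-signal-safe. */
void unsafe_grace_alarm_handler(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication"); /* not async-signal-safe */
    free(session_buf);                                 /* not async-signal-safe */
    exit(1);                                           /* runs atexit handlers: not safe */
}

/* SAFE pattern: the handler touches only a volatile sig_atomic_t and returns.
 * Everything else happens in ordinary program context. */
static volatile sig_atomic_t grace_expired = 0;

static void safe_grace_alarm_handler(int sig)
{
    (void)sig;
    grace_expired = 1;
}

static int install_safe_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_grace_alarm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0; /* no SA_RESTART: blocking calls return EINTR so the loop re-checks the flag */
    return sigaction(SIGALRM, &sa, NULL);
}

/* Simulated "wait for the client to authenticate" loop with a grace timeout.
 * Returns 1 if the timeout fired and cleanup ran in main context,
 * -1 on a setup error. (No client ever authenticates in this demo.) */
int run_grace_timeout(unsigned grace_ms)
{
    grace_expired = 0;
    session_buf = malloc(4096);
    if (session_buf == NULL)
        return -1;
    if (install_safe_handler() != 0) {
        free(session_buf);
        session_buf = NULL;
        return -1;
    }

    struct itimerval it;
    memset(&it, 0, sizeof it);
    it.it_value.tv_sec = grace_ms / 1000;
    it.it_value.tv_usec = (grace_ms % 1000) * 1000;
    if (setitimer(ITIMER_REAL, &it, NULL) != 0) {
        free(session_buf);
        session_buf = NULL;
        return -1;
    }

    int result = -1;
    for (;;) {
        if (grace_expired) {
            /* Cleanup in main context: free() and logging are fine here. */
            free(session_buf);
            session_buf = NULL;
            result = 1;
            break;
        }
        /* Stand-in for the blocking read on the client socket: a 1 s poll.
         * SIGALRM interrupts it with EINTR; a plain timeout just loops back. */
        struct timeval tv = { 1, 0 };
        int rc = select(0, NULL, NULL, NULL, &tv);
        if (rc < 0 && errno != EINTR)
            break;
    }
    /* Disarm the timer so a later SIGALRM cannot surprise the caller. */
    memset(&it, 0, sizeof it);
    setitimer(ITIMER_REAL, &it, NULL);
    return result;
}

int main(void)
{
    int r = run_grace_timeout(200);
    printf("grace timeout demo: %s\n",
           r == 1 ? "timer fired, cleanup ran in main context" : "setup failed");
    return r == 1 ? 0 : 1;
}
```

Build and run with `cc -Wall grace_demo.c -o grace_demo && ./grace_demo`. The unsafe handler is deliberately never installed: invoking it concurrently with a heap operation is undefined behaviour, so there is nothing deterministic to demonstrate by running it. The point is the contrast in what each handler is permitted to call; the safe handler's only job is to set a flag, and every call that touches the heap or a log runs from the main loop, which is the property the vulnerable sshd versions lack.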

An active exploit for CVE-2024-6387 has since been detected in the wild, with an unknown threat actor targeting servers primarily located in China.

"The initial vector of this attack originates from the IP address 108.174.58[.]28, which was reported to host a directory listing exploit tools and scripts for automating the exploitation of vulnerable SSH servers," Israeli cybersecurity company Veriti said.
