Certain versions of the OpenSSH Secure Networking suite are affected by a new vulnerability that could lead to remote code execution (RCE).
This vulnerability is tracked as CVE-2024-6409 (CVSS score: 7.0) and is distinct from CVE-2024-6387 (aka RegreSSHion). It is caused by a race condition in signal handling and affects only versions 8.7p1 and 8.8p1 as shipped with Red Hat Enterprise Linux 9.
Security researcher Alexander Peslyak, aka Solar Designer, is credited with discovering and reporting the bug during a review of the vulnerability after Qualys disclosed CVE-2024-6387 earlier this month.
“The main difference with CVE-2024-6387 is that the race condition and possible RCE is triggered in the privsep child process, which runs with lower privileges compared to the parent server process,” Peslyak said.
“As such, the direct impact is smaller. However, there may be differences in the exploitability of these vulnerabilities in certain scenarios, making one or the other a more attractive option for attackers. Also, fixing or mitigating only one increases the relevance of the other.”
The underlying flaw is the same signal handler race condition as CVE-2024-6387: if a client does not authenticate within LoginGraceTime seconds (120 seconds by default), the SIGALRM handler in the OpenSSH daemon process is invoked asynchronously, and that handler calls various functions that are not async-signal-safe.
“This issue makes the cleanup_exit() function vulnerable to a signal handler race condition, introducing the same vulnerability as CVE-2024-6387 into unprivileged children of the SSHD server,” the vulnerability description reads.
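The bug class described above is a SIGALRM handler that performs cleanup with functions that are not async-signal-safe. The following is an added illustration, not OpenSSH code and not a reproduction of cleanup_exit(): it shows the pattern to avoid (cleanup done inside the handler) next to the safe pattern, where the handler only sets a `volatile sig_atomic_t` flag and the main loop does the cleanup afterwards. The session buffer, the function names and the use of `raise()` to stand in for the grace-time alarm are all constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed illustration, not OpenSSH code. A SIGALRM handler that fires
 * when the login grace time expires must not call functions that are not
 * async-signal-safe (free(), fprintf(), syslog(), ...). Below: the pattern
 * to avoid, and the safe pattern (flag in handler, cleanup in main loop). */

static volatile sig_atomic_t grace_timer_expired = 0;

/* Simulated per-connection state; in a real daemon this is the session. */
static char *session_buffer = NULL;

/* Cleanup that uses heap and stdio calls. Neither free() nor fprintf() is
 * async-signal-safe, so this must NOT run from inside a signal handler. */
int cleanup_session(void)
{
    if (session_buffer == NULL)
        return -1;                     /* nothing to clean up */
    fprintf(stderr, "grace time expired, tearing down session\n");
    free(session_buffer);
    session_buffer = NULL;
    return 0;
}

/* Pattern to avoid (never installed here): doing the cleanup in the handler.
 * If SIGALRM arrives while the main program is inside malloc()/free(), the
 * handler re-enters the allocator with its state half-updated. */
static void unsafe_alarm_handler(int sig)
{
    (void)sig;
    cleanup_session();
    _exit(1);
}

/* Safe pattern: touch only a volatile sig_atomic_t, then return. */
static void safe_alarm_handler(int sig)
{
    (void)sig;
    grace_timer_expired = 1;
}

/* Install the safe handler with sigaction() so the semantics are defined. */
int install_grace_timer(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_alarm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Main-loop shaped driver: allocate session state, simulate grace-time
 * expiry with raise() instead of waiting LoginGraceTime seconds, then run
 * the cleanup from ordinary program context. Returns 1 if cleanup ran
 * because the flag was set, 0 if it was not set, -1 on setup failure. */
int run_login_phase(void)
{
    grace_timer_expired = 0;
    session_buffer = malloc(256);
    if (session_buffer == NULL || install_grace_timer() != 0)
        return -1;
    (void)unsafe_alarm_handler;        /* shown for contrast, never installed */

    raise(SIGALRM);                    /* constructed: stands in for alarm() firing */

    /* Back in normal context: now it is safe to call free()/fprintf(). */
    if (grace_timer_expired)
        return cleanup_session() == 0 ? 1 : -1;
    return 0;
}

int main(void)
{
    int rc = run_login_phase();
    printf("cleanup via flag ran: %s\n", rc == 1 ? "yes" : "no");
    return rc == 1 ? 0 : 1;
}
```

Because `raise()` delivers the signal synchronously, this program does not reproduce the race itself; it demonstrates the structural fix reviewers look for in a daemon's timeout handling: the handler touches nothing but a flag, and every allocator, stdio or logging call happens after control returns to the main loop.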
“If the attack is successful, in a worst-case scenario, the attacker could potentially achieve remote code execution (RCE) within the unprivileged user running the sshd server.”
A working exploit for CVE-2024-6387 has been detected in the wild, with unknown threat actors targeting servers primarily located in China.
“The initial vector of this attack originates from IP address 108.174.58[.]28, which hosts a directory listing of exploit tools and scripts intended to automate the exploitation of vulnerable SSH servers,” Israeli cybersecurity firm Veriti said.