OpenSSH maintainers have released security updates to address a critical security flaw that could lead to unauthenticated remote code execution (RCE) with root privileges on glibc-based Linux systems. The vulnerability, identified as CVE-2024-6387, resides in the OpenSSH server component (sshd), which is designed to listen for connections from any of the client applications.
Technical Details The vulnerability is a signal handler race condition in OpenSSH’s server (sshd), allowing unauthenticated RCE as root on glibc-based Linux systems. This race condition affects sshd in its default configuration and has been identified in no less than 14 million potentially vulnerable OpenSSH server instances exposed to the internet. The flaw is a regression of an already patched 18-year-old vulnerability tracked as CVE-2006-5051, reinstated in October 2020 with OpenSSH version 8.5p1.
Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with address space layout randomization (ASLR). Under lab conditions, the attack requires an average of 6-8 hours of continuous connections up to the maximum the server will accept. The vulnerability impacts OpenSSH versions between 8.5p1 and 9.7p1, while versions prior to 4.4p1 are also vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109. OpenBSD systems are unaffected due to a security mechanism that blocks the flaw.
Specifically, the vulnerability occurs if a client does not authenticate within 120 seconds (a setting defined by LoginGraceTime), causing sshd’s SIGALRM handler to be called asynchronously in a manner that is not async-signal-safe.
Impact Exploiting CVE-2024-6387 results in full system compromise and takeover, enabling threat actors to execute arbitrary code with the highest privileges, subvert security mechanisms, steal data, and maintain persistent access. The reappearance of a previously fixed flaw highlights the crucial role of thorough regression testing to prevent the reintroduction of known vulnerabilities.
Mitigation To secure against potential threats, users are recommended to apply the latest patches. Additionally, it is advised to limit SSH access through network-based controls and enforce network segmentation to restrict unauthorized access and lateral movement.