OpenSSH maintainers have released security updates to contain a critical security flaw that could result in unauthenticated remote code execution with root privileges in glibc-based Linux systems. Please review the information in this Cybersecurity Threat Advisory to limit your potential impact.
What is the threat?
The critical vulnerability, CVE-2024-6387, was found in OpenSSH’s sshd server due to a signal handler race condition. If a client fails to authenticate within the designated LoginGraceTime, sshd’s SIGALRM handler is invoked asynchronously, leading to calls to functions like syslog() that are not async-signal-safe. Attackers could exploit this vulnerability to perform unauthenticated remote code execution (RCE) with root privileges, leading to full system compromise. Successful exploitation allows threat actors to execute arbitrary code, subvert security mechanisms, steal data, and maintain persistent access.
Why is it noteworthy?
OpenSSH is widely used for secure remote administration of servers. Exploiting this vulnerability can cause a severe flaw that may lead to extensive service disruptions, particularly in environments heavily relying on OpenSSH for secure access and operations. Attackers can trigger the race condition under specific timing conditions or heavy server load, making it a powerful tool for destabilizing and compromising services.
What is the exposure or risk?
Organizations using OpenSSH for secure access in Linux environments are at significant risk. The race condition can result in server crashes, substantial performance degradation, or full system compromise, leading to potential data breaches, system unavailability, and disruption of critical business operations. The vulnerability affects OpenSSH versions 8.5p1 to 9.7p1 and is a regression of an older flaw, CVE-2006-5051. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with address space layout randomization (ASLR). OpenBSD systems remain unaffected due to a security mechanism that blocks the flaw.
The risk extends to potential financial and reputational damage due to disrupted workflows and compromised systems.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of an attack:
- Update OpenSSH: Ensure that you are running the latest version of OpenSSH. They are currently releasing patches that address this vulnerability.
- Monitor and configure LoginGraceTime: Adjust the LoginGraceTime to a suitable value for your environment. This is to reduce the window of opportunity for exploitation.
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2024/07/new-openssh-vulnerability-could-lead-to.html
- https://nvd.nist.gov/vuln/detail/CVE-2024-6387
- https://www.theregister.com/2024/07/01/regresshion_openssh/
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.
