OpenSSH RCE Vulnerability
Overview
The OpenSSH RCE vulnerability, known as “regreSSHion” (CVE-2024-6387), poses a worrying threat to millions of systems worldwide. This vulnerability, discovered by the Qualys Threat Research Unit, is a race condition in the signal handler of the OpenSSH server (sshd) on glibc-based Linux systems. It enables unauthenticated remote code execution (RCE) with root privileges, which is what makes it so serious.
Excursion: glibc-based Linux systems
“glibc” stands for the GNU C Library, the fundamental library for most Linux distributions. It provides the basic functions and system calls required for Linux applications to operate. A glibc-based Linux system uses this library as a central component of its operating system. Well-known distributions based on glibc include Ubuntu, Fedora, Debian, and CentOS.
What is OpenSSH?
OpenSSH is a widely used suite of secure network services based on the SSH protocol. It provides robust encryption, secure file transfers, and remote server management. OpenSSH is an integral part of the security infrastructure of many organizations, making vulnerabilities in this system particularly concerning.
Details on the OpenSSH RCE Vulnerability CVE-2024-6387
The regreSSHion vulnerability results from a race condition in the signal handler of the sshd component of OpenSSH. If a client does not authenticate within the specified LoginGraceTime (default 120 seconds), the SIGALRM handler is called asynchronously. This handler calls various functions that are not safe for asynchronous signal contexts, potentially leading to remote code execution as root. Exploiting this vulnerability typically requires precise timing and multiple attempts, making it a complex but potentially very dangerous threat.
Excursion: Race Condition
A race condition occurs when the outcome of a process depends on the timing of certain events. In a computing context, this can cause two or more processes to interact in a way that leads to unexpected results, especially when they access shared resources simultaneously. A well-known example of a race condition in IT security is the TOCTOU (Time of Check to Time of Use) attack, where an attacker changes a resource in the window between the moment a security check verifies it and the moment it is actually used.
OpenSSH RCE Vulnerability CVE-2024-6387 – CVSS Base Score and Explanation
The CVE-2024-6387 vulnerability has a CVSS Base Score of 8.1 (the scoring system itself is explained in the separate article “What is CVSS”). This score is determined by several factors that assess the severity of the vulnerability:
- Attack Vector (AV): Network (N) – The vulnerability can be exploited over the network, increasing its exploitability.
- Attack Complexity (AC): High (H) – Exploiting the vulnerability requires precise timing and multiple attempts, increasing the complexity.
- Privileges Required (PR): None (N) – The attacker does not need any special rights or permissions to exploit the vulnerability.
- User Interaction (UI): None (N) – Exploitation does not require any interaction from a user.
- Impact on Confidentiality (C): High (H) – A successful attack leads to a complete loss of confidentiality.
- Impact on Integrity (I): High (H) – A successful attack leads to a complete loss of integrity.
- Impact on Availability (A): High (H) – A successful attack leads to a complete loss of availability.
Explanation of the CVSS Base Score of the OpenSSH RCE Vulnerability CVE-2024-6387
The CVSS Base Score of 8.1 indicates that this vulnerability is classified as highly severe. Although exploiting the vulnerability is not trivial due to the high attack complexity (AC), the absence of required privileges (PR) and user interaction (UI) makes it an attractive target for attackers. The impacts on confidentiality, integrity, and availability are also high, meaning that a successful attack can have serious consequences for the affected system.
Further information is available from the National Vulnerability Database (NVD).
Affected Versions
The vulnerability affects OpenSSH versions from 8.5p1 to 9.7p1, as well as versions older than 4.4p1 if they have not been patched for CVE-2006-5051 and CVE-2008-4109. OpenBSD systems are not affected due to a special security mechanism introduced in 2001.
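The version ranges above can be turned into a quick triage check. The following script is an added example, not part of the original article; it parses the version from an `ssh -V` string or an SSH server banner (sample strings are constructed) and reports whether the upstream version number falls inside the affected ranges. Note the caveat in the code: distributions backport fixes without bumping the upstream version, so a hit here means “verify against your vendor's advisory”, not “confirmed vulnerable”.

```python
import re

def parse_openssh_version(banner):
    """Extract (major, minor, patch) from an `ssh -V` string or server banner.

    Example input (constructed): "OpenSSH_9.6p1 Ubuntu-3ubuntu13.4, OpenSSL 3.0.13"
    Returns None if the string does not contain an OpenSSH version at all.
    """
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_version_in_affected_range(version):
    """Return True if the upstream version falls in a range the article lists.

    Ranges: 8.5p1 up to and including 9.7p1, and anything older than 4.4p1
    (the latter only if CVE-2006-5051 was never patched, which this check
    cannot see). True means "check further": distributions backport fixes
    without changing the upstream version string.
    """
    if version is None:
        return False
    if (8, 5, 1) <= version <= (9, 7, 1):
        return True
    if version < (4, 4, 1):
        return True
    return False

def classify_banner(banner):
    """Map a banner string to a short triage verdict."""
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown"
    if is_version_in_affected_range(version):
        return "in affected range"
    return "outside affected range"

if __name__ == "__main__":
    # Constructed sample banners, not taken from real hosts.
    for sample in ("OpenSSH_9.6p1 Ubuntu-3ubuntu13.4, OpenSSL 3.0.13",
                   "OpenSSH_9.8p1, OpenSSL 3.3.1",
                   "SSH-2.0-dropbear_2022.83"):
        print(f"{sample!r}: {classify_banner(sample)}")
```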
Impacts and Exploitation
Successful exploitation of this vulnerability can lead to complete system compromise. Attackers can install malware, exfiltrate sensitive data, and create persistent backdoors. Researchers have identified over 14 million potentially vulnerable OpenSSH instances exposed to the internet, with 700,000 confirmed cases according to Qualys data.
OpenSSH RCE Vulnerability – Comparison with other vulnerabilities
While regreSSHion poses a serious threat, it is often compared to the Log4Shell vulnerability (CVE-2021-44228). Log4Shell was far more critical due to its broader reach and easier exploitation. It affected numerous applications and services using the Apache Log4j library, leading to immediate and widespread malicious activity. In contrast, regreSSHion targets specific OpenSSH server instances on glibc-based Linux systems and requires complex exploitation attempts.
Indicators of Compromise (IOCs) – Potential Signs of Exploitation
No specific, publicly confirmed IOCs have been published yet. However, the following general indicators may point to suspicious activity:
- Unusual SSH Login Attempts
- An increase in failed SSH login attempts, especially from unknown IP addresses, may warrant investigation. You can identify exploit attempts for this vulnerability by checking the logs for numerous “Timeout before authentication” lines. Example log entry:
sshd[132456]: fatal: Timeout before authentication for 198.51.100.23 port 41022
- Unexpected Processes
- The presence of unauthorized or unknown processes running on the system, especially with root privileges, is a warning sign.
- File Changes
- Unexplained changes to system files, especially those related to SSH configuration or user accounts, could indicate manipulation.
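The log check described under “Unusual SSH Login Attempts” can be automated. The script below is an added example, not part of the original article: it runs over a few constructed auth log lines in the format of the entry shown above, counts “Timeout before authentication” events per source IP, and flags sources that produce a burst of them. The threshold is an assumed starting value to tune for your environment; isolated timeouts are normal noise, a burst from one source is what warrants a look.

```python
import re
from collections import Counter

# Constructed sample auth log lines; not captured from a real system.
SAMPLE_LOG = """\
Jul  2 10:01:12 host sshd[132456]: fatal: Timeout before authentication for 198.51.100.23 port 41022
Jul  2 10:01:13 host sshd[132457]: Accepted publickey for alice from 192.0.2.10 port 50120 ssh2
Jul  2 10:01:14 host sshd[132458]: fatal: Timeout before authentication for 198.51.100.23 port 41023
Jul  2 10:01:15 host sshd[132459]: fatal: Timeout before authentication for 198.51.100.23 port 41024
Jul  2 10:01:16 host sshd[132460]: fatal: Timeout before authentication for 203.0.113.7 port 39001
Jul  2 10:01:17 host sshd[132461]: Connection closed by 192.0.2.10 port 50120 [preauth]
"""

# Matches the sshd message the article points to; IPv4 and IPv6 literals.
TIMEOUT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: fatal: Timeout before authentication for "
    r"(?P<ip>[0-9a-fA-F:.]+) port (?P<port>\d+)"
)

def count_timeouts_by_source(log_text):
    """Count 'Timeout before authentication' events per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = TIMEOUT_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def flag_suspicious_sources(log_text, threshold=3):
    """Return source IPs whose timeout count reaches the (assumed) threshold."""
    counts = count_timeouts_by_source(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for ip, n in count_timeouts_by_source(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} pre-auth timeouts")
    print("flagged:", flag_suspicious_sources(SAMPLE_LOG))
```

On a live system the same functions can be fed the contents of /var/log/auth.log or the output of `journalctl -u ssh` instead of the embedded sample.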
Mitigation Measures
To mitigate the risk of the regreSSHion vulnerability, the following steps are recommended:
- Update OpenSSH – install the latest available update (version 9.8p1), which fixes the vulnerability.
- Restrict SSH access – use network-based security measures such as firewalls and network segmentation to prevent lateral movement. Defense in Depth!
- Change configuration – If immediate updates are not possible, set the LoginGraceTime parameter in the sshd configuration file to 0. Caution! This increases the risk of denial-of-service attacks.
OpenSSH RCE Vulnerability CVE-2024-6387 – Conclusion
The regreSSHion vulnerability poses a significant threat due to its potential exploitation and the large number of affected systems. Organizations should take immediate action to update their OpenSSH installations and implement additional security measures. Regular monitoring of SSH authentication logs for signs of exploitation attempts and maintaining a robust asset inventory are crucial for effective vulnerability management.