Critical RCE Vulnerabilities in OpenSSH (CVE-2024-6387, CVE-2024-6409) - How to Detect and Mitigate

Update on another CVE-2024-6409:

• CVE-2024-6387: Impacted the main OpenSSH server process
  • potentially allowing unauthenticated remote code execution with root privileges.
• CVE-2024-6409: Affects the privilege separation child process with limited privileges, which affects OpenSSH in versions 8.7 and 8.8.
  • A race condition in grace_alarm_handler() function creates a potential for remote code execution in privsep child process.
  • The new vulnerability has a reduced immediate impact but still poses a significant security risk.‍
• Patch Now: ‍
  • Set LoginGraceTime 0 in /etc/ssh/sshd_config‍
  • Run systemctl restart sshd
  • This patch is an effective mitigation for both vulnerabilities.

OpenSSH security came to the forefront two months ago with the dreaded xz-utils zero-day vulnerability discovered, targeting the OpenSSH binary to gain backdoor access to Linux-based operating systems.  OpenSSH is used as a first and only line of defense for millions of servers all over the internet, and therefore its security is a major focal point, and also a reason it has become a high-value target for would-be attackers.

Well, OpenSSH is back in the headlines, today with a zero-day vulnerability that is shaping up to be a doozy of a vulnerability enabling Remote Code Execution in OpenSSH servers. This vulnerability was dubbed RegreSSHion by Qualys, who were the ones to find these flaws detailed in their research.  As this story unfolds, we’d like to provide a quick TL;DR of the impact of the vulnerability, how it’s exploited, and how you can get protected if you are employing this wildly popular open source protocol (who isn’t?!).

Table Of Contents:

1. RegreSSHion Vulnerability Summary in Short
2. Who is Impacted
3. Details of the Vulnerability
4. TL;DR of Exploitation Method
5. Remediations
6. Patch Details
7. Additional Information
8. SSHielded with Oligo
9. Conclusion
10. References

RegreSSHion Vulnerability Summary in Short:

RegreSSHion is a signal handler race condition in OpenSSH's server (sshd). OpenSSH is a widely-used suite of secure networking utilities based on the Secure Shell (SSH) protocol, providing encrypted communication over unsecured networks. In the context of this vulnerability, if a client fails to authenticate within a specified period (LoginGraceTime), which defaults to 120 seconds, the server's signal handler is triggered to handle the timeout.

This signal handler (SIGALRM) is designed to close the connection, but it mistakenly calls functions like syslog(), which are not safe to execute in this asynchronous context. These functions can invoke other non-async-signal-safe functions like malloc() and free(), leading to inconsistent states and potential heap corruption. Consequently, an attacker can exploit this vulnerability to execute arbitrary code on the server, resulting in remote code execution with root privileges. This type of vulnerability is critical because it allows unauthenticated remote attackers to gain full control over the affected system.

The current vulnerability is a regression of this earlier issue, CVE-2006-5051, which involved a signal handler race condition in OpenSSH before version 4.4. This vulnerability allows remote attackers to cause a denial of service or execute arbitrary code. The fix for this issue involved making certain functions safe to call from signal handlers, a fix that was inadvertently reverted in a later update.

Who is Impacted:

• CVE-20240-6387
  • Systems running OpenSSH versions from 8.5p1 to 9.8p1 on glibc-based Linux systems are vulnerable. Earlier versions (before 4.4p1) and versions between 4.4p1 and 8.5p1 are not vulnerable if they were patched against a similar issue from 2006. OpenBSD systems are not affected.
• CVE-20240-6409
  • OpenSSH in versions 8.7 and 8.8

Details of the Vulnerability CVE-20240-6387:

• The problem lies in the handling of the SIGALRM signal, which is triggered if the login grace period expires without successful client authentication.
• The vulnerability is a regression of a similar issue reported in 2006 (CVE-2006-5051).
• The issue was reintroduced in OpenSSH 8.5p1 due to a change in the logging infrastructure.

‍TL;DR of Exploitation Method

An attacker can exploit this vulnerability by repeatedly attempting to connect to the OpenSSH server without authenticating. Each attempt aims to trigger the SIGALRM signal handler at a precise moment when it is performing unsafe operations. The key to successful exploitation is the ability to manipulate the server’s heap memory layout through crafted inputs, such as malformed SSH keys, which are designed to place the memory in a state where it becomes vulnerable to corruption.

By sending packets with exact timing, the attacker attempts to interrupt the server's signal handler during critical memory operations like malloc() and free(). This interruption can lead to heap corruption, allowing the attacker to overwrite function pointers or other vital data structures. Despite modern security measures like ASLR and NX, the attacker’s use of advanced techniques and repeated attempts increases the likelihood of achieving arbitrary code execution, ultimately granting them root access to the affected server.

Remediations:

1. Upgrade OpenSSH:
   • Apply the fix available in the latest OpenSSH release.
2. Workaround:
   • To patch both vulnerabilities (CVE-2024-6387, CVE-2024-6409) have a quick patch.
   • Set LoginGraceTime 0 in /etc/ssh/sshd_config and do a systemctl restart sshd.
   • If upgrading is not possible, a temporary workaround is to set LoginGraceTime to 0 in the OpenSSH configuration file. This will prevent unauthenticated sessions from being kept open but can lead to a denial of service if all connection slots are used.

Patch Details:

• The fix involves moving the problematic code out of the signal handler, ensuring that only safe operations are performed in this context.

Additional Information:

• The vulnerability affects sshd's privileged code, which runs as the root user with full system privileges, making this a critical issue for affected systems.
• The specific nature of the race condition and its exploitation require a significant number of attempts to achieve successful execution, with varying success rates depending on the version and environment.

‍‍SSHielded with Oligo:

As part of the Oligo platform, Oligo ADR, can automatically detect when applications behave improperly. Actual exploitation could be identified by Oligo even before those vulnerabilities are identified or assigned a CVE.

In this specific case, Oligo ADR will not only detect the change in behavior, it will also detect anomalies in the number of times the vulnerable function is being called, due to the nature of exploitation of this bug, which is a race condition bug. Therefore, it is an essential part of the exploitation. Moreover, Oligo Focus can determine exactly which libraries and functions are executed, with proof your teams can see. This means your team can easily find and detect vulnerable versions of libraries and applications and help you automatically start mitigating them.

Conclusion:

While SSH is generally regarded as secure software, its complexity and the critical nature of its functionality make it a frequent target for security research. Each discovered vulnerability, including the current one, highlights areas where improvements in secure coding practices and rigorous code review are necessary to maintain its security. The recurring theme in many of these vulnerabilities is the challenge of ensuring that code handling critical security functions, such as authentication and signal handling, is robust against various attack vectors.

Administrators should prioritize applying the patches or using the workaround to mitigate this high-risk vulnerability in OpenSSH servers running on glibc-based Linux systems.

References:

1. https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
2. https://www.openwall.com/lists/oss-security/2024/07/08/2
3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2024-6409‍
4. https://thehackernews.com/2024/07/new-openssh-vulnerability-could-lead-to.html
5. https://github.com/acrono/cve-2024-6387-poc
6. https://cvefeed.io/vuln/detail/CVE-2024-4264
7. https://security-tracker.debian.org/tracker/CVE-2024-6409
8. https://bugzilla.redhat.com/show_bug.cgi?id=2295085
9. https://access.redhat.com/security/cve/CVE-2024-6409
10. https://ubuntu.com/security/CVE-2024-6409
11. https://explore.alas.aws.amazon.com/CVE-2024-6409.html

‍