On July 1, 2024, researchers identified a critical security vulnerability in OpenSSH's server (sshd) running on glibc-based Linux systems. This vulnerability, assigned the CVE identifier CVE-2024-6387 (also known as regreSSHion), enables remote unauthenticated code execution (RCE) as the root user. By exploiting a signal handler race condition in sshd, attackers can gain unauthorized access and execute malicious code, posing a significant security risk. CVE-2024-6387 affects the default configuration of sshd, making it crucial to address promptly.

In addition, on July 8, 2024, another OpenSSH vulnerability, similar to CVE-2024-6387, was disclosed and identified as CVE-2024-6409. The vulnerability CVE-2024-6409 arises when an SSH client fails to authenticate within the LoginGraceTime (default: 120 seconds), triggering sshd's SIGALRM handler and invoking non async-signal-safe functions.

Both of these vulnerabilities affect the default configuration of sshd, making them crucial to address promptly. This blog covers the details surrounding CVE-2024-6387 and CVE-2024-6409.

Recommendations

Upgrade versions: Zscaler ThreatLabz strongly advises users of OpenSSH to promptly upgrade to version 9.8, as this version contains crucial fixes to mitigate CVE-2024-6387.
Set LoginGraceTime to 0: CVE-2024-6387 specifically targets the default configuration of sshd. If updating sshd is not feasible, a potential workaround is to modify the config file by setting the LoginGraceTime value to 0. While this adjustment may expose the sshd server to a denial of service risk, it helps mitigate the risk of remote code execution.
Reduce the attack surface: Restrict access by using network-based controls to minimize the attack risks.

Background

OpenSSH is a popular tool for remote access using the SSH protocol, offering secure tunneling, authentication methods, and flexible configuration options. OpenSSH is widely used for managing remote servers, file transfers, and secure communication.

CVE-2024-6387 is a vulnerability that reemerged due to a regression from CVE-2006-5051. Unfortunately, a patch originally applied for CVE-2006-5051 was inadvertently removed during a code change made in October 2020. This regression led to the reintroduction of the vulnerability.

Attack Chain

The figure below depicts the attack sequence an attacker would use to exploit CVE-2024-6387.

Figure 1: A diagram showing how attackers exploit sshd's signal handler race condition by crafting malloc() and free() sequences, manipulating heap memory layout, and executing remote code with a malicious request containing arbitrary bytes and shellcode.

Figure 1: A diagram showing how attackers exploit sshd's signal handler race condition by crafting malloc() and free() sequences, manipulating heap memory layout, and executing remote code with a malicious request containing arbitrary bytes and shellcode.

How It Works

Unix systems utilize SIGALRM as an interrupt during program execution, which is handled by the SIGALRM handler code. However, if non async-signal-safe functions are used within this handler, it can lead to an inconsistent state that attackers can exploit.

CVE-2024-6387 arises from sshd's use of syslog, which invokes non async-signal-safe functions like malloc() and free(). If an SSH client fails to authenticate within the configured LoginGraceTime, sshd's SIGALRM handler is asynchronously triggered, invoking syslog(). As a result, remote exploitation of this vulnerability is possible by an unauthenticated user on glibc-based Linux systems. To exploit this signal handler race condition, attackers abuse sshd's public-key parsing code to perform crafted sequences of malloc() and free() calls. By strategically timing the delivery of a SIGALRM interrupt, the attacker can achieve remote code execution with root privileges. This race condition affects sshd's default configuration.

Winning the race condition requires an average of 10,000 attempts. With 100 connections (MaxStartups) accepted per 120 seconds (LoginGraceTime), it takes approximately 3-4 hours on average to win the race condition and approximately 6-8 hours to obtain a root shell due to Address Space Layout Randomization (ASLR).

The figure below shows the network traffic generated during the exploitation of CVE-2024-6387.

Figure 2: An example of a malformed request containing arbitrary bytes to force the SSH server to perform heap allocations targeting CVE-2024-6387.

Affected Versions

The following versions of OpenSSH are affected by CVE-2024-6387 and should be updated immediately:

Older versions of OpenSSH (prior to 4.4p1) are at risk from the signal handler race condition, unless they have been patched for CVE-2006-5051 and CVE-2008-4109.
OpenSSH versions ranging from 8.5p1 to less than 9.8p1 remain vulnerable to the signal handler race condition.

CVE-2024-6409

On July 8, 2024, another OpenSSH vulnerability, similar to CVE-2024-6387 was disclosed. This additional vulnerability, identified as CVE-2024-6409, arises when the grace_alarm_handler() function triggers the non-signal-handling cleanup_exit() method in the privsep child process, leading to inconsistent memory state and potential code execution. Immediate exploitation is currently less likely (although that may change) since no working exploit code has been disclosed at the time of publishing this blog. The following versions are impacted by this vulnerability:

OpenSSH versions 8.5p1 to 9.8p1 on glibc-based Linux systems.

*At this time, information about this vulnerability is limited. We will update this blog as more information becomes available.

Conclusion

The vulnerabilities CVE-2024-6387 and CVE-2024-6409 in OpenSSH servers (sshd) on glibc-based Linux systems pose a significant risk, allowing potential attackers to execute remote code with root privileges. Exploiting this vulnerability can lead to complete system takeover, installation of persistent backdoors, data exfiltration, and deployment of malware. Although it may be challenging to exploit the race condition, successful exploitation can have severe consequences.