Skip to content

s1d6point7bugcrowd/CVE-2024-6387-Race-Condition-in-Signal-Handling-for-OpenSSH

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
detection-script.py
detection-script.py
 
 

Repository files navigation

CVE-2024-6387: Race Condition in Signal Handling for OpenSSH

Overview

CVE-2024-6387 is a critical vulnerability discovered in OpenSSH's server (sshd) that allows an attacker to potentially achieve unauthenticated remote code execution (RCE) as root. The vulnerability arises from a race condition in the signal handling process within sshd.

Discovery and Research

This vulnerability was discovered by Qualys, who noted that successful exploitation has been demonstrated on 32-bit Linux/glibc systems with address space layout randomization (ASLR) enabled. Under controlled conditions, the attack required an average of 6-8 hours of continuous connections, up to the maximum allowed by the server. Exploitation on 64-bit systems is believed to be possible but has not yet been demonstrated. There is a possibility that future attack improvements will make it more feasible on these systems.

Microsoft Windows Concerns

It is important to note that while Windows typically runs SSH, most desktop versions should not be exposed to the internet in a way that makes them vulnerable. However, server versions accepting incoming requests could be at risk. Microsoft manages SSH updates through regular Windows updates, which currently lag behind the latest OpenSSH versions. For example, Windows systems with all applied updates may be running version OpenSSH_for_Windows_8.1p1.

Vulnerability Details

  • CVE ID: CVE-2024-6387
  • CVSS v3.1 Score: 8.1 (High)
  • Impact: Possible Remote Code Execution Due to a Race Condition in Signal Handling

Affected Platforms

  1. Vulnerable Versions:

    • OpenSSH versions earlier than 4.4p1 are vulnerable to this race condition unless patched for CVE-2006-5051 and CVE-2008-4109.
    • OpenSSH versions 8.5p1 up to, but not including, 9.8p1 are vulnerable due to the accidental removal of a critical component in a function.

  2. Not Vulnerable:

    • OpenSSH versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051.
    • OpenBSD is not vulnerable to this issue.

Mitigations

To protect against CVE-2024-6387, organizations should implement the following mitigations:

  1. Patch Management:

    • Ensure all Linux systems running OpenSSH, especially those using glibc, are updated to a version that is not vulnerable to this race condition.

  2. Enhanced Access Control:

    • Limit SSH access through network-based controls to reduce the attack surface and minimize the risk of unauthorized exploitation attempts.

  3. Network Segmentation and Intrusion Detection:

    • Implement network segmentation to restrict unauthorized access and lateral movements within critical environments. Deploy intrusion detection systems (IDS) to monitor and alert on unusual activities indicative of exploitation attempts.

Additional Resources

For organizations using OpenSSH on Windows, SSH management can be configured using Group Policy Objects (GPOs) as detailed in the Microsoft documentation.

Critical Insight
July 1, 2024

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages