OpenSSH maintainers addressed a critical vulnerability, tracked as CVE-2024-6387, that can lead to unauthenticated remote code execution with root privileges in glibc-based Linux systems.
OpenSSH maintainers addressed the vulnerability with the release of version 9.8 on July 01, 2024.
“A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It’s likely that these attacks will be improved upon.” reads the advisory. “Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation (yes – this is a thing, no – we don’t understand why) may potentially have an easier path to exploitation.”
The Qualys Threat Research Unit (TRU) discovered the Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems.
“The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems; that presents a significant security risk. This race condition affects sshd in its default configuration.” reported Qualys.
The flaw was introduced with the fix for another vulnerability, tracked as CVE-2006-5051. This is a regression of a previously patched flaw: a bug that had already been fixed resurfaced in a later software release, typically because a subsequent change unintentionally reintroduced it. The regression was introduced in October 2020 with the release of OpenSSH 8.5p1.
Maintainers pointed out that OpenBSD systems are not impacted by this vulnerability.
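The advisory above gives a precise affected range (Portable OpenSSH 8.5p1 through 9.7p1 inclusive) and notes that OpenBSD is not impacted, which is enough for a first-pass inventory check. The script below is an added example written for this article, not code from OpenSSH or Qualys. It assumes the usual banner format `OpenSSH_<major>.<minor>p<N>` (the `p` suffix marks a Portable build; OpenBSD's native sshd has no suffix) and treats the check as version-based only: distributions that backport the fix without changing the upstream version string will still show an affected version, so the result must be confirmed against the distribution's own advisory.

```python
import re
from typing import Optional, Tuple

# Affected range as stated in the OpenSSH advisory: 8.5p1 .. 9.7p1 inclusive.
# Stored as (major, minor, portable_patch) tuples so Python's tuple ordering
# can compare them directly.
AFFECTED_MIN = (8, 5, 1)
AFFECTED_MAX = (9, 7, 1)

# Matches "OpenSSH_9.6p1" (Portable) or "OpenSSH_9.7" (OpenBSD native, no 'p').
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, Optional[int]]]:
    """Extract (major, minor, portable_patch) from a server banner or an
    `ssh -V` line. portable_patch is None when no 'pN' suffix is present,
    i.e. the build is not Portable OpenSSH. Returns None if no OpenSSH
    version string is found at all."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), (int(patch) if patch is not None else None)


def in_affected_range(version: Tuple[int, int, Optional[int]]) -> bool:
    """True if the version falls inside the range the advisory lists as affected."""
    major, minor, patch = version
    if patch is None:
        # No 'p' suffix: not a Portable build. The advisory states OpenBSD
        # systems are not impacted, so this is reported as not affected.
        return False
    return AFFECTED_MIN <= (major, minor, patch) <= AFFECTED_MAX


def assess_banner(banner: str) -> str:
    """Classify one banner. 'affected-by-version' is a version-only verdict:
    distro backports may have fixed the bug without bumping the version."""
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown"
    return "affected-by-version" if in_affected_range(version) else "not-affected-by-version"


if __name__ == "__main__":
    # Constructed sample banners for illustration; not captured from real hosts.
    samples = [
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",     # inside range
        "SSH-2.0-OpenSSH_8.5p1",                       # lower boundary, inside
        "SSH-2.0-OpenSSH_9.7p1",                       # upper boundary, inside
        "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",      # below range
        "SSH-2.0-OpenSSH_9.8p1",                       # fixed release
        "SSH-2.0-OpenSSH_9.7",                         # OpenBSD native build
        "OpenSSH_9.6p1, OpenSSL 3.0.13 30 Jan 2024",   # `ssh -V` style output
        "SSH-2.0-dropbear_2022.83",                    # not OpenSSH at all
    ]
    for banner in samples:
        print(f"{banner:45} -> {assess_banner(banner)}")
```

Feed it the banner lines collected by your existing scanner or the output of `sshd -V` from each host; anything reported as `affected-by-version` is a candidate for the 9.8 upgrade or for confirmation that the distribution's backported fix is installed.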
University of Cambridge Computer Lab.
“In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an OpenSSH server version 9.5 or later, a logic error in the
ineffective – a passive observer could still detect which network packets contained real keystrokes when the countermeasure was active because both fake and real keystroke packets were being sent unconditionally.” states the advisory.
Pierluigi Paganini