THREAT LEVEL - HIGH

02-07-2024

New RCE Vulnerability on OpenSSH

Threat Level Description

Threat Level: High – An attack is highly likely. Reaching an acceptable risk level against a threat of this breadth requires additional and sustainable protective security measures, combined with judgments about the specific vulnerabilities of your business and geography.


Description

We have observed that a new vulnerability in the OpenSSH software has been identified.

An unauthenticated remote attacker, by exploiting this vulnerability, could achieve remote code execution with root privileges on glibc-based Linux systems.

The vulnerability, tracked as CVE-2024-6387, is a signal handler race condition residing in OpenSSH’s server (sshd).

The net effect of exploiting CVE-2024-6387 is a full system compromise: an attacker could execute arbitrary code with the highest privileges, subvert security mechanisms, steal data, and even maintain persistent access.

This vulnerability is a regression of an 18-year-old flaw (CVE-2006-5051) that was reintroduced in October 2020 as part of OpenSSH version 8.5p1. It involves sshd’s SIGALRM handler, which is called asynchronously if a client does not authenticate within 120 seconds, resulting in a race condition.

CVE(s)

CVE-2024-6387

Affected Systems

  • OpenSSH versions 8.5p1 to 9.7p1 on glibc-based Linux systems.
  • OpenSSH versions prior to 4.4p1 that are not patched for CVE-2006-5051 and CVE-2008-4109.
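As an added example that is not part of this advisory, the following Python script maps OpenSSH version strings, such as the banner sshd sends on connect or the output of `ssh -V`, onto the affected ranges listed above. The sample banners are constructed, and the function and constant names are my own.

```python
import re
import subprocess

# Affected ranges as listed in this advisory (portable OpenSSH releases)
REGRESSION_RANGE = ((8, 5, 1), (9, 7, 1))   # 8.5p1 .. 9.7p1 inclusive
OLD_UNPATCHED_BELOW = (4, 4, 1)             # < 4.4p1 unless patched for CVE-2006-5051 / CVE-2008-4109

# Matches the upstream portable version, e.g. "OpenSSH_9.6p1"
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)p(\d+)")


def parse_openssh_version(text):
    """Extract (major, minor, portable) from an sshd banner or an `ssh -V` line.

    Returns None when no portable OpenSSH version string is present
    (other SSH implementations, or non-portable OpenBSD builds).
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def classify(version):
    """Map a parsed version onto the advisory's affected-systems list."""
    if version is None:
        return "unknown"
    lo, hi = REGRESSION_RANGE
    if lo <= version <= hi:
        return "affected"
    if version < OLD_UNPATCHED_BELOW:
        # The advisory lists these only when CVE-2006-5051 / CVE-2008-4109 are
        # unpatched; a version number alone cannot tell, so flag for manual review.
        return "possibly-affected"
    return "not-in-listed-range"


def triage(banners):
    """Classify several captured version strings; returns {banner: verdict}."""
    return {b: classify(parse_openssh_version(b)) for b in banners}


def local_ssh_version():
    """Read the version of the locally installed OpenSSH binary.

    `ssh -V` prints its version to stderr; the client binary comes from the
    same package as sshd on a normal distribution install.
    """
    try:
        out = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_openssh_version(out.stderr + out.stdout)


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host
    samples = [
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
        "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
        "OpenSSH_9.8p1, OpenSSL 3.0.13 30 Jan 2024",
        "SSH-2.0-OpenSSH_4.3p2",
        "SSH-2.0-dropbear_2022.83",
    ]
    for banner, verdict in triage(samples).items():
        print(f"{verdict:22} {banner}")
    print("local install:", classify(local_ssh_version()))
```

A verdict of "affected" means the upstream version falls inside the listed range, not that the host is necessarily exploitable: distributions commonly backport the fix without changing the upstream version string, so confirm the package changelog or the vendor's advisory before closing a finding either way.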

Recommendation(s)

You should install the relevant patches provided by the vendor.

You should consider limiting SSH access through network-based controls to reduce the attack surface. Furthermore, it is recommended to enforce network segmentation to restrict unauthorized access and lateral movement within your network.

You should understand the importance of security updates and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to operate an efficient patch management process, keep security event logging enabled, and practice event monitoring. Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to risk management, including penetration testing at least annually and upon significant changes.
