OpenSSH Server: CVE-2024-6387 (regreSSHion)

The Qualys Threat Research Unit discovered an SSHD vulnerability (NVD: CVE-2024-6387) that can lead to compromise of the whole system. The flaw is a race condition (race hazard) in the way SSHD handles the SIGALRM signal: when the alarm fires, the signal handler calls into glibc functions that are not safe to run from an asynchronous signal handler. SIGALRM is the standard asynchronous alarm signal of the GNU C library; a program arms it for a given time interval and it is delivered when that interval runs out, regardless of what the program is doing at that moment. In SSHD the alarm is armed for the back-and-forth of authentication negotiation, so an attacker acting as an SSH client can stall the negotiation and have the SIGALRM delivered within a time window of the attacker's choosing.

Furthermore, because OpenSSH (SSHD) handles this signal asynchronously, a server with many pending (queued) sessions that are not yet fully authenticated can, with the right timing, be pushed into the race condition that is the breaking point. When that happens, the attacker can cause a buffer overflow in the program's heap memory allocation. As a consequence, the attacker can escalate further to remote code execution (RCE) as root on glibc-based Linux systems and from there take over the whole system or network. The exploit succeeds through glibc because syslog() calls async-signal-unsafe functions such as malloc() and free(), which are fundamental to programming and software development and are critically responsible for memory management, localization and thread safety.

To elaborate, the async-signal-unsafe code that syslog() calls from the signal handler runs with the full privileges of the SSHD process (it is not sandboxed). By way of analogy, in software development it is good practice, before deployment, to classify which portions of the application need admin/root permission and which do not. The developer can create a separate elevated executable that the application (the invoker) calls only when a task genuinely requires higher privilege, which creates a separation of concerns. OpenBSD, a security-focused operating system, is not affected by the SIGALRM handler vulnerability because it uses syslog_r(), an async-signal-safe version of syslog().
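The safe way to handle a grace-time alarm, as an added example written for this page (not OpenSSH's own code): the handler stores only a flag in a volatile sig_atomic_t, and the main loop does the logging and memory work in normal context. The unsafe handler that logs from signal context is shown alongside for contrast and is never installed. run_preauth(), the step counts and the use of raise() in place of a real alarm() timer are constructed for the demo; sshd's real grace timer is its LoginGraceTime setting.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/*
 * HAZARD PATTERN, shown only for contrast (never installed below): a grace-
 * timeout handler that logs from signal context. syslog() may call malloc()
 * and free(), neither of which is async-signal-safe. If SIGALRM arrives while
 * the interrupted code is itself inside the allocator, heap state is corrupted.
 */
void unsafe_grace_handler(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication");   /* not async-signal-safe */
}

/* SAFE PATTERN: the handler records that the alarm fired and nothing else. */
static volatile sig_atomic_t grace_expired = 0;

void safe_grace_handler(int sig)
{
    (void)sig;
    grace_expired = 1;   /* a store to a volatile sig_atomic_t is permitted in a handler */
}

/* Install a SIGALRM handler; returns 0 on success, -1 on failure (as sigaction does). */
int install_grace_handler(void (*handler)(int))
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

/*
 * Simulated pre-authentication loop (constructed for the demo). The client
 * needs `steps_needed` iterations to finish authenticating; the grace timer
 * fires at iteration `alarm_at_step` (0 = never). The alarm is delivered with
 * raise() so the run is deterministic instead of sleeping on alarm().
 * Returns 1 if authentication completed, 0 if the grace time expired first,
 * -1 if the handler could not be installed.
 */
int run_preauth(int steps_needed, int alarm_at_step)
{
    if (install_grace_handler(safe_grace_handler) != 0)
        return -1;
    grace_expired = 0;

    for (int step = 1; step <= steps_needed; step++) {
        if (step == alarm_at_step)
            raise(SIGALRM);   /* stands in for sshd's LoginGraceTime alarm */

        /*
         * The flag is checked in normal context. Only here is it safe to log,
         * allocate or free, because no library call has been interrupted.
         */
        if (grace_expired) {
            char *reason = malloc(64);
            if (reason != NULL) {
                snprintf(reason, 64, "grace time expired at step %d", step);
                /* syslog(LOG_INFO, "%s", reason); would be safe from here */
                free(reason);
            }
            return 0;
        }
        /* ... one round of the authentication exchange would happen here ... */
    }
    return 1;
}

int main(void)
{
    printf("client finishes in time: %d\n", run_preauth(3, 5));   /* 1 */
    printf("grace expires first:     %d\n", run_preauth(5, 3));   /* 0 */
    return 0;
}
```

The design point is that the handler never touches the heap or the logger; everything that needs malloc(), free() or syslog() is deferred to the main loop, where nothing is interrupted mid-call.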

Qualys named the vulnerability “regreSSHion” because it had previously been patched as CVE-2006-5051 in 2006 but was reintroduced by a code change in October 2020 (OpenSSH 8.5p1). To expound: whenever code changes for new features, functions or bug fixes, developers perform regression analysis and testing (re-running functional and non-functional tests) to confirm that all existing functionality still works; when something that used to work stops working, that is called a regression.

Who Is Affected?

The following table shows the affected versions of SSHD/OpenSSH according to the Qualys Threat Research Team; anyone running a version marked vulnerable is exposed:

Version range                                   Status
Before 4.4p1                                    Vulnerable, unless patched for CVE-2006-5051 and CVE-2008-4109.
From 4.4p1 up to (but not including) 8.5p1     Not vulnerable, due to a transformative patch for CVE-2006-5051 that secured the unsafe function.
From 8.5p1 up to (but not including) 9.8p1     Vulnerable again, because the critical function was accidentally removed.
Note. OpenBSD systems are unaffected by this bug, as OpenBSD developed a secure mechanism in 2001 that prevents this vulnerability (Qualys, 2024).
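A version check against the table above, as an added example in C (not Qualys' or OpenSSH's tooling). parse_openssh_version() and classify_regresshion() are names chosen here, and the sample banners are constructed. One caveat for practitioners: distributions often backport the 9.8p1 fix without changing the upstream version string in the banner, so a "vulnerable" result from this check should be confirmed against the distribution's package changelog before it is acted on.

```c
#include <stdio.h>
#include <string.h>

typedef struct { int major, minor, patch; } openssh_version;

typedef enum {
    REGRESSHION_UNKNOWN = 0,                 /* no OpenSSH version in the string */
    REGRESSHION_VULNERABLE_UNLESS_PATCHED,   /* before 4.4p1: needs the CVE-2006-5051 / CVE-2008-4109 fixes */
    REGRESSHION_NOT_VULNERABLE,              /* 4.4p1 up to (excl.) 8.5p1, or 9.8p1 and later */
    REGRESSHION_VULNERABLE                   /* 8.5p1 up to (excl.) 9.8p1 */
} regresshion_status;

/*
 * Parse "OpenSSH_9.6p1" or a whole banner line such as
 * "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6". Returns 1 on success, 0 otherwise.
 * The pN suffix is optional: some banners omit it, in which case patch stays 0.
 */
int parse_openssh_version(const char *banner, openssh_version *v)
{
    const char *p = strstr(banner, "OpenSSH_");
    if (p == NULL)
        return 0;
    p += strlen("OpenSSH_");
    v->major = v->minor = v->patch = 0;
    return sscanf(p, "%d.%dp%d", &v->major, &v->minor, &v->patch) >= 2;
}

/* Every boundary in the table is an x.y p1 release, so major.minor decides. */
static int version_before(openssh_version v, int major, int minor)
{
    return v.major < major || (v.major == major && v.minor < minor);
}

regresshion_status classify_regresshion(const char *banner)
{
    openssh_version v;
    if (!parse_openssh_version(banner, &v))
        return REGRESSHION_UNKNOWN;
    if (version_before(v, 4, 4))
        return REGRESSHION_VULNERABLE_UNLESS_PATCHED;
    if (version_before(v, 8, 5))
        return REGRESSHION_NOT_VULNERABLE;      /* CVE-2006-5051 fix present */
    if (version_before(v, 9, 8))
        return REGRESSHION_VULNERABLE;          /* fix accidentally removed in 8.5p1 */
    return REGRESSHION_NOT_VULNERABLE;          /* 9.8p1 restored it */
}

const char *regresshion_status_name(regresshion_status s)
{
    switch (s) {
    case REGRESSHION_VULNERABLE:                return "VULNERABLE (8.5p1 - 9.7p1)";
    case REGRESSHION_NOT_VULNERABLE:            return "not vulnerable";
    case REGRESSHION_VULNERABLE_UNLESS_PATCHED: return "vulnerable unless CVE-2006-5051/CVE-2008-4109 patched";
    default:                                    return "unknown (no OpenSSH version found)";
    }
}

int main(void)
{
    /* Constructed sample banners; not captured from any real host. */
    const char *samples[] = {
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
        "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-OpenSSH_4.3",
        "SSH-2.0-dropbear_2022.83",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s -> %s\n", samples[i],
               regresshion_status_name(classify_regresshion(samples[i])));
    return 0;
}
```

The banner strings can be collected from your own inventory (the SSH server sends its identification line before any authentication), which keeps this a read-only check; the upgrade path the table implies is 9.8p1 or a vendor build that carries the same fix.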

Severity

Only Linux systems are vulnerable to regreSSHion (CVE-2024-6387), which carries a high severity score of 8.1/10. The exposure radius, given as aggregated counts of instances running versions 8.5p1 to 9.7p1 grouped by the most affected countries, is shown in the figure below:

[Figure: count of exposed OpenSSH 8.5p1-9.7p1 instances by country]
Note. This image is borrowed from paloaltonetworks.com (Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability).

Current Scope of Attack

Palo Alto states that while proof-of-concept (PoC) exploits for the vulnerability exist (created by several contributors and posted on GitHub), the only successful exploitation shown so far is on 32-bit Linux/glibc systems with address space layout randomization (ASLR). It also stated that this exploitation typically requires 6-8 hours of continuous connections, under lab conditions, up to the server's maximum capacity (Palo Alto, 2024). As it stands, the PoC for CVE-2024-6387 is not sufficient to reliably reach remote code execution (RCE), and there was no known activity in the wild as of July 2, 2024, according to Palo Alto.

Prevention

As gathered from different sources, it is good practice to stay on top of your security posture. Qualys Vulnerability Management, Detection, and Response (VMDR) and Palo Alto Networks product protections (such as Cortex XDR and XSIAM) can help an organization achieve that. In addition, there are open-source (cost-free) security products you can start implementing, such as pfSense and OPNsense. Both are very user-friendly and encompass a range of security controls such as firewalls, DMZs, multi-WAN failover support, virtual private networking, hardware failover, intrusion detection and prevention, two-factor authentication, web filtering, etc.

Conclusion

RegreSSHion (CVE-2024-6387) is a vulnerability in the OpenSSH server (SSHD) signal handler caused by a race condition on glibc-based Linux systems. Although the vulnerability has a CVSS score of 8.1, there was no known activity as of July 2, 2024, based on Palo Alto's scan results of unique IP addresses. However, it is important not to underestimate this vulnerability, since a successful intrusion could lead to disastrous outcomes. Note that the Porta SFTP Server is not affected, because it is not an OpenSSH server but rather a Java-based server that runs on a Java Virtual Machine (JVM), which enforces enhanced security checks before code execution and is considered an additional layer of security.

References

Qualys.com (2024). regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server. Retrieved from https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

Paloaltonetworks.com (2024). Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability. Retrieved from https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/


Logo attribution: Pixabay.com
