
CVE-2024-6387 | OpenSSH | RCE

Vulnerability: CVE-2024-6387
Type: Remote Unauthenticated Code Execution Vulnerability
Description: Remote Unauthenticated Code Execution Vulnerability in the OpenSSH server.

Root Cause: This vulnerability arises from a signal handler race condition in sshd that allows unauthenticated remote attackers to execute arbitrary code as root. If a client does not authenticate within LoginGraceTime seconds (120 by default), sshd's SIGALRM handler is called asynchronously and in turn calls various functions that are not async-signal-safe. "A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges."
The Impact of the Bug: CVE-2024-6387 is a remote code execution vulnerability in the OpenSSH server on glibc-based Linux systems. Its primary impact is that an unauthenticated remote attacker can execute arbitrary code as the root user. The signal handler in the OpenSSH server, which is triggered when a client does not authenticate within the configured time frame, calls non-async-signal-safe functions such as syslog(). This creates a race condition that can leave the process in an inconsistent state and open to exploitation. The issue is a regression of an older vulnerability (CVE-2006-5051) that was originally fixed but reintroduced in a later OpenSSH version (8.5p1) when a crucial safe-logging mechanism was removed. In practical terms, exploiting this vulnerability requires sending numerous authentication requests to the server so that the race is hit at the right moment; this is complex and time-consuming, but potentially devastating because of the root privileges it grants the attacker.
How to detect whether you have an application vulnerable to this attack vector: To determine whether your system is vulnerable to CVE-2024-6387, follow these steps:

1. Check OpenSSH Version:
- Determine the version of OpenSSH you are using. This vulnerability affects versions 8.5p1 to 9.8p1. You can check your OpenSSH version with the following command:

  ssh -V

2. Review Configuration:
- Examine your OpenSSH server configuration, specifically the LoginGraceTime setting, which defaults to 120 seconds. This setting is relevant because the vulnerability is triggered when a client does not authenticate within the LoginGraceTime period.

3. Examine System Logs:
- Exploitation attempts generate a large volume of log entries in auditd and in auth.log/secure. The following are samples from exploit attempts (tested on Rocky v9.4).
- Look for auditd records of type USER_LOGIN with AUID unset:

  type=USER_LOGIN msg=audit(1722167859.244): pid=4518 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="" (unknown)' exe="/usr/sbin/sshd" hostname=? addr=192.168.50.212 terminal=ssh res=failed' UID="root" AUID="unset"

- Look for auth.log/secure entries from sshd showing errors in the preauth phase:

  Jul 28 14:53:26 localhost sshd[4435]: padding error: need 37 block 8 mod 5 [preauth]
  Jul 28 14:53:26 localhost sshd[4435]: ssh_dispatch_run_fatal: Connection from 192.168.50.212 port 54936: message authentication code incorrect [preauth]

4. Test for Vulnerability:
- Use tools or scripts designed to test for this specific vulnerability, for example: https://github.com/asterictnl-lvdw/CVE-2024-6387
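As an added example (not part of this advisory or of the referenced repository), the following Python triage script applies the two log checks from step 3 to constructed sample lines modelled on the samples above; the second address, the benign login line and the alert threshold are assumptions.

```python
import re
from collections import Counter
# Constructed sample lines, modelled on the auth.log/secure and auditd samples
# above (Rocky 9.4 style). The 10.0.0.5 address and the benign login are invented.
SAMPLE_AUTH_LOG = """\
Jul 28 14:53:26 localhost sshd[4435]: padding error: need 37 block 8 mod 5 [preauth]
Jul 28 14:53:26 localhost sshd[4435]: ssh_dispatch_run_fatal: Connection from 192.168.50.212 port 54936: message authentication code incorrect [preauth]
Jul 28 14:53:27 localhost sshd[4440]: ssh_dispatch_run_fatal: Connection from 192.168.50.212 port 54938: message authentication code incorrect [preauth]
Jul 28 14:53:40 localhost sshd[4450]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2: ED25519 SHA256:CONSTRUCTED
"""
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1722167859.244): pid=4518 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="" (unknown)' exe="/usr/sbin/sshd" hostname=? addr=192.168.50.212 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1722167870.100): pid=4520 uid=0 auid=1000 ses=5 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=/dev/pts/0 res=success'
"""

# sshd fatal disconnects that happened before authentication, with the peer address.
PREAUTH_FATAL = re.compile(
    r"sshd\[\d+\]: .*?Connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+: .* \[preauth\]$"
)
# auditd USER_LOGIN records; auid=4294967295 is the "unset" (-1) login UID.
AUDIT_LOGIN = re.compile(
    r"type=USER_LOGIN .*?auid=(?P<auid>\d+) .*?addr=(?P<ip>\S+) .*?res=(?P<res>\w+)"
)
AUID_UNSET = "4294967295"

def preauth_failures_by_ip(auth_log: str) -> Counter:
    """Count [preauth] fatal disconnects per client address in auth.log/secure."""
    counts = Counter()
    for line in auth_log.splitlines():
        m = PREAUTH_FATAL.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def unset_auid_failures_by_ip(audit_log: str) -> Counter:
    """Count failed auditd USER_LOGIN records whose AUID is unset, per address."""
    counts = Counter()
    for line in audit_log.splitlines():
        m = AUDIT_LOGIN.search(line)
        if m and m.group("auid") == AUID_UNSET and m.group("res") == "failed":
            counts[m.group("ip")] += 1
    return counts

def suspicious_sources(auth_log: str, audit_log: str, threshold: int = 3) -> list:
    """Addresses whose combined preauth/unset-AUID failures reach the threshold (assumed default 3)."""
    auth = preauth_failures_by_ip(auth_log)
    audit = unset_auid_failures_by_ip(audit_log)
    return sorted(ip for ip in set(auth) | set(audit) if auth[ip] + audit[ip] >= threshold)
```

Both signals also appear during ordinary scanning and brute-force activity, so treat a hit as a lead to correlate with connection timing around LoginGraceTime and with the version check in step 1, not as proof of exploitation.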
References
https://github.com/asterictnl-lvdw/CVE-2024-6387
https://www.qualys.com/2024/07/01/cve-2024-6387/regression.txt