
On July 1, 2024, OpenSSH released version 9.8, which includes a security update for a critical vulnerability in sshd(8).
A recent discovery by the Qualys Threat Research Unit (TRU) reveals that this vulnerability is a race condition in the signal handler, specifically in the handling of the case where a client fails to authenticate within a specified grace period (). The issue can lead to a crash or even remote code execution and was present in Portable OpenSSH versions from 8.5p1 to 9.7p1 (inclusive).
The vulnerability is tracked as CVE-2024-6387 and has been assigned a CVSS score of 8.1 (HIGH).
What Is the Problem?
When an SSH client does not authenticate within the (120 seconds by default), the signal handler in sshd is called. This handler calls various functions that are not safe to execute asynchronously, such as . This unsafe execution can cause sshd to enter an inconsistent state, creating a potential for exploitation.
The History and Affected Versions
This vulnerability is actually a regression (hence the name "regreSSHion") of a previously fixed issue, CVE-2006-5051, reported in 2006. The problem reappeared in October 2020 with the release of OpenSSH 8.5p1 due to a change in the logging infrastructure. As a result, versions of OpenSSH up to 4.4p1, plus versions from 8.5p1 to 9.7p1 running on glibc-based Linux, are vulnerable.
The Exploit
The vulnerability is exploitable on systems using the glibc library, as calls functions like that are not safe to execute in an asynchronous signal handler. An attacker can exploit this by forcing sshd into a specific state right as the signal is delivered.
Exploitation Process:
Theoretical path: Find a code path that, if interrupted at the right moment, leaves sshd in an inconsistent state.
Practical path: Achieve this state reliably and repeatedly.
Timing: Maximize the chances of interrupting sshd at the right moment remotely.
By methodically exploiting old and new versions of OpenSSH on and leveraging specific behaviors of and , attackers can achieve remote code execution.
Mitigation and Fixes
The OpenSSH team has released a fix (commit 81c1099) that moves the unsafe signal handling code out of the signal handler context. This fix is part of a larger update aimed at enhancing the security and robustness of sshd.
To protect your systems, update OpenSSH to version 9.8 or later. This will ensure that your sshd is no longer vulnerable to this issue.
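A quick way to screen a fleet against the affected ranges given above (up to 4.4p1, and 8.5p1 through 9.7p1) is to parse the version string a server advertises in its SSH identification banner. The following is an added example for this post, not code from OpenSSH or NetBird; the banner strings it runs on are constructed samples, and the version check is only a screening step because distribution packages often backport the fix without bumping the version.

```python
import re

# Affected ranges as stated in the advisory: the original CVE-2006-5051 range
# (up to 4.4p1) and the regression range (8.5p1 through 9.7p1), inclusive.
# Versions are compared as (major, minor, portable-release) tuples.
AFFECTED_RANGES = [((0, 0, 0), (4, 4, 1)), ((8, 5, 1), (9, 7, 1))]

# Matches the "OpenSSH_9.6p1" part of a banner such as
# "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"; the "pN" suffix is optional.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, portable) from an SSH identification string,
    or None if the banner does not look like OpenSSH."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, p = m.groups()
    return (int(major), int(minor), int(p) if p else 0)


def is_version_in_affected_range(version):
    """True if the version tuple falls inside any affected range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def assess_banner(banner):
    """Screening verdict for one banner. A version in range means
    'verify the vendor patch status', not 'confirmed vulnerable'."""
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown: not an OpenSSH banner"
    if is_version_in_affected_range(v):
        return "in affected range: %d.%dp%d, verify vendor patch status" % v
    return "not in affected range: %d.%dp%d" % v


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    samples = [
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
        "SSH-2.0-dropbear_2022.83",
    ]
    for banner in samples:
        print(banner, "->", assess_banner(banner))
```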
Temporary Workarounds
If updating OpenSSH is not immediately possible, you can:
Set to : This mitigates the issue but exposes sshd to potential denial-of-service attacks by exhausting all connection slots.
Comment out the unsafe code: As a quick fix, comment out the unsafe logging code in the signal handler function.
You can also hide your servers from the public by using NetBird, an overlay network and security platform that doesn't require opening ports to the public internet when connecting your machines. This will reduce the risk of exploitation until you can update OpenSSH. Simply install NetBird on your devices and close your public SSH ports.
Acknowledgments
This discovery highlights the continuous collaboration and dedication of the OpenSSH development team and security researchers. Their efforts ensure that OpenSSH remains one of the most secure and reliable pieces of software in the world.
