OpenSSH: An RCE run as Root puts 14 million instances on Linux at risk

Sandro Sana : 2 July 2024 07:53

A recent critical vulnerability in OpenSSH, identified as CVE-2024-6387, could allow unauthenticated remote code execution with root privileges on glibc-based Linux systems. This flaw resides in the server component of OpenSSH (sshd) and is due to a race condition in the signal handler. The vulnerability was reintroduced in October 2020 in OpenSSH version 8.5p1, partially fixing an 18-year-old problem (CVE-2006-5051).

Details of the Vulnerability

The vulnerability affects OpenSSH versions between 8.5p1 and 9.7p1. It allows attackers to execute arbitrary code with elevated privileges, completely compromising the system. This issue is particularly relevant because there are approximately 14 million potentially vulnerable OpenSSH server instances exposed on the Internet.

Insight into CVE-2024-6387

The CVE-2024-6387 vulnerability is a race condition in the OpenSSH signal handler, present in versions 8.5p1-9.7p1. A race condition occurs when concurrent execution of processes or threads leads to unexpected results, in this case allowing attackers to execute arbitrary code with root privileges without authentication. The problem was introduced in 2020 and reopened an old flaw from 2006 (CVE-2006-5051).

Technical Analysis

Acquista il corso Dark Web & Cyber Threat Intelligence (e-learning version)
Il Dark Web e la Cyber Threat Intelligence rappresentano aree critiche per comprendere le minacce informatiche moderne. Tra ransomware, data breach e attività illecite, le organizzazioni devono affrontare sfide sempre più complesse per proteggere i propri dati e le infrastrutture. Il nostro corso “Dark Web & Cyber Threat Intelligence” ti guiderà attraverso i meccanismi e le strategie utilizzate dai criminali informatici, fornendoti competenze pratiche per monitorare, analizzare e anticipare le minacce.

Accedi alla pagina del corso condotto dall'Prof. Pietro Melillo sulla nostra Academy e segui l'anteprima gratuita.

Per un periodo limitato, potrai utilizzare il COUPON CTI-16253 che ti darà diritto ad uno sconto del 20% sul prezzo di copertina del corso
Per ulteriori informazioni, scrivici ad [email protected] oppure scrivici su Whatsapp al 379 163 8765

Supporta RHC attraverso:

L'acquisto del fumetto sul Cybersecurity Awareness

Ti piacciono gli articoli di Red Hot Cyber? Non aspettare oltre, iscriviti alla newsletter settimanale per non perdere nessun articolo

The race condition exploits the way OpenSSH handles process signals, allowing attackers to manipulate code execution. OpenSSH developers have been working on patches to address this problem, releasing critical updates. System administrators need to apply these updates immediately to protect their systems.

Known Exploit

Attackers can exploit CVE-2024-6387 by using specific payloads or exploits that manipulate the race condition in process signals. Such methods may include:

Privilege Escalation Payload: An attacker could send signals manipulated in such a way as to execute code with root privileges.
Automated Scripts: Exploits can be included in automated scripts that execute malicious commands as soon as the race condition is triggered.
Penetration Testing Tools: Tools such as Metasploit could incorporate specific modules to exploit this vulnerability, facilitating attacks by less experienced hackers.

Security Implications.

This vulnerability is of particular concern because of the widespread deployment of OpenSSH and the severity of the impact, which could lead to the complete compromise of affected systems. Internet-exposed servers are particularly at risk, and the security community is called upon to closely monitor any exploits in circulation.

Data from Shodan

According to research conducted using the Shodan portal, there are currently 6,689 hosts on the Internet with port 22 exposed and the vulnerable version of OpenSSH_9.7p1. The distribution of these hosts is as follows:

United States: 1,625

Germany: 1,097
France: 441
Russia: 440

Netherlands: 311
China: 241
United Kingdom: 235

Finland: 165
Hong Kong: 137
Japan: 136

Canada: 135
Sweden: 126
Singapore: 112

Australia: 107
Brazil: 100
Switzerland: 98

Hungary: 98
Poland: 95
Italy: 85

India: 75
Spain: 66
Romania: 65

Possible Implications.

The security implications for systems with the SSH port open and exposed to the world are significant:

System Compromise: Attackers can gain root access, allowing them to execute any command, install malware, or even delete data.
Botnets and DDoS Attacks: Compromised systems can be used to build botnets and launch distributed denial of service (DDoS) attacks.

Data Theft: Attackers can access and steal sensitive data, including credentials, financial information, and personal information.

Persistent Threat: Once compromised, a system can be used as a persistent access point for further attacks, both within the network and to other networks.

Protection Recommendations

Software Updates: Be sure to upgrade to the latest version of OpenSSH available.

Access Restrictions: Implement firewall rules to restrict unauthorized access to servers.
Continuous Monitoring: Use intrusion detection systems (IDS) to monitor suspicious activity.
Security Controls: Conduct regular security audits and penetration tests to identify and mitigate any vulnerabilities.

The discovery of this vulnerability underscores the crucial importance of security in open source software and the need for constant vigilance and maintenance. Incidents such as this demonstrate how old vulnerabilities can reoccur, requiring continued attention from developers and system administrators.

Sandro Sana
Member of the Dark Lab group. He has been dealing with Information Technology since 1990 and Cybersecurity since 2014, (CEH - CIH - CISSP - CSIRT Manager - CTI Expert), speaker at SMAU 2017 and SMAU 2018, SMAU Academy & ITS teacher, CLUSIT member and journalist at RedHot Cyber, Cybersecurity360 & Digital360.
Visita il sito web dell'autore

Red Hot Cyber