New OpenSSH Vulnerability Discovered: Potential Remote Code Execution Risk
Summary:
A new vulnerability, designated CVE-2024-6409 (CVSS score: 7.0), has been discovered in OpenSSH versions 8.7p1 and 8.8p1, specifically those shipped with Red Hat Enterprise Linux 9 (RHEL 9). The current versions of RHEL 7 and RHEL 8 are safe. This vulnerability is distinct from the recently disclosed CVE-2024-6387 (RegreSSHion) and exploits a race condition in signal handling to potentially enable remote code execution (RCE) within the unprivileged child process of the SSH daemon (sshd). CVE-2024-6409 shares similarities with CVE-2024-6387 (RegreSSHion). Exploitation relies on an unpredictable race condition, necessitating a huge number of attempts to overcome. However, a key difference lies in the targeted process. CVE-2024-6387 impacted the parent server process, which holds greater privileges. In contrast, CVE-2024-6409 targets the child process, resulting in a reduced potential impact for attackers. Despite this distinction, successful exploitation of either vulnerability could still provide attackers with a foothold on the system. This could allow them to move laterally within the network, escalate privileges, or deploy malware via RCE. There is no evidence of active exploitation of CVE-2024-6409 yet. However, an unknown threat actor has been recently been observed exploiting CVE-2024-6387 to target servers located in China according to Veriti’s report. Although discovered on the same day, CVE-2024-6409 was coordinated to be disclosed separately afterward because Red Hat already had a fix for CVE-2024-6387 in the pipeline and wasn't ready to add a fix for CVE-2024-6409 at the same time leading to two different disclosure dates. All versions of RHEL 9 have patched CVE-2024-6387 as of July 8th, 2024. However, CVE-2024-6409 still affects Red Hat Enterprise Linux 9 as of this time.
Security Officer Comments:
The recent discovery of an active exploit for CVE-2024-6387 underscores the importance of patching both vulnerabilities promptly. The initial vector of the cybercriminal attack utilizing originates from the IP address 108.174.58[.]28, which hosts a directory of exploit tools for automating the infiltration of vulnerable SSH servers. This likely indicates this attacker using CVE-2024-6387 is potentially performing attacks via MaaS (Malware-as-a-service), suggesting that exploiting these OpenSSH vulnerabilities requires no barrier of entry for script kiddies and could result in widespread exploitation of both vulnerabilities. Their differences in exploitability for particular scenarios allows the potential attacker to choose the most effective option. This incident highlights the importance of staying informed about the latest security advisories and implementing patches as soon as they are released to minimize the window of opportunity for attackers.
While RHEL 9 users utilizing OpenSSH versions 8.7p1 and 8.8p1 are the ones primarily impacted by CVE-2024-6409, all organizations leveraging OpenSSH should exercise caution. It's crucial to maintain a proactive security posture by subscribing to security advisories from relevant vendors and implementing patches in a timely manner. Organizations should also consider implementing additional security measures such as system hardening and user access controls to further mitigate potential risks.
Suggested Corrections:
Addressing vulnerabilities in OpenSSH, which enables remote code execution on Linux systems, demands a focused and layered security approach. Here are concise steps and strategic recommendations for enterprises to safeguard against this significant threat:
- Patch Management: Quickly apply available patches for OpenSSH and prioritize ongoing update processes.
- Enhanced Access Control: Limit SSH access through network-based controls to minimize the attack risks.
- Network Segmentation and Intrusion Detection: Divide networks to restrict unauthorized access and lateral movements within critical environments and deploy systems to monitor and alert on unusual activities indicative of exploitation attempts.
Link(s):
https://thehackernews.com/2024/07/new-openssh-vulnerability-discovered.html
https://www.openwall.com/lists/oss-security/2024/07/08/2