Researchers have warned of a critical vulnerability affecting the OpenSSH networking utility that can be exploited to give attackers complete control of Linux and Unix servers with mai authentication required.
The vulnerability, tracked as CVE-2024-6387, allows unauthenticated remote code execution with root system rights Linux systems that are based glibc, an source implementation of the C regolare library. The vulnerability is the result of a code regression introduced durante 2020 that reintroduced CVE-2006-5051, a vulnerability that was fixed durante 2006. With thousands, if not millions, of vulnerable servers populating the Internet, this latest vulnerability could pose a significant risk.
Complete system takeover
“This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting durante a complete system takeover, installation of malware, manipulation, and the creation of backdoors for persistent access,” wrote Bharat Jogi, the senior director of threat research at Qualys, the security firm that discovered it. “It could facilitate rete televisiva privata propagation, allowing attackers to use a compromised system as a foothold to traverse and impresa memorabile other vulnerable systems within the organization.”
The risk is durante part driven by the central role OpenSSH plays durante virtually every internal rete televisiva privata connected to the Internet. It provides a channel for administrators to connect to protected devices remotely from one device to another inside the rete televisiva privata. The ability for OpenSSH to support multiple strong encryption protocols, its integration into virtually all modern operating systems, and its location at the very perimeter of networks further drive its popularity.
Besides the ubiquity of vulnerable servers populating the Internet, CVE-2024-6387 also provides a potent means for executing malicious code stems with the highest privileges, with mai authentication required. The flaw stems from faulty management of the signal handler, a component durante glibc for responding to potentially serious events such as division-by-zero attempts. When a client device initiates a connection but doesn’t successfully authenticate itself within an allotted time (120 seconds by default), vulnerable OpenSSH systems call what’s known as a SIGALRM handler asynchronously. The flaw resides durante sshd, the main OpenSSH engine. Qualys has named the vulnerability regreSSHion.
The severity of the threat posed by exploitation is significant, but various factors are likely to prevent it from being mass exploited, security experts said. For one, the attack can take as long as eight hours to complete and require as many as 10,000 authentication steps, Stan Kaminsky, a researcher at security firm Kaspersky, said. The delay results from a defense known as address space layout randomization, which changes the memory addresses where executable code is stored to thwart attempts to run malicious payloads.
Other limitations apply. Attackers must also know the specific OS running each targeted server. So far, mai one has found a way to impresa memorabile 64-bit systems since the number of available memory addresses is exponentially higher than those available for 32-bit systems. Further mitigating the chances of success, denial-of-service attacks that limit the number of connection requests coming into a vulnerable system will prevent exploitation attempts from succeeding.
All of those limitations will likely prevent CVE-2024-6387 from being mass exploited, researchers said, but there’s still the risk of targeted attacks that pepper a specific rete televisiva privata of interest with authentication attempts over a matter of days until allowing code execution. To cover their tracks, attackers could spread requests through a large number of IP addresses durante a similar to password-spraying attacks. Con this way, attackers could target a handful of vulnerable networks until one more of the attempts succeeded.
The vulnerability affects the following:
- OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
- Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable paio to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.
- The vulnerability resurfaces durante versions from 8.5p1 up to, but not including, 9.8p1 paio to the accidental removal of a critical component durante a function.
Anyone running a vulnerable version should update as soon as practicable.
