A recent critical vulnerability in OpenSSH, identified as CVE-2024-6387, could allow unauthenticated remote code execution with root privileges on glibc-based Linux systems. The flaw resides in the server component of OpenSSH (sshd) and is due to a race condition in a signal handler. It is a regression: the fix for an 18-year-old problem (CVE-2006-5051) was lost in October 2020 with the release of OpenSSH 8.5p1, which reintroduced the bug.
Details of the Vulnerability
The vulnerability affects OpenSSH versions 8.5p1 through 9.7p1 inclusive. It allows attackers to execute arbitrary code with elevated privileges, completely compromising the system. The issue is particularly relevant because approximately 14 million potentially vulnerable OpenSSH server instances are exposed on the Internet.
Insight into CVE-2024-6387
CVE-2024-6387 is a race condition in an OpenSSH signal handler, present in versions 8.5p1 through 9.7p1. A race condition occurs when the timing of concurrent execution (here, a signal handler interrupting the main code path) leads to unintended behaviour; in this case it allows an attacker to execute arbitrary code with root privileges without authenticating. The problem was introduced in 2020 and reopened an old flaw from 2006 (CVE-2006-5051).
Technical Analysis
The race condition arises from the way sshd handles process signals; an attacker who wins the race can influence how code is executed in the privileged server process. OpenSSH developers have released patched versions to address the problem, and system administrators need to apply these updates immediately to protect their systems.
Known Exploit
Attackers can exploit CVE-2024-6387 by using specific payloads or exploits that manipulate the race condition in signal handling. Such methods may include:
Privilege Escalation Payload: An attacker could send signals manipulated in such a way as to execute code with root privileges.
Automated Scripts: Exploits can be included in automated scripts that execute malicious commands as soon as the race condition is triggered.
Penetration Testing Tools: Tools such as Metasploit could incorporate specific modules to exploit this vulnerability, facilitating attacks by less experienced hackers.
Security Implications
This vulnerability is of particular concern because of the widespread deployment of OpenSSH and the severity of the impact, which could lead to the complete compromise of affected systems. Internet-exposed servers are particularly at risk, and the security community is called upon to closely monitor any exploits in circulation.
Data from Shodan
According to research conducted using the Shodan portal, there are currently 6,689 hosts on the Internet with port 22 exposed and advertising the vulnerable banner OpenSSH_9.7p1. The distribution of these hosts by country is as follows:
United States: 1,625
Germany: 1,097
France: 441
Russia: 440
Netherlands: 311
China: 241
United Kingdom: 235
Finland: 165
Hong Kong: 137
Japan: 136
Canada: 135
Sweden: 126
Singapore: 112
Australia: 107
Brazil: 100
Switzerland: 98
Hungary: 98
Poland: 95
Italy: 85
India: 75
Spain: 66
Romania: 65
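The Shodan figures above are derived from the version string that sshd advertises in its SSH identification banner. The following Python script is an added example (not code from the article or from the OpenSSH project) of how a defender can classify such banners against the affected range the article gives, 8.5p1 through 9.7p1. The sample banners are constructed for illustration; the classification labels and the function names are this example's own. It also generalizes beyond the single OpenSSH_9.7p1 banner mentioned above: any OpenSSH major.minor in the range is flagged, other SSH implementations are set aside, and a banner carrying a distribution comment (for example "Debian-5") is marked for verification, because distributions commonly backport a fix without changing the advertised version.

```python
import re
from collections import Counter

# Affected range stated in the article: OpenSSH 8.5p1 through 9.7p1 (inclusive).
# Membership is decided on major.minor; the "pN" portable-release suffix is kept
# only for reporting.
AFFECTED_MIN = (8, 5)
AFFECTED_MAX = (9, 7)

# Matches e.g. "OpenSSH_9.7p1 Debian-5": version 9.7, portable release 1,
# distribution comment "Debian-5".  "OpenSSH_9.8" (no pN suffix) also matches.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?(?:\s+(.+))?")


def parse_openssh_version(banner: str):
    """Return (major, minor, portable_release) from an SSH identification string,
    or None when the banner does not advertise OpenSSH at all."""
    m = BANNER_RE.search(banner.strip())
    if not m:
        return None
    major, minor, portable, _comment = m.groups()
    return (int(major), int(minor), int(portable) if portable else 0)


def distro_comment(banner: str):
    """The free-text comment after the version token (e.g. 'Debian-5'), or None."""
    m = BANNER_RE.search(banner.strip())
    return m.group(4) if m and m.group(4) else None


def classify(banner: str) -> str:
    """Classify a banner against the affected range (labels are this example's own).

    'in-affected-range'      : 8.5 <= major.minor <= 9.7
    'outside-affected-range' : older or newer OpenSSH
    'not-openssh'            : some other SSH implementation
    """
    v = parse_openssh_version(banner)
    if v is None:
        return "not-openssh"
    in_range = AFFECTED_MIN <= v[:2] <= AFFECTED_MAX
    return "in-affected-range" if in_range else "outside-affected-range"


def assess(banner: str) -> dict:
    """Banner-only assessment.  A distribution comment means the package may carry
    a backported fix without a version bump, so the banner alone cannot prove the
    host is vulnerable; such hosts are flagged for verification against package
    metadata instead of being reported as confirmed vulnerable."""
    status = classify(banner)
    comment = distro_comment(banner)
    return {
        "banner": banner.strip(),
        "status": status,
        "verify_package": status == "in-affected-range" and comment is not None,
    }


def tally(banners) -> Counter:
    """Count banners per classification, the way a scan result would be summarised."""
    return Counter(classify(b) for b in banners)


# Constructed sample banners for the demonstration (not real scan data).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.7p1 Debian-5",
    "SSH-2.0-OpenSSH_8.5p1",
    "SSH-2.0-OpenSSH_9.8",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5",
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "SSH-2.0-dropbear_2022.83",
    "SSH-2.0-OpenSSH_7.4",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(assess(b))
    print(dict(tally(SAMPLE_BANNERS)))
```

Run it against a list of banners collected from your own hosts (for example the first line returned by connecting to port 22); anything reported as in-affected-range with verify_package set should be checked against the installed package's changelog rather than treated as confirmed vulnerable, and anything in range without a distribution comment should be upgraded.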
Possible Implications
The security implications for systems with the SSH port open and exposed to the world are significant:
System Compromise: Attackers can gain root access, allowing them to execute any command, install malware, or even delete data.
Botnets and DDoS Attacks: Compromised systems can be used to build botnets and launch distributed denial of service (DDoS) attacks.
Data Theft: Attackers can access and steal sensitive data, including credentials, financial information, and personal information.
Persistent Threat: Once compromised, a system can be used as a persistent access point for further attacks, both within the network and to other networks.
Protection Recommendations
Software Updates: Be sure to upgrade to the latest version of OpenSSH available.
Access Restrictions: Implement firewall rules to restrict unauthorized access to servers.
Continuous Monitoring: Use intrusion detection systems (IDS) to monitor suspicious activity.
Security Controls: Conduct regular security audits and penetration tests to identify and mitigate any vulnerabilities.
The discovery of this vulnerability underscores the crucial importance of security in open source software and the need for constant vigilance and maintenance. Incidents such as this demonstrate how old vulnerabilities can recur, requiring continued attention from developers and system administrators.
CISO, Head of Cybersecurity Eurosystem Group. Member of the Red Hot Cyber Dark Lab team and director of the Red Hot Cyber Podcast. He has worked in Information Technology since 1990 and specialized in Cybersecurity since 2014 (CEH - CIH - CISSP - CSIRT Manager - CTI Expert). Speaker at SMAU 2017 and SMAU 2018, lecturer for SMAU Academy & ITS, and member of ISACA.
He is also a member of the Scientific Committee of the national Competence Center Cyber 4.0, where he contributes to the strategic direction of research, training, and innovation activities in cybersecurity. He is the author of the book "IL FUTURO PROSSIMO".
Areas of Expertise: Cyber Threat Intelligence, NIS2, Security Governance & Compliance, CSIRT & Crisis Management, Research, Disclosure, and Cyber Culture