Red Hot Cyber

Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.

OpenSSH: An RCE run as Root puts 14 million instances on Linux at risk

Sandro Sana : 2 July 2024 07:53

A recent critical vulnerability in OpenSSH, identified as CVE-2024-6387, could allow unauthenticated remote code execution with root privileges on glibc-based Linux systems. This flaw resides in the server component of OpenSSH (sshd) and is due to a race condition in the signal handler. The vulnerability was reintroduced in October 2020 in OpenSSH version 8.5p1, partially fixing an 18-year-old problem (CVE-2006-5051).

Details of the Vulnerability

The vulnerability affects OpenSSH versions between 8.5p1 and 9.7p1. It allows attackers to execute arbitrary code with elevated privileges, completely compromising the system. This issue is particularly relevant because there are approximately 14 million potentially vulnerable OpenSSH server instances exposed on the Internet.

Insight into CVE-2024-6387

The CVE-2024-6387 vulnerability is a race condition in the OpenSSH signal handler, present in versions 8.5p1-9.7p1. A race condition occurs when concurrent execution of processes or threads leads to unexpected results, in this case allowing attackers to execute arbitrary code with root privileges without authentication. The problem was introduced in 2020 and reopened an old flaw from 2006 (CVE-2006-5051).

Technical Analysis

The race condition exploits the way OpenSSH handles process signals, allowing attackers to manipulate code execution. OpenSSH developers have been working on patches to address this problem, releasing critical updates. System administrators need to apply these updates immediately to protect their systems.

Known Exploit

Attackers can exploit CVE-2024-6387 by using specific payloads or exploits that manipulate the race condition in process signals. Such methods may include:

  • Privilege Escalation Payload: An attacker could send signals manipulated in such a way as to execute code with root privileges.
  • Automated Scripts: Exploits can be included in automated scripts that execute malicious commands as soon as the race condition is triggered.
  • Penetration Testing Tools: Tools such as Metasploit could incorporate specific modules to exploit this vulnerability, facilitating attacks by less experienced hackers.

Security Implications.

This vulnerability is of particular concern because of the widespread deployment of OpenSSH and the severity of the impact, which could lead to the complete compromise of affected systems. Internet-exposed servers are particularly at risk, and the security community is called upon to closely monitor any exploits in circulation.

Data from Shodan

According to research conducted using the Shodan portal, there are currently 6,689 hosts on the Internet with port 22 exposed and the vulnerable version of OpenSSH_9.7p1. The distribution of these hosts is as follows:

  • United States: 1,625
  • Germany: 1,097
  • France: 441
  • Russia: 440
  • Netherlands: 311
  • China: 241
  • United Kingdom: 235
  • Finland: 165
  • Hong Kong: 137
  • Japan: 136
  • Canada: 135
  • Sweden: 126
  • Singapore: 112
  • Australia: 107
  • Brazil: 100
  • Switzerland: 98
  • Hungary: 98
  • Poland: 95
  • Italy: 85
  • India: 75
  • Spain: 66
  • Romania: 65

Possible Implications.

The security implications for systems with the SSH port open and exposed to the world are significant:

  • System Compromise: Attackers can gain root access, allowing them to execute any command, install malware, or even delete data.
  • Botnets and DDoS Attacks: Compromised systems can be used to build botnets and launch distributed denial of service (DDoS) attacks.
  • Data Theft: Attackers can access and steal sensitive data, including credentials, financial information, and personal information.

Persistent Threat: Once compromised, a system can be used as a persistent access point for further attacks, both within the network and to other networks.

Protection Recommendations

  • Software Updates: Be sure to upgrade to the latest version of OpenSSH available.
  • Access Restrictions: Implement firewall rules to restrict unauthorized access to servers.
  • Continuous Monitoring: Use intrusion detection systems (IDS) to monitor suspicious activity.
  • Security Controls: Conduct regular security audits and penetration tests to identify and mitigate any vulnerabilities.

The discovery of this vulnerability underscores the crucial importance of security in open source software and the need for constant vigilance and maintenance. Incidents such as this demonstrate how old vulnerabilities can reoccur, requiring continued attention from developers and system administrators.

Sandro Sana
Member of the Dark Lab group. He has been involved in Information Technology since 1990, over the years he has worked with different types of companies from SMEs to Enterprise and the PA. Since 2003 he began to be interested in communication, NLP and Public Speaking. In 2014 he specialized in scouting and R&D of solutions in Cybersecurity. CEH - EC-Council Certified Ethical Hacker, CIH EC-Council Certified Incident Handler, CISSP - Certified Information Systems Security Professional, speaker at SMAU 2017 and SMAU 2018, lecturer at SMAU Academy & ITS, member of the Association of Information Technology Professionals since 2017 and Coordinator for the Friuli-Venezia Giulia region for AIP-ITCS. CLUSIT member and journalist at RedHot Cyber, Cybersecurity360 & Digital360.
Visita il sito web dell'autore