RCE Vulnerability In OpenSSH Server

Uploaded on 2024-07-02 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Cyber security, problems often return, but rarely with such severity as seen in CVE-2024-6387, which has been dubbed "OpenSSHion." OpenSSH is a powerful collection of tools for remotely controlling networked computers and transferring data between them. The new vulnerability, assigned CVE-2024-6387, allows for unauthenticated remote code execution (RCE) with root privileges, posing a severe threat to affected systems.

Analysis of the cloud environments has found that 69% of organisations are using OpenSSH, either through a dependency or directly, and of those organisations 70% are using a vulnerable OpenSSH version.

SSH is widely used for accessing Kubernetes nodes and they’re also used sometimes within Kubernetes workloads, therefore this has a huge impact on cloud systems. The problem has been known about since 2005 but has now resurfaced, leaving millions of systems vulnerable to unauthorised control. 

This discovery follows another major vulnerability found in the XZ Utils library just a few months ago, highlighting ongoing security challenges. Although CVE-2024-6387 is a serious flaw, it’s very hard to exploit in practice, and so far, no one has managed to use it to attack remote machines. Even so, it’s crucial to understand the risk and take steps to protect your systems.

An attacker could gain complete control of the affected system by executing arbitrary code with root privileges. This could allow the installation of malware, the creation of backdoors, and the exfiltration or manipulation of data. In addition, gaining root privileges could allow the intruder to disable or bypass critical security systems to maintain a permanent presence.
 
Commenting on this, Thomas Richards, principal consultant at the Synopsys Software Integrity Group, said, "OpenSSH has been the standard for SSH installations for a very long time.  With OpenSSH being used pretty much everywhere, if this vulnerability is not patched, organisations are in danger of having their critical systems compromised.  Organisations need to roll out this patch immediately for any internet-facing systems, including cloud systems.  As an additional layer of security, firewall rules should be enabled only to allow SSH connections from trusted networks... I suspect we’ll see a rise in compromises of embedded and IoT systems, as many consumer models are meant to be disposable and rarely get updates..."

"A vulnerability like this could be used by attackers over a long period of time, as older systems do not get updates or as organisations are slow to patch."  Richards said.

Technical Details

The new vulnerability has been discovered in OpenSSH’s server when a client fails to authenticate within the current time period, which is set to 120 seconds in current versions and 600 seconds in older versions. This problem is not completely new and is part of a previously identified issue reported in 2006. The earlier vulnerability also involved a signal handler race condition in OpenSSH versions prior to 4.4, which could lead to a denial of service or potentially allow remote code execution.

The implications of this vulnerability are particularly severe on glibc-based Linux systems, and creates a option where an attacker can use an arbitrary code as root without needing to authenticate. This is because OpenSSH privileged code operates with full system privileges and lacks sandboxing.

Exploitation

Exploiting the signal handler race condition vulnerability in OpenSSH requires a deep understanding of timing attacks and memory manipulation. The following section explains the steps an attacker would take to exploit this vulnerability, along with an example pseudocode to illustrate the process.

First, the attacker initiates multiple connections to the target OpenSSH server, which causes the server to raise the SIGALRM signal. Exploiting this vulnerability is not straightforward and typically requires around 10,000 attempts on average. Each attempt resets the LoginGraceTime timer, giving the attacker a new window to trigger the vulnerability.

During the exploitation process, the attacker adjusts the timing of their inputs based on feedback from previous attempts. This helps to fine-tune the timing required to successfully interrupt the signal handler at the critical moment. Modern systems have defences like Address Space Layout Randomisation (ASLR) and No-eXecute (NX) to prevent such exploits. 

The attacker leverages predictable memory patterns and advanced timing techniques to bypass these protections. Successful exploitation allows the attacker to overwrite critical memory structures, leading to the execution of arbitrary code. 

Security Teams Are Advised To Take The Following Action

  • Patch management: Apply patches for OpenSSH immediately and ensure continuous update processes.
  • Enhanced access control: Restrict SSH access via network-based controls.
  • Network segmentation and intrusion detection: Segregate networks and deploy monitoring systems to detect exploitation attempts.
  • Temporary mitigation: If the team can’t apply patches right away, configure LoginGraceTime to 0 to prevent exploitation, although this exposes systems to potential denial-of-service.

Marc Manzano, general manager for cybersecurity at SandboxAQ commented "... Any vulnerability allowing remote code execution opens the door to malicious actors that can have catastrophic consequences. Modern cryptography management platforms help companies monitor where this vulnerable version of OpenSSH is present across the IT infrastructure, providing an effective and seamless solution to address this situation in a timely manner."

Armorsec   |   Qualys   |    Picus Seceuirity    |    SC Magazine   |   Wiz.io   |   Orca Security   |   Synopsis   

Image: Ideogram

You Might Also Read: 

Securing Kubernetes Helm: Vulnerabilities & Defensive Strategies:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« AI Has The Power To Transform Healthcare Cyber Security
London Hospitals Were Attacked By Russian Hackers »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Bryan Cave LLP

Bryan Cave LLP

Bryan Cave LLP is a global business and litigation law firm. Practice areas include Data Privacy and Security.

XLAB

XLAB

XLAB is an R&D company with a strong research background in the fields of distributed systems, cloud computing, security and dependability of systems.

Global Lifecycle Solutions EMEA (Global EMEA)

Global Lifecycle Solutions EMEA (Global EMEA)

Global EMEA provides full lifecycle services to corporate Clients covering procurement, configuration, support, maintenance and end-of-life asset management.

Smart Protection

Smart Protection

Smart Protection are experts in brand and trademark protection - we fight against counterfeits and unauthorized usages of brands with machine learning technology.

Onsist

Onsist

Onsist brand protection services provide proactive defense against fraudulent use of your brand online.

Cloudrise

Cloudrise

Cloudrise are elevating cloud security, data protection, and privacy through assessment, technology enablement, and process automation.

Stratum Security

Stratum Security

Stratum Security is an information security consulting company that focuses on providing clear and concise risk guidance to its clients through high quality assessment services.

Cyber Security Forum Initiative (CSFI)

Cyber Security Forum Initiative (CSFI)

CSFI is a non-profit organization with a mission to provide Cyber Warfare awareness, guidance, and security solutions through collaboration, education, volunteer work, and training.

L3Harris Technologies

L3Harris Technologies

L3Harris Technologies is a global aerospace and defense technology innovator, delivering solutions to meet mission-critical needs across air, land, sea, space and cyber domains.

Infopercept Consulting

Infopercept Consulting

Infopercept is a leading cybersecurity company in India, providing a critical layer of security to protect business information, infrastructure & assets across the organization.

Porto Research, Technology & Innovation Center (PORTIC)

Porto Research, Technology & Innovation Center (PORTIC)

PORTIC brings together several research centers and groups from P.PORTO in a single space, forming a superstructure dedicated to research, technology transfer, innovation and entrepreneurship.

Venari Security

Venari Security

Venari is an award-winning cybersecurity SaaS provider that has developed an ETA (Encrypted Traffic Analysis) platform which fundamentally changes the way encrypted traffic is analysed.

Cyber Defense Technologies (CDT)

Cyber Defense Technologies (CDT)

Cyber Defense Technologies provides services and turn-key solutions to secure and maintain the integrity of your organization’s systems and data against attacks.

BCyber

BCyber

BCyber is a Swiss Cyber Security company that provides security products, training, and managed services to protect diverse IT and OT environments against cyber, physical, and cyber-physical threats.

Nova Microsystems

Nova Microsystems

Nova's mission is to revolutionize cybersecurity through continuous data analysis and dynamic AI-driven encryption.

CelcomDigi

CelcomDigi

CelcomDigi aspire to be Malaysia’s top Telco-Tech company, transforming beyond core connectivity to lead digitalization and innovation as part of nation-building.