A newly disclosed vulnerability in OpenSSH, CVE-2024-6409, has raised concerns across multiple Linux distributions using glibc. The security flaw, which could potentially allow remote code execution, was discovered during a review of findings by the Qualys Security team.
The vulnerability specifically affects OpenSSH versions 8.7 and 8.8 and their corresponding portable releases.
This issue arises from a race condition in signal handling in OpenSSH’s privsep (privilege separation) child process. The problem occurs when cleanup_exit(), a function not designed to be called from a signal handler, is invoked from grace_alarm_handler().
Because it then runs inside the signal handler, cleanup_exit() may in turn call other functions that are not safe to use during signal handling, particularly where downstream distribution patches have altered it.
The impact of this vulnerability is underscored by the fact that it was introduced via a patch found in Red Hat’s package of OpenSSH, notably the “openssh-7.6p1-audit.patch.”
This patch affects not only Red Hat Enterprise Linux (RHEL) 9 and its derivatives but also Fedora versions 36 and 37 and some updates to version 35.
Although Fedora has transitioned to newer versions of OpenSSH in its latest releases (38 and above), which do not contain the problematic cleanup_exit() call, the legacy versions remain vulnerable.
CVE-2024-6409 notably differs from a previously disclosed vulnerability, CVE-2024-6387, in that the new issue is triggered in a process with reduced privileges.
Luckily, this fact limits the vulnerability’s immediate impact; however, the potential for exploitation still exists, especially if not all related vulnerabilities are simultaneously addressed.
Security experts have suggested mitigation strategies such as setting OpenSSH’s “LoginGraceTime” option to zero, which is effective against both CVE-2024-6387 and CVE-2024-6409. Another mitigation, the “-e” option, is only effective against CVE-2024-6387.
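The LoginGraceTime mitigation above is easy to get wrong because sshd takes the first occurrence of a keyword, not the last. The following added example, written here and not taken from the advisory or from OpenSSH, checks a saved sshd_config text and an SSH version banner for the two facts the article gives (versions 8.7/8.8 and LoginGraceTime 0); all inputs are constructed samples.

```python
import re
from typing import Optional
# Added defender-side check (not code from the advisory or from OpenSSH): reads an
# sshd_config text and an SSH version banner you already hold; nothing is contacted.
AFFECTED_MINOR_VERSIONS = {"8.7", "8.8"}  # releases named in the article
DEFAULT_LOGIN_GRACE = 120                 # sshd default when the keyword is absent
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_sshd_time(value: str) -> int:
    """sshd time format: integer with optional unit s/m/h/d/w, concatenable ("1h30m")."""
    parts = re.findall(r"(\d+)([smhdw]?)", value.lower())
    if not parts or "".join(n + u for n, u in parts) != value.lower():
        raise ValueError(f"not an sshd time value: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)

def login_grace_time(config_text: str) -> int:
    """Effective LoginGraceTime. sshd honours the FIRST occurrence of a keyword,
    so 'LoginGraceTime 0' appended below an earlier setting changes nothing."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments / blank lines
        m = re.match(r"^(\w+)\s*=?\s*(\S+)", line)      # 'Key value' or 'Key=value'
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if key == "match":   # end of global section; keyword is invalid inside Match
            break
        if key == "logingracetime":
            return parse_sshd_time(val)
    return DEFAULT_LOGIN_GRACE

def openssh_version(banner: str) -> Optional[str]:
    """major.minor from a banner such as 'SSH-2.0-OpenSSH_8.7p1'."""
    m = re.search(r"OpenSSH_(\d+\.\d+)", banner)
    return m.group(1) if m else None

def assess(config_text: str, banner: str) -> dict:
    """Version match is a coarse hint only: the bug came from a distribution patch,
    so the package changelog, not the upstream version, decides exposure."""
    version, grace = openssh_version(banner), login_grace_time(config_text)
    return {"version": version,
            "version_named_in_advisory": version in AFFECTED_MINOR_VERSIONS,
            "login_grace_time": grace,
            "login_grace_mitigated": grace == 0}   # mitigation the article names

# Constructed sample input: the appended 'LoginGraceTime 0' is ineffective here.
SAMPLE_CONFIG = "# constructed excerpt\nPort 22\nLoginGraceTime 2m\nPermitRootLogin no\nLoginGraceTime 0\n"
SAMPLE_BANNER = "SSH-2.0-OpenSSH_8.7p1"   # constructed; not a real host
if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG, SAMPLE_BANNER))
```

On a real host, feed it the contents of /etc/ssh/sshd_config (and any Include files) and the banner from your own server's greeting; a reported 8.7/8.8 with a non-zero grace time is a prompt to check the distribution's patched package, not a verdict.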
For more information about the newly disclosed OpenSSH vulnerability, check out this link.