Security New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems

Discussion in 'CentOS, Redhat & Oracle Linux News' started by pamamolf, Jul 2, 2024.

  1. pamamolf (Premium Member, joined May 31, 2014)

    OpenSSH maintainers have released security updates to contain a critical security flaw that could result in unauthenticated remote code execution with root privileges in glibc-based Linux systems.

    The vulnerability has been assigned the CVE identifier CVE-2024-6387. It resides in the OpenSSH server component, also known as sshd, which is designed to listen for connections from any of the client applications.

    "The vulnerability, which is a signal handler race condition in OpenSSH's server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems," Bharat Jogi, senior director of the threat research unit at Qualys, said in a disclosure published today. "This race condition affects sshd in its default configuration."


    The cybersecurity firm said it identified no less than 14 million potentially vulnerable OpenSSH server instances exposed to the internet, adding it's a regression of an already patched 18-year-old flaw tracked as CVE-2006-5051, with the problem reinstated in October 2020 as part of OpenSSH version 8.5p1.

    "Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with [address space layout randomization]," OpenSSH said in an advisory. "Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept."

    The vulnerability impacts versions between 8.5p1 and 9.7p1. Versions prior to 4.4p1 are also vulnerable to the race condition bug unless they are patched for CVE-2006-5051 and CVE-2008-4109. It's worth noting that OpenBSD systems are unaffected as they include a security mechanism that blocks the flaw.

    Specifically, Qualys found that if a client does not authenticate within 120 seconds (a setting defined by LoginGraceTime), then sshd's SIGALRM handler is called asynchronously in a manner that's not async-signal-safe.

    Source:
    New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems
     
  2. eva2000 (Administrator, Staff Member, joined May 24, 2014, Brisbane, Australia)

    Wow, this could potentially be a big one. Will need to read up on it. Another article: OpenSSH Vulnerability: CVE-2024-6387 FAQs and Resources | Qualys, Inc.

    So only OpenSSH <4.4p1 and >= 8.5p1 are vulnerable. If that is the case, CentOS 6 OpenSSH 5.3p1, CentOS 7 OpenSSH 7.4p1 and EL8 OpenSSH 8.0p1 are safe and only EL9 is impacted with OpenSSH 8.7p1.

    Users can check which OpenSSH version is installed via the command
    Code (Text):
    rpm -qa openssh
    

    CentOS 7
    Code (Text):
    rpm -qa openssh
    openssh-7.4p1-22.el7_9.x86_64
    

    AlmaLinux 8
    Code (Text):
    rpm -qa openssh
    openssh-8.0p1-24.el8.x86_64
    

    AlmaLinux 9
    Code (Text):
    rpm -qa openssh
    openssh-8.7p1-38.el9.x86_64
    
     
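
    To turn the version ranges quoted in this thread into a repeatable check, here is an added example (my script, not Centmin Mod's code and not from the Qualys advisory) that classifies an OpenSSH version string, or the NVRA printed by `rpm -q openssh`, against those ranges: below 4.4p1 (unless the CVE-2006-5051 / CVE-2008-4109 fixes were backported) and 8.5p1 through 9.7p1 inclusive. The function names are mine; the package names it falls back to when `rpm` is unavailable are the ones shown in the post above plus the bare `5.3p1` mentioned for CentOS 6. Because EL packages keep the upstream version string after a backported fix, `affected` here means "the version is in range, check the changelog", not "the host is exploitable".

```shell
#!/bin/sh
# Added example (not from the thread): classify an installed OpenSSH version
# against the affected ranges quoted above: < 4.4p1 (unless backported fixes
# for CVE-2006-5051 / CVE-2008-4109 are present) and 8.5p1 .. 9.7p1 inclusive.
# Distro packages keep the upstream version string even after a backported
# fix, so a version in range means "check the changelog", not "vulnerable".

# Reduce "8.7p1" to one integer so versions compare with plain -lt/-ge:
# major*1000000 + minor*1000 + portable-release ("p") number.
openssh_version_key() {
    ver=${1%%-*}                 # drop any rpm release suffix, e.g. "-38.el9"
    major=${ver%%.*}
    rest=${ver#*.}
    case "$rest" in
        *p*) minor=${rest%%p*}; patch=${rest#*p} ;;
        *)   minor=$rest;        patch=0 ;;       # bare "9.8" style: treat as p0
    esac
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# Extract "8.7p1" from an rpm NVRA such as "openssh-8.7p1-38.el9.x86_64";
# a bare version string such as "5.3p1" passes through unchanged.
openssh_version_from_rpm() {
    nvr=${1#openssh-}
    echo "${nvr%%-*}"
}

# Print one of: affected, affected-unless-patched-for-CVE-2006-5051, not-affected.
openssh_version_affected() {
    key=$(openssh_version_key "$1")
    if [ "$key" -lt "$(openssh_version_key 4.4p1)" ]; then
        echo "affected-unless-patched-for-CVE-2006-5051"
    elif [ "$key" -ge "$(openssh_version_key 8.5p1)" ] && \
         [ "$key" -le "$(openssh_version_key 9.7p1)" ]; then
        echo "affected"
    else
        echo "not-affected"
    fi
}

# Stand-alone run: query rpm when available, otherwise classify the package
# versions quoted in the thread (constructed sample input).
if installed=$(rpm -q openssh 2>/dev/null); then
    echo "$installed: $(openssh_version_affected "$(openssh_version_from_rpm "$installed")")"
else
    for pkg in 5.3p1 openssh-7.4p1-22.el7_9.x86_64 \
               openssh-8.0p1-24.el8.x86_64 openssh-8.7p1-38.el9.x86_64; do
        echo "$pkg: $(openssh_version_affected "$(openssh_version_from_rpm "$pkg")")"
    done
fi
```

    Run it as-is on an EL host and it reports the installed package; on any other machine it walks the sample list, which prints `not-affected` for the EL6/7/8 packages and `affected` for the EL9 one, matching the conclusion in the post above.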
  3. eva2000 (Administrator, Staff Member, joined May 24, 2014, Brisbane, Australia)

    Red Hat says only EL9 is vulnerable (CVE details), and the mitigation is:

    Mitigation for AlmaLinux/Rocky Linux 9 (EL9)
    So you can run these 3 commands:
    Code (Text):
    cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config-b4-logingracetime
    echo 'LoginGraceTime 0' >> /etc/ssh/sshd_config
    systemctl restart sshd.service
    
     
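
    An added example (mine, not from the thread or from Red Hat) that applies the same `LoginGraceTime 0` mitigation but guards against a gotcha of the plain `echo >>` approach: sshd uses the first value it reads for a keyword, so an uncommented `LoginGraceTime` line already present higher up in the file would silently win over the appended one. The function names and the constructed sample config are mine; the backup name, the live path `/etc/ssh/sshd_config` and `systemctl restart sshd.service` are taken from the post above. One caveat a practitioner should weigh: the Qualys FAQ linked earlier notes that `LoginGraceTime 0` trades the RCE for a denial-of-service exposure, since unauthenticated connections then stay open until `MaxStartups` is exhausted, so this is a stopgap until a patched package is installed.

```shell
#!/bin/sh
# Added example (not from the thread): apply the LoginGraceTime 0 mitigation
# to a given sshd_config idempotently. sshd honours the FIRST value it reads
# for a keyword, so "echo 'LoginGraceTime 0' >> sshd_config" is silently
# ignored when an uncommented LoginGraceTime line already exists earlier in
# the file. This comments out any existing directive, appends the new value,
# validates with "sshd -t" when sshd is present, and restarts only when asked.

# First active LoginGraceTime value in a config file (mimics sshd's first-wins
# rule); prints nothing when the keyword is absent or only commented out.
config_login_grace_time() {
    awk 'tolower($1) == "logingracetime" { print $2; exit }' "$1"
}

# Back up the file, neutralise existing directives, append the new value.
set_login_grace_time() {
    cfg=$1
    value=${2:-0}
    cp -p "$cfg" "$cfg-b4-logingracetime"
    awk 'tolower($1) == "logingracetime" { print "#" $0; next } { print }' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    printf 'LoginGraceTime %s\n' "$value" >> "$cfg"
}

# Syntax-check the file with sshd itself when it is installed; returns 0 when
# sshd is absent so dry runs on a workstation still work.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    fi
}

# Live application (run as root, on purpose, never at script load):
# edit the real config, refuse to restart if sshd rejects it, then show the
# value sshd actually uses (sshd -T prints keywords lower-cased).
apply_mitigation_live() {
    set_login_grace_time /etc/ssh/sshd_config 0
    validate_sshd_config /etc/ssh/sshd_config || {
        echo "sshd_config failed validation, not restarting" >&2
        return 1
    }
    systemctl restart sshd.service
    sshd -T | awk '$1 == "logingracetime" { print "effective LoginGraceTime:", $2 }'
}

# Stand-alone demo on a constructed copy, never the live file.
demo=$(mktemp)
printf '%s\n' '#LoginGraceTime 2m' 'LoginGraceTime 2m' 'PermitRootLogin no' > "$demo"
echo "before: $(config_login_grace_time "$demo")"   # 2m
set_login_grace_time "$demo" 0
echo "after:  $(config_login_grace_time "$demo")"   # 0
rm -f "$demo" "$demo-b4-logingracetime"
```

    Running `set_login_grace_time` twice leaves exactly one active `LoginGraceTime 0` line, so it is safe to re-run from configuration management; `apply_mitigation_live` is the only function that touches the real file or restarts the service.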
  4. buik (“The best traveler is one without a camera.”, joined Apr 29, 2016, Flanders)

    Please note: as CMM uses the EL-based, vendor-maintained OpenSSH packages and not the latest OpenSSH bits, there is no critical security leak, but an important one. An update is not necessary; a simple configuration adjustment is sufficient, as the source also confirms.

    The following is not personal, but generally directed to everyone. Don't be fooled by sources who believe it is a critical leak that requires a 0-day update, as even a (former) upstream EL distro claimed. Get the CVE source yourself and, based on various sources, create your own strategy.

    For example, to eliminate this CVE, one single line of configuration should be added: LoginGraceTime 0
    As can once again be reviewed in the source above.

    Have a nice day.
     
  6. eva2000 (Administrator, Staff Member, joined May 24, 2014, Brisbane, Australia)

    Looks like the AlmaLinux folks have updated their EL9 packages for this: AlmaLinux OS 9 - CVE-2024-6387: regreSSHion

     
  7. Jon Snow (Active Member, joined Jun 30, 2017)

    This is fine, correct?
    Code (Text):
    rpm -q openssh
    openssh-8.7p1-38.el9_4.1.alma.1.x86_64

    Notice the 4.1.alma.1

    I'm not sure what that bit is.
     
  8. eva2000 (Administrator, Staff Member, joined May 24, 2014, Brisbane, Australia)

    Yup, that's fine. You can check the changelog, which includes the fix for CVE-2024-6387
    Code (Text):
    rpm -q openssh --changelog |head -n7
    * Fri Jun 28 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-38.1
    - Possible remote code execution due to a race condition (CVE-2024-6387)
      Resolves: RHEL-45347
    
    * Fri Jan 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-38
    - Fix Terrapin attack
      Resolves: CVE-2023-48795
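
    As an added example (mine, not from the thread, Red Hat or AlmaLinux), this script mechanises the changelog check above. Because EL and AlmaLinux keep the upstream version `8.7p1` and only bump the release, the changelog entry, not the version number, is the evidence that a fix is included. It parses `rpm -q openssh --changelog` style text for the first entry that mentions a given CVE, and splits an installed NVRA so the release printed by `rpm -q` (`38.el9_4.1.alma.1`) can be related to the release in the changelog header (`38.1`). The sample changelog is the output quoted in this post; the function names and the dist-tag stripping in `release_core` are mine, and that stripping is a heuristic for EL/AlmaLinux naming rather than an rpm rule.

```shell
#!/bin/sh
# Added example (not from the thread): confirm a backported fix from the rpm
# changelog. EL/AlmaLinux keep the upstream version (8.7p1) and bump only the
# release, so "rpm -q openssh" alone cannot tell a fixed package from an
# unfixed one; the changelog entry that names the CVE can.

# Changelog entries start with "* <date> <packager> - <version-release>" and
# the lines that follow belong to that entry. Reads changelog text on stdin and
# prints the version-release of the first entry mentioning the CVE, or nothing.
changelog_fix_release() {
    awk -v cve="$1" '
        /^\* / { entry = $NF; next }
        index($0, cve) > 0 && entry != "" { print entry; exit }
    '
}

# Split an rpm NVRA into "version release" (arch dropped), e.g.
# openssh-8.7p1-38.el9_4.1.alma.1.x86_64 -> "8.7p1 38.el9_4.1.alma.1".
nvra_version_release() {
    rest=${1#openssh-}
    version=${rest%%-*}
    relarch=${rest#*-}
    echo "$version ${relarch%.*}"
}

# Changelog headers carry the release without the distro tag ("38.1"), while
# the installed package shows "38.el9_4.1.alma.1": ".el9_4" is the dist tag and
# ".alma.1" AlmaLinux's own rebuild suffix. Strip both so the two compare.
# Heuristic for EL/AlmaLinux naming, not a general rpm rule.
release_core() {
    echo "$1" | sed -e 's/\.el[0-9][0-9_]*//' -e 's/\.alma\.[0-9]*$//'
}

# Constructed sample: the changelog lines quoted in the post above.
sample_changelog=$(cat <<'EOF'
* Fri Jun 28 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-38.1
- Possible remote code execution due to a race condition (CVE-2024-6387)
  Resolves: RHEL-45347

* Fri Jan 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-38
- Fix Terrapin attack
  Resolves: CVE-2023-48795
EOF
)

# Stand-alone run: query the installed package when rpm is available,
# otherwise demonstrate on the sample changelog and the NVRA from the post.
if installed=$(rpm -q openssh 2>/dev/null); then
    fix=$(rpm -q openssh --changelog | changelog_fix_release CVE-2024-6387)
    echo "$installed: ${fix:+fix recorded in release $fix}${fix:-no CVE-2024-6387 entry in changelog}"
else
    fix=$(printf '%s\n' "$sample_changelog" | changelog_fix_release CVE-2024-6387)
    set -- $(nvra_version_release openssh-8.7p1-38.el9_4.1.alma.1.x86_64)
    echo "sample changelog: CVE-2024-6387 fix recorded in $fix"
    echo "installed $1-$2 -> core release $1-$(release_core "$2")"
fi
```

    On the package from this post the installed NVRA reduces to `8.7p1-38.1`, the same version-release the changelog header names for the CVE-2024-6387 entry, which is what the `4.1.alma.1` suffix asked about earlier resolves to once the dist tag and rebuild suffix are removed.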