A new security vulnerability has been discovered within select versions of the OpenSSH secure networking suite, potentially exposing systems to remote code execution (RCE) risks.
Tracked under CVE-2024-6409 with a CVSS score of 7.0, this OpenSSH vulnerability affects versions 8.7p1 and 8.8p1 of OpenSSH, specifically those shipped with Red Hat Enterprise Linux 9. Security researcher Alexander Peslyak, widely known as Solar Designer, discovered the vulnerability during a comprehensive review following the disclosure of CVE-2024-6387, also known as RegreSSHion.
This new OpenSSH vulnerability centers around a race condition in signal handling within the privsep child process of OpenSSH. Solar Designer detailed this finding in his communication to the security community: “OpenSSH versions 8.7 and 8.8 call cleanup_exit() from grace_alarm_handler() when operating in the privsep child process. cleanup_exit() was not originally intended to be invoked from a signal handler and may trigger other async-signal-unsafe functions.”
OpenSSH Vulnerability Targets Red Hat Enterprise Linux 9
Solar Designer highlighted that while the upstream versions of OpenSSH 8.7p1 did not initially trigger async-signal-unsafe functions, downstream patches in distributions like Red Hat’s openssh-7.6p1-audit.patch altered this behavior. Specifically, this patch, present in Red Hat Enterprise Linux 9, introduces modifications to cleanup_exit() that exacerbate the vulnerability.
In practical terms, this vulnerability manifests due to the signal handler’s race condition, potentially leading to remote code execution scenarios. Notably, the risk differs from CVE-2024-6387 in that the exploit occurs within the lower-privileged privsep child process, offering a reduced immediate impact compared to its predecessor.
Despite the lowered immediate impact, the exploitability and implications of CVE-2024-6409 remain significant, especially in environments where stringent security measures are not uniformly applied. Solar Designer, in his discussions with Qualys and the security community, pointed out the nuanced differences in mitigation strategies between CVE-2024-6409 and CVE-2024-6387:
“While both vulnerabilities can be mitigated with the ‘LoginGraceTime 0’ setting, the ‘-e’ mitigation is effective against CVE-2024-6387 but not entirely against CVE-2024-6409. This distinction underscores the need for specific and targeted security measures to address each vulnerability adequately.”
Qualys Confirms Solar Designer’s OpenSSH Vulnerability
Qualys, a prominent security advisory firm, corroborated Solar Designer’s findings and added insights into the technical aspects of the vulnerability. They noted: “The vulnerability in OpenSSH’s signal handling mechanism, particularly within the privsep child process, represents a critical exposure. The race condition introduces potential avenues for remote code execution, albeit within the constraints of the lower-privileged child process.”
Qualys also highlighted additional challenges posed by downstream patches, such as those seen in Red Hat’s distributions, which inadvertently exacerbated the vulnerability’s severity. Specifically, the modifications to cleanup_exit() in openssh-7.6p1-audit.patch were intended to enhance audit logging but inadvertently increased the vulnerability’s scope.
Solar Designer expressed regret for the delayed disclosure of CVE-2024-6409 relative to CVE-2024-6387, citing coordination challenges with Red Hat’s internal release schedules: “I apologize for the separate disclosure of CVE-2024-6409, which could have streamlined efforts within the security community. Red Hat had already integrated fixes for CVE-2024-6387 into their pipeline, delaying simultaneous mitigation efforts for CVE-2024-6409.”
The impact of CVE-2024-6409 extends beyond immediate security patches, as it necessitates a thorough analysis of downstream patches across various Linux distributions. Solar Designer emphasized the importance of comprehensive security audits across distributions to ensure uniform mitigation strategies:
“Effective mitigation strategies must account for downstream modifications like those in Red Hat’s openssh-7.6p1-audit.patch. These alterations, while intended to bolster security measures, inadvertently expanded the vulnerability’s attack surface.”
In response to these findings, Qualys noted potential collateral issues stemming from the audit patch’s implementation, specifically regarding erroneous logging of SSH host key fingerprints: “The audit patch in Red Hat’s OpenSSH package inadvertently led to multiple instances of logging SSH host key fingerprints, raising concerns about the integrity of audit logs in affected systems.”
Despite these challenges, the collaborative efforts between researchers like Solar Designer and firms like Qualys highlight ongoing efforts to strengthen OpenSSH’s security infrastructure. Moving forward, Solar Designer and Qualys encourage users and administrators to remain vigilant and apply patches promptly to mitigate the risks posed by CVE-2024-6409.