New OpenSSH Vulnerability

Technology Darlene REPORT
New OpenSSH Vulnerability
New OpenSSH Vulnerability

Sandro Sana : 1 July 2024 16:47

A recent critical vulnerability in OpenSSH, identified as CVE-2024-6387, could allow unauthenticated remote code execution with root privileges on glibc-based Linux systems. This flaw resides in the OpenSSH server component (sshd) and is due to a race condition in the signal handler. The vulnerability was reintroduced in October 2020 in OpenSSH version 8.5p1, partially addressing an 18-year-old issue (CVE-2006-5051).

Vulnerability Details

The vulnerability affects OpenSSH versions between 8.5p1 and 9.7p1. It allows attackers to execute arbitrary code with elevated privileges, resulting in a complete system compromise. This issue is particularly relevant as there are approximately 14 million potentially vulnerable OpenSSH server instances exposed on the Internet.

CVE-2024-6387 Insights

CVE-2024-6387 is a race condition vulnerability in OpenSSH signal handler, present in versions 8.5p1-9.7p1. A race condition occurs when the concurrent execution of processes or threads leads to unexpected results, in this case allowing attackers to execute arbitrary code with root privileges without authentication. The issue was introduced in 2020 and reopened an old flaw from 2006 (CVE-2006-5051).

Technical Analysis

Support Red Hot Cyber ​​through

The race condition exploits the way OpenSSH handles process signals, allowing attackers to manipulate code execution. OpenSSH developers have been working on patches to address this issue, releasing critical updates. System administrators should apply these updates immediately to protect their systems.

Known Exploit Methods

Attackers can exploit CVE-2024-6387 using specific payloads or exploits that manipulate race conditions in process signals. Such methods may include:

  1. Privilege Escalation Payload: An attacker could send manipulated signals to execute code with root privileges.
  2. Automated Scripts: Exploits can be included in automated scripts that execute malicious commands as soon as the race condition is triggered.
  3. Penetration Testing Tools: Tools like Metasploit could incorporate specific modules to exploit this vulnerability, making it easier for less experienced hackers to attack.

Security Implications

This vulnerability is of particular concern due to the widespread use of OpenSSH and the severity of the impact, which could lead to the complete compromise of affected systems. Servers exposed to the Internet are particularly at risk, and the security community is urged to closely monitor any exploits that may be in the wild.

Give it to Shodan

According to research conducted using the Shodan portal, there are currently 6,689 hosts on the Internet with exposed port 22 and the vulnerable version of OpenSSH_9.7p1. The distribution of these hosts is as follows:

  • United States: 1,625
  • Germania: 1.097
  • France: 441
  • Russia: 440
  • Netherlands: 311
  • Chinese: 241
  • United Kingdom: 235
  • Finland: 165
  • Hong Kong: 137
  • Japan: 136
  • Canada: 135
  • Sweden: 126
  • Singapore: 112
  • Australia: 107
  • Brazil: 100
  • Switzerland: 98
  • Hungary: 98
  • Poland: 95
  • Italia: 85
  • India: 75
  • Spain: 66
  • Romania: 65

Possible Consequences

The security implications for systems with the SSH port open and exposed to the world are significant:

  • System Compromise: Attackers can gain root access, allowing them to execute any command, install malware, or even delete data.
  • Botnets and DDoS Attacks: Compromised systems can be used to build botnets and launch distributed denial-of-service (DDoS) attacks.
  • Data Theft: Attackers can access and steal sensitive data, including credentials, financial information, and personal data.
  • Persistent Threat: Once compromised, a system can be used as a persistent entry point for further attacks, both within the network and to other networks.

Recommendations for Protection

  1. Software Updates: Make sure you upgrade to the latest version of OpenSSH available.
  2. Access Restrictions: Implement firewall rules to limit unauthorized access to your servers.
  3. Continuous monitoring: Use intrusion detection systems (IDS) to monitor for suspicious activity.
  4. Security Checks: Conduct regular security audits and penetration tests to identify and mitigate any vulnerabilities.

The discovery of this vulnerability highlights the critical importance of security in open source software and the need for constant vigilance and maintenance. Incidents like this demonstrate how old vulnerabilities can resurface, requiring continued attention from developers and system administrators.

Sandro Sana
I have been working in Information Technology since 1990, over the years I have worked with different types of companies from SMEs to Enterprises and PA. Since 2003 I have been interested in communication, NLP and Public Speaking. In 2014 I entered the world of Cybersecurity and specialized in scouting and R&D of Cybersecurity solutions. CEH – EC-Council Certified Ethical Hacker, CIH EC-Council Certified Incident Handler, CISSP – Certified Information Systems Security Professional, speaker at SMAU 2017 and SMAU 2018, SMAU Academy & ITS teacher, member of the Association of Professional Computer Scientists since 2017 and Coordinator for the Friuli-Venezia Giulia region for AIP-ITCS. CLUSIT member and journalist at RedHot Cyber, Cybersecurity360 & Digital360.
Visit the author’s website
 
For Latest Updates Follow us on Google News
 

PREV MEDIAWORLD causes the price of the ASUS GAMING NOTEBOOK with RTX 4060 to DROP
NEXT is this the beginning of human colonization?

Related posts

Microsoft “steals” data from the web for AI training?

WhatsApp: The New Feature to Spy on Your Partner for FREE Every Day

With Copilot you can now manage your Android smartphone directly from your PC

work for ice cream tasters, salary 1000 euros