Introduction
OpenSSH users, take note: a new vulnerability has surfaced, CVE-2024-6387, nicknamed "regreSSHion". It affects OpenSSH 8.5p1 up to, but not including, 9.8p1, and also builds older than 4.4p1 that were never patched for CVE-2006-5051 or CVE-2008-4109. Let's delve into the details of this vulnerability, its history, and the measures taken to address it.
The Vulnerability
Affected Versions: OpenSSH 8.5p1 up to but not including 9.8p1 (the regression), plus unpatched versions older than 4.4p1. Versions 4.4p1 through 8.4p1 are not affected.
A Brief History of Discovery
The vulnerability has an unusual history: the bug was present, then fixed, then quietly reintroduced:
OpenSSH < 4.4p1: susceptible to a signal handler race condition unless patched against CVE-2006-5051 or CVE-2008-4109.
4.4p1 ≤ OpenSSH < 8.5p1: safe, because the CVE-2006-5051 patch wrapped the unsafe logging call in sigdie() behind an #ifdef (DO_LOG_SAFE_IN_SIGHAND), so the signal handler no longer called it.
8.5p1 ≤ OpenSSH < 9.8p1: vulnerable again, because commit 752250c ("revised log infrastructure for OpenSSH", October 2020) accidentally removed that #ifdef from sigdie(). The regression shipped in OpenSSH 8.5p1.
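A quick triage helper for the version ranges listed above, added here as an example and not code from the page's author or from the OpenSSH project. It parses the banner printed by `ssh -V` and maps it to one of the four ranges. The function names and the range labels are this example's own. The important caveat is in the comments: distributions backport fixes without bumping the upstream version, so a "vulnerable-regression" verdict on a distro package means "check the advisory and the package changelog", not "confirmed exploitable".

```sh
#!/bin/sh
# Added example, not code from the page's author or from the OpenSSH project.
# Classifies an upstream OpenSSH version string against the ranges above:
#   < 4.4p1            -> vulnerable-pre-4.4 (unless patched for CVE-2006-5051/CVE-2008-4109)
#   4.4p1 .. 8.4p1     -> safe
#   8.5p1 .. 9.7p1     -> vulnerable-regression
#   >= 9.8p1           -> fixed
# Caveat: distributions backport fixes without bumping the version, so
# "vulnerable-regression" means "check the distro advisory / package changelog",
# not "confirmed exploitable".

# Turn "OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL ..." into an integer key
# major*10000 + minor*100 + patchlevel, e.g. 9.2p1 -> 90201, 8.5p1 -> 80501.
ssh_version_key() {
    printf '%s\n' "$1" | awk '{
        s = $1
        sub(/^OpenSSH_/, "", s)          # strip the prefix printed by ssh -V
        sub(/[^0-9.p].*$/, "", s)        # drop a trailing comma or other suffix
        n = split(s, v, /[.p]/)
        printf "%d\n", v[1] * 10000 + v[2] * 100 + (n >= 3 ? v[3] : 0)
    }'
}

# Prints exactly one label for the supplied banner or version string.
classify_openssh() {
    key=$(ssh_version_key "$1")
    if   [ "$key" -lt 40401 ]; then echo vulnerable-pre-4.4
    elif [ "$key" -lt 80501 ]; then echo safe
    elif [ "$key" -lt 90801 ]; then echo vulnerable-regression
    else echo fixed
    fi
}

# Live check of the local binary, when one is installed. A "vulnerable-regression"
# result on a distro build should be followed by a changelog check, e.g.
#   rpm -q --changelog openssh | grep -i CVE-2024-6387     (RHEL/Fedora)
#   apt changelog openssh-server | grep -i CVE-2024-6387   (Debian/Ubuntu)
if command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)
    printf '%s -> %s\n' "$banner" "$(classify_openssh "$banner")"
fi
```

If patching has to wait, the documented interim mitigation is `LoginGraceTime 0` in sshd_config, which removes the SIGALRM timeout the race depends on; the trade-off is that unauthenticated connections then hold their MaxStartups slot indefinitely, making connection-slot exhaustion (denial of service) easier.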
On glibc-based Linux systems the race is remotely exploitable, without authentication, for code execution as root. sshd's SIGALRM handler, which fires when a client has not authenticated within LoginGraceTime (120 seconds by default), calls syslog(), and syslog() in turn calls async-signal-unsafe functions such as malloc() and free(). If the alarm interrupts code that already holds the allocator's state, the handler re-enters it in an inconsistent state. OpenBSD is not affected because its handler calls syslog_r(), which is async-signal-safe.
Qualys' advisory states that exploitation is highly complex: under lab conditions it took around 10,000 attempts on average to win the race. With the default LoginGraceTime of 120 seconds and the default MaxStartups of 10:30:100 (10 unauthenticated connections before sshd starts dropping new ones), that is about 5 attempts per minute, so 10,000 attempts take roughly 1.4 days. Qualys' own lab figure of several hours is lower because its exploit drives the full MaxStartups ceiling of 100 concurrent connections. Real-world conditions, such as network latency and competing SSH scanner traffic, push the time up further.
Qualys' proof of concept targets 32-bit (i386) glibc builds, where glibc's load address is predictable enough that no general ASLR bypass is needed. On 64-bit systems exploitation is believed possible but would take far longer, because ASLR must be defeated as well. Widespread exploitation is therefore unlikely given the complexity and time required.
Note about ASLR:
Address Space Layout Randomization (ASLR) is a computer security technique used to protect systems from certain types of attacks, particularly buffer overflow and return-to-libc attacks. ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap, and libraries. This randomization makes it more difficult for an attacker to predict the memory addresses used by the system, thereby reducing the likelihood of successfully exploiting a vulnerability.
Regardless of the exploitation complexity, the impact (unauthenticated remote code execution as root) earns the vulnerability a CVSS 3.1 base score of 8.1 (High).
The Fix
On June 6, 2024, the signal handler race condition was fixed by commit 81c1099, which shipped in OpenSSH 9.8p1 on July 1, 2024. The commit introduced a new sshd(8) facility for penalising problematic client behaviour (the PerSourcePenalties option), and as part of that work it moved the async-signal-unsafe code out of sshd's SIGALRM handler into the listener process, where it runs synchronously. That removes not only this bug but the whole class of signal handler races in that code path.
The update therefore does three things at once:
New feature: it adds a mechanism for penalising unwanted or abusive connections.
Hardening: taking the logging out of the signal handler protects against similar, as yet unknown, race conditions.
Specific fix: the code that used to run inside the urgent SIGALRM handler now runs in ordinary process context in the listener, where it can safely call syslog() and friends.
Figure: the offending code with the fix in place. Source: openssh/openssh-portable commit 81c1099 ("upstream: Add a facility to sshd(8) to penalise particular ...") on GitHub.
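The two handler shapes discussed above, as an added example that is not OpenSSH code: a SIGALRM handler in the vulnerable shape (calling syslog() and exit() from signal context) next to the pattern the fix adopts, where the handler only writes a byte to a self-pipe and the listener's main loop does the logging synchronously. The names unsafe_grace_handler, safe_grace_handler, install_safe_handler and process_pending_timeouts are this example's own; the log text mimics sshd's "Timeout before authentication" message.

```c
/* Added example (not OpenSSH code): async-signal-unsafe vs. safe SIGALRM handling.
 * unsafe_grace_handler() has the shape of the bug; safe_grace_handler() plus
 * process_pending_timeouts() has the shape of the fix (self-pipe, work done later
 * in ordinary process context). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

static int self_pipe[2] = {-1, -1};

/* The vulnerable shape. Never installed in this example. syslog(), malloc(),
 * free() and exit() are not async-signal-safe: if SIGALRM lands while the
 * interrupted code is inside malloc()/free(), this re-enters the allocator. */
void unsafe_grace_handler(int sig) {
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication");  /* async-signal-unsafe */
    exit(255);                                           /* runs atexit() handlers: unsafe */
}

/* The safe shape: only write(2), which is async-signal-safe, and errno preserved. */
static void safe_grace_handler(int sig) {
    int saved = errno;
    unsigned char which = (unsigned char)sig;
    (void)!write(self_pipe[1], &which, 1);
    errno = saved;
}

/* Creates the non-blocking self-pipe and installs the safe handler. Returns 0 on success. */
int install_safe_handler(void) {
    if (pipe(self_pipe) != 0) return -1;
    for (int i = 0; i < 2; i++) {
        int fl = fcntl(self_pipe[i], F_GETFL);
        if (fl < 0 || fcntl(self_pipe[i], F_SETFL, fl | O_NONBLOCK) < 0) return -1;
    }
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_grace_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Called from the listener's main loop (after poll() reports self_pipe[0] readable):
 * drains the pending signal notes and does the logging here, synchronously, where
 * no lock can be half-held. Returns the number of timeouts processed. */
int process_pending_timeouts(void) {
    unsigned char buf[64];
    int handled = 0;
    ssize_t r;
    while ((r = read(self_pipe[0], buf, sizeof buf)) > 0) {
        for (ssize_t i = 0; i < r; i++) {
            if (buf[i] == SIGALRM) {
                /* Ordinary process context: syslog()/malloc()/exit() are fine here. */
                fprintf(stderr, "Timeout before authentication (handled synchronously)\n");
                handled++;
            }
        }
    }
    return handled;
}

int main(void) {
    if (install_safe_handler() != 0) return 1;
    raise(SIGALRM);   /* stand-in for the LoginGraceTime alarm firing twice */
    raise(SIGALRM);
    return process_pending_timeouts() == 2 ? 0 : 1;
}
```

This is the classic self-pipe trick; on Linux, signalfd(2) or a `volatile sig_atomic_t` flag checked from the main loop achieve the same separation. The property that matters is the one the fix restores: nothing that can take a lock or touch heap state runs inside the handler.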
Affected Systems
This is not a comprehensive list; refer to your distribution's security advisory for the authoritative status and the fixed package version.
Amazon Linux 2023: affected. Amazon Linux 1 and 2: not affected.
Debian Bookworm (without security updates): vulnerable.
Fedora: affected; see the Fedora advisory for your release.
Red Hat Enterprise Linux: patch released.
Final Thoughts
The CVE-2024-6387 vulnerability is a testament to the evolving nature of cybersecurity. It underscores the importance of vigilance, prompt updates, and clever patching strategies. Stay safe, keep your systems updated, and never underestimate the power of a well-placed #ifdef!
For a comprehensive review of your business’ security, reach out to Achilleus today.