Critical OpenSSH Vulnerability: CVE-2024-6387 (regreSSHion)

A severe vulnerability in OpenSSH, dubbed "regreSSHion" (CVE-2024-6387), has been discovered by the Qualys Threat Research Unit. This flaw allows for remote unauthenticated code execution on affected systems, posing a significant security risk to millions of servers worldwide

Scope and Impact

1. Versions prior to 4.4p1 are vulnerable if not patched against CVE-2006-5051 or CVE-2008-4109.

2. Versions 8.5p1 through 9.8p1 are vulnerable due to the removal of a crucial safety check.

3. Exploitable on the default configuration

4. Requires no user interaction

5. Allows arbitrary code execution with root privileges

Over 14 million potentially vulnerable OpenSSH instances are directly accessible from the internet, according to searches conducted using Shodan and Censys

Detailed Analysis

The regression was introduced in October 2020 by commit 752250c, which inadvertently removed an #ifdef DO_LOG_SAFE_IN_SIGHAND from the sigdie() function. This removal reintroduced the signal handler race condition, making sshd vulnerable once again. The issue arises from the use of async-signal-unsafe functions like syslog() within the SIGALRM handler.

The use of async-signal-unsafe functions like syslog() within a SIGALRM handler is generally not recommended and can lead to potential issues.

Async-signal-unsafe functions: These are functions that are not safe to call from within a signal handler because they may use or modify global data structures or perform operations that could be interrupted by signals.

SIGALRM handler: This is a signal handler for the SIGALRM signal, which is typically used for timer-based operations.

Problems with using syslog() in a SIGALRM handler: 

• syslog() is not async-signal-safe, meaning it may interact with global data structures.

• It could potentially deadlock or cause race conditions if interrupted by another signal.

• It may lead to undefined behavior in the program.

Exploitation Process

The exploit takes advantage of the following sequence: 

1. An attacker initiates multiple SSH connections to the target server.

2. During the grace period, the attacker sends specific signals to trigger the race condition. 

3. If successful, the attacker can execute arbitrary commands with root privileges.

The exploit involves three key problems:

1. Theoretical: Identifying a code path that, when interrupted, leaves sshd in an exploitable state.

2. Practical: Reaching this code path and maximizing the chances of interrupting it at the right time.

3. Timing: Increasing the likelihood of interruption at the correct moment.
   
   

Researchers tested the exploit on various OpenSSH versions:

• SSH-2.0-OpenSSH_3.4p1: Exploit involves interrupting a call to free() within the public-key parsing code, leading to a remote root shell after approximately 10,000 tries.

• SSH-2.0-OpenSSH_4.2p1: Exploit involves interrupting pam_start(), achieving remote root shell in about 1-2 days.

• SSH-2.0-OpenSSH_9.2p1: Exploit involves interrupting malloc(), achieving remote root shell in about 6-8 hours on average.

Link to the Full POC - regresshion.txt

Affected Systems

The vulnerability primarily affects Linux systems using glibc. Other Unix-like operating systems such as FreeBSD, OpenBSD, and macOS are not vulnerable to this specific exploit

CVE-2024-6387 represents a critical security threat to OpenSSH servers. Organizations should prioritize patching and mitigation efforts to protect their systems from potential exploitation. Regular security assessments and prompt application of security updates remain crucial in maintaining a robust cybersecurity posture.

By staying informed about such vulnerabilities and taking swift action, organizations can significantly reduce their exposure to cyber risks and protect their valuable assets and data.

I will be publishing a detailed POC in some time. Stay Tuned.