CVE-2024-6409: New Remote Code Execution Vulnerability in OpenSSH
A newly discovered vulnerability in OpenSSH, tracked as CVE-2024-6409, has been found to expose systems to potential remote code execution (RCE) due to a race condition in signal handling. This security flaw, with a CVSS score of 7.0, has the potential to allow remote code execution (RCE) due to a race condition in signal handling within the privileged separation (privsep) child process.
The vulnerability affects OpenSSH versions 8.7 and 8.8, including their corresponding portable releases. The root cause lies in the call to cleanup_exit() from grace_alarm_handler() when operating in the privsep child process. Normally, cleanup_exit() should not be invoked from a signal handler as it may trigger other functions that are unsafe to call asynchronously. Although upstream versions of OpenSSH ensure that cleanup_exit() does not invoke these unsafe functions, downstream patches, particularly in Red Hat’s OpenSSH package, introduce this risk.
Specifically, the issue arises in the openssh-7.6p1-audit.patch found in Red Hat Enterprise Linux (RHEL) 9 and its derivatives. This patch is based on OpenSSH 8.7p1. Similarly, Fedora versions 36 and 37, which include packages based on OpenSSH 8.7p1 and 8.8p1, are also vulnerable. However, Fedora 38 and later versions have moved to newer OpenSSH releases that do not contain the problematic cleanup_exit() call.
While the immediate impact is considered lower than the previously disclosed CVE-2024-6387 due to the vulnerability being triggered in a lower-privileged child process, the potential for exploitation remains a serious concern. Attackers could leverage this flaw to gain unauthorized access or compromise system integrity.
Although the exploitation of CVE-2024-6409 hasn’t been confirmed yet, the vulnerability shares similarities with CVE-2024-6387, making it a potential target for malicious actors. Notably, the “-e” mitigation that protected against CVE-2024-6387 is not fully effective against CVE-2024-6409.
Administrators running affected versions of OpenSSH, particularly on systems using RHEL 9 and older Fedora releases, should prioritize updating to the latest versions. It is critical to apply all recommended mitigations to reduce the risk of exploitation. Additionally, setting the “LoginGraceTime 0” configuration option can mitigate both CVE-2024-6409 and CVE-2024-6387 effectively.
