The Qualys Threat Research Unit (TRU) discovered an  unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems that grants full root access. It affects the default configuration and does not require user interaction.This vulnerability is a regression of the previously patched vulnerability CVE-2006-5051, reported in 2006. Qualys Threat Researchers says that it presents a high exploit risk with a CVSS score of 8.1

_____________________________

A. Nature of the Vulnerability

A signal handler race condition was found in OpenSSH’s server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd’s SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog().

_____________________________

B. Affected Versions

• OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
• Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.
• The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.

_____________________________

C. Actions to be Taken

CERT-PH recommends the following actions be taken:

• Kindly review and apply the necessary updates/workaround to mitigate future threats.
• For additional information, kindly refer to the official report.
  • https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
  • https://www.qualys.com/regresshion-cve-2024-6387/
  • https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387