July 10, 2024 at 12:15AM
Versions of OpenSSH are at risk due to the newly disclosed CVE-2024-6409 vulnerability, which impacts OpenSSH versions 8.7p1 and 8.8p1 as shipped with Red Hat Enterprise Linux 9. Discovered by Solar Designer during a review of the Qualys advisory for CVE-2024-6387, this flaw enables remote code execution in the privsep child process. An active exploit for CVE-2024-6387 has been detected in the wild, targeting servers in China.
From the meeting notes, the key takeaways are:
1. A new vulnerability, tracked as CVE-2024-6409, has been identified in select versions of the OpenSSH secure networking suite, specifically impacting versions 8.7p1 and 8.8p1 shipped with Red Hat Enterprise Linux 9. The vulnerability has a CVSS score of 7.0 and can trigger remote code execution (RCE).
2. The vulnerability was discovered by security researcher Alexander Peslyak (Solar Designer), and it is distinct from the previously identified CVE-2024-6387 (RegreSSHion). Peslyak highlighted that the immediate impact of CVE-2024-6409 is lower due to its occurrence in the privsep child process with reduced privileges compared to the parent server process.
3. A critical signal handler race condition underlies both CVE-2024-6387 and CVE-2024-6409, leaving OpenSSH daemon processes vulnerable to RCE in the context of the unprivileged user running the sshd server.
4. An active exploit for CVE-2024-6387 has been detected in the wild, with an unknown threat actor targeting servers primarily located in China. The initial vector of this attack originates from the IP address 108.174.58[.]28, which was reported to host a directory listing of exploit tools and scripts for automating the exploitation of vulnerable SSH servers.
It is important to note that the organization needs to take immediate action to address these vulnerabilities in its OpenSSH deployments to prevent potential exploitation.