## https://sploitus.com/exploit?id=6FD8F914-B663-533D-8866-23313FD37804
# CVE-2024-6387: Race Condition in Signal Handling for OpenSSH
## Overview
**CVE-2024-6387** is a critical vulnerability discovered in OpenSSH's server (`sshd`) that allows an attacker to potentially achieve unauthenticated remote code execution (RCE) as root. The vulnerability arises from a race condition in the signal handling process within `sshd`.
### Discovery and Research
This vulnerability was discovered by Qualys, who noted that successful exploitation has been demonstrated on 32-bit Linux/glibc systems with [address space layout randomization](https://en.wikipedia.org/wiki/Address_space_layout_randomization) (ASLR) enabled. Under controlled conditions, the attack required an average of 6-8 hours of continuous connections, up to the maximum allowed by the server. Exploitation on 64-bit systems is believed to be possible but has not yet been demonstrated. There is a possibility that future attack improvements will make it more feasible on these systems.
### Microsoft Windows Concerns
It is important to note that while Windows typically runs SSH, most desktop versions should not be exposed to the internet in a way that makes them vulnerable. However, server versions accepting incoming requests could be at risk. Microsoft manages SSH updates through regular Windows updates, which currently lag behind the latest OpenSSH versions. For example, Windows systems with all applied updates may be running version `OpenSSH_for_Windows_8.1p1`.
## Vulnerability Details
- **CVE ID:** CVE-2024-6387
- **CVSS v3.1 Score:** 8.1 (High)
- **Impact:** Possible Remote Code Execution Due to a Race Condition in Signal Handling
### Affected Platforms
1. **Vulnerable Versions:**
- OpenSSH versions earlier than `4.4p1` are vulnerable to this race condition unless patched for CVE-2006-5051 and CVE-2008-4109.
- OpenSSH versions `8.5p1` up to, but not including, `9.8p1` are vulnerable due to the accidental removal of a critical component in a function.
2. **Not Vulnerable:**
- OpenSSH versions from `4.4p1` up to, but not including, `8.5p1` are not vulnerable due to a transformative patch for CVE-2006-5051.
- OpenBSD is not vulnerable to this issue.
## Mitigations
To protect against CVE-2024-6387, organizations should implement the following mitigations:
1. **Patch Management:**
- Ensure all Linux systems running OpenSSH, especially those using glibc, are updated to a version that is not vulnerable to this race condition.
2. **Enhanced Access Control:**
- Limit SSH access through network-based controls to reduce the attack surface and minimize the risk of unauthorized exploitation attempts.
3. **Network Segmentation and Intrusion Detection:**
- Implement network segmentation to restrict unauthorized access and lateral movements within critical environments. Deploy intrusion detection systems (IDS) to monitor and alert on unusual activities indicative of exploitation attempts.
## Additional Resources
For organizations using OpenSSH on Windows, SSH management can be configured using Group Policy Objects (GPOs) as detailed in the [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh-group-policy).
---
**Critical Insight**
July 1, 2024