Cybersecurity experts have discovered a new vulnerability in OpenSSH packages included in Red Hat Enterprise Linux 9 (RHEL 9). This issue, designated CVE-2024-6409, differs from the previously identified “regreSSHion” and allows attackers to execute code on a remote server without authentication. The vulnerability also affects packages for Fedora Linux 36 and 37.
The vulnerability stems from a race condition in the SIGALRM signal handler, which calls functions that are not async-signal-safe. The handler fires when the timeout set by the LoginGraceTime parameter expires, interrupting whatever code sshd is executing at that moment. If the interrupted code is inside malloc() and the handler then calls a function such as syslog(), which itself allocates memory dynamically, malloc's internal structures can be corrupted.
CVE-2024-6409 arises from the call to cleanup_exit() in the grace_alarm_handler() signal handler. In upstream OpenSSH this call causes no problems, but a patch carried in the RHEL 9 and Fedora packages adds, inside cleanup_exit(), a call to a function that generates audit events, and that function is not designed to be used from a signal handler.
The patch that introduces the vulnerability was applied to the OpenSSH 8.7p1 packages in RHEL 9 and its derivative distributions. Current Fedora releases are not affected: starting with Fedora 38, a newer OpenSSH version is shipped in which cleanup_exit() is unchanged.
To mitigate the vulnerability, it is recommended to set LoginGraceTime to 0 in the sshd configuration (sshd_config). This neutralizes the vulnerability, whereas the standard protective measures, such as the "-e" option that disables syslog logging, are ineffective against it.
This incident illustrates that even well-intentioned software fixes can lead to unforeseen security consequences in other system components. It underscores the importance of thorough testing for any modifications, especially in critical OS components. Maintaining a balance between specific requirements and overall security remains a challenging but essential task in the realm of information technology.