A second remote code execution vulnerability was found recently in OpenSSH during an analysis of the flaw tracked as CVE-2024-6387 and named regreSSHion.
The regreSSHion bug, discovered by researchers at cybersecurity firm Qualys, was believed to potentially impact millions of OpenSSH servers when it was disclosed.
The second OpenSSH issue was discovered by Openwall founder Alexander Peslyak, aka Solar Designer.
Peslyak revealed last week on the Openwall mailing list that he discovered an issue related to CVE-2024-6387, which he described as a race condition in signal handling involving the ‘privsep’ child process.
Similar to regreSSHion, the new flaw, tracked as CVE-2024-6409, could allow remote code execution.
“The main difference from CVE-2024-6387 is that the race condition and RCE potential are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process. So immediate impact is lower,” Peslyak explained.
“However, there may be differences in exploitability of these vulnerabilities in a particular scenario, which could make either one of these a more attractive choice for an attacker, and if only one of these is fixed or mitigated then the other becomes more relevant,” Peslyak added. “It may also be possible to construct an exploit that would work against either vulnerability probabilistically, which could decrease attack duration or increase success rate. That said, actual exploitation of CVE-2024-6409 has not yet been attempted and thus has not been proven.”
Impacted Linux distributions have started releasing advisories and patches for CVE-2024-6409.
In the case of regreSSHion, some potential exploitation attempts have been seen in the wild, but experts believe mass attacks are unlikely. Qualys and others pointed out that exploitation of the flaw is not an easy task.
When regreSSHion was disclosed, Qualys noted that it had been unclear whether Windows and macOS systems are impacted.
Microsoft confirmed last week that Windows is not affected by the vulnerability.
“Although Windows contains an OpenSSH component, the vulnerable code cannot be exploited or controlled by an adversary,” Microsoft explained in its advisory.
Based on discussions on Apple forums, macOS is also believed not to be impacted by the vulnerability, at least in most cases. Apple has yet to issue an official statement on the matter.