POC details: baecd2f2db8ec00f85caf08be816b10d86d41983

Source
Related vulnerability
Title: OpenSSH security vulnerability (CVE-2024-6387)
Description: OpenSSH (OpenBSD Secure Shell) is a set of connectivity tools from the Canadian OpenBSD project for securely accessing remote computers. It is an open-source implementation of the SSH protocol; it encrypts all traffic, which effectively prevents eavesdropping, connection hijacking and other network-level attacks. OpenSSH contains a security vulnerability caused by a race condition in a signal handler; an attacker can exploit it to execute arbitrary code remotely without authentication and take control of the system.
Introduction
# CVE-2024-6387: Race Condition in Signal Handling for OpenSSH

## Overview

**CVE-2024-6387** (also known as "regreSSHion") is a critical vulnerability in the OpenSSH server (`sshd`) that can give an unauthenticated attacker remote code execution as root. The bug is a race condition in `sshd`'s signal handling: when a client fails to authenticate within `LoginGraceTime`, the SIGALRM handler calls logging functions such as `syslog()` that are not async-signal-safe. On glibc-based systems these may in turn call `malloc()`/`free()` from signal context, corrupting heap state that the interrupted code was in the middle of using.

### Discovery and Research
This vulnerability was discovered by Qualys, who demonstrated successful exploitation on 32-bit Linux/glibc systems with [address space layout randomization](https://en.wikipedia.org/wiki/Address_space_layout_randomization) (ASLR) enabled. Under laboratory conditions the attack needed roughly 6-8 hours on average of continuously opening connections to the server, as fast as its `LoginGraceTime` and `MaxStartups` limits allow, because the race must be won repeatedly against a randomized address space. Exploitation on 64-bit systems is believed to be possible but had not been demonstrated at the time of writing; improvements to the technique may make it practical there.

### Microsoft Windows Concerns
OpenSSH is available on Windows (the client is installed by default on current releases; the server is an optional feature), and most desktop installations are not exposed to the internet in a way that makes them reachable. Server installations that accept incoming SSH connections deserve attention. Microsoft ships its OpenSSH build through regular Windows updates, which lag behind the upstream releases: a fully updated Windows system may still report `OpenSSH_for_Windows_8.1p1`. Note that 8.1p1 falls inside the `4.4p1` to `8.5p1` range that the version list below classifies as not affected.

## Vulnerability Details

- **CVE ID:** CVE-2024-6387
- **CVSS v3.1 Score:** 8.1 (High)
- **Impact:** Possible Remote Code Execution Due to a Race Condition in Signal Handling

### Affected Platforms

1. **Vulnerable Versions:**
   - OpenSSH versions earlier than `4.4p1` are vulnerable to this race condition unless they were patched for CVE-2006-5051 and CVE-2008-4109.
   - OpenSSH versions `8.5p1` up to, but not including, `9.8p1` are vulnerable: the `#ifdef DO_LOG_SAFE_IN_SIGHAND` guard was accidentally removed from `sigdie()` in October 2020, so the SIGALRM handler once again reaches the non-async-signal-safe logging path. CVE-2024-6387 is therefore a regression of CVE-2006-5051.
   
2. **Not Vulnerable:**
   - OpenSSH versions from `4.4p1` up to, but not including, `8.5p1` are not vulnerable because the CVE-2006-5051 fix guarded the logging call made from the signal handler.
   - OpenBSD is not vulnerable: its SIGALRM handler calls `syslog_r()`, an async-signal-safer variant of `syslog()`.
   - Distribution packages frequently backport the fix without changing the upstream version string, so a banner such as `OpenSSH_9.6p1` does not by itself prove that a host is vulnerable; confirm with the package version and changelog.
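The version ranges above can be applied mechanically to an SSH server banner. The following is an added example written for this page (it is not the repository's `detection-script.py` and not Qualys' code); it parses the `SSH-2.0-OpenSSH_…` banner, handles the native OpenBSD (no `pN` suffix) and `OpenSSH_for_Windows_` forms, and flags distribution builds as only "possibly vulnerable" because of backported fixes. The `grab_banner` helper and the sample banners are constructed for illustration.

```python
"""Classify an OpenSSH server against the CVE-2024-6387 version ranges.

Added example for this page; not the repository's detection-script.py.
"""
import re
import socket
from typing import NamedTuple, Optional


class OpenSSHVersion(NamedTuple):
    major: int
    minor: int
    portable: Optional[int]   # the "pN" suffix of portable OpenSSH; None on native OpenBSD
    windows: bool = False     # True for Microsoft's "OpenSSH_for_Windows_" build
    comment: str = ""         # trailing vendor text, e.g. "Ubuntu-3ubuntu13"


# Real banner shapes: "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13", "SSH-2.0-OpenSSH_9.8"
# (native OpenBSD, no "p" suffix), "SSH-2.0-OpenSSH_for_Windows_8.1".
_BANNER_RE = re.compile(
    r"^SSH-2\.0-OpenSSH_(?P<win>for_Windows_)?(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:p(?P<p>\d+))?(?P<comment>.*)$"
)

# Boundaries from the version list above, as (major, minor, portable) tuples.
OLD_FIX_FROM = (4, 4, 1)   # CVE-2006-5051 fix: 4.4p1
VULN_FROM = (8, 5, 1)      # guard accidentally removed: 8.5p1
FIXED_FROM = (9, 8, 1)     # regression fixed: 9.8p1


def parse_banner(banner: str) -> Optional[OpenSSHVersion]:
    """Return the parsed version, or None if this is not an OpenSSH banner."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    p = m.group("p")
    return OpenSSHVersion(
        int(m.group("major")),
        int(m.group("minor")),
        int(p) if p is not None else None,
        bool(m.group("win")),
        m.group("comment").strip(),
    )


def classify(v: OpenSSHVersion) -> str:
    """Map a version onto the page's affected/not-affected ranges."""
    if v.portable is None and not v.windows:
        # No "pN" suffix means the native OpenBSD sshd, whose handler uses syslog_r().
        return "not vulnerable: native OpenBSD sshd"
    key = (v.major, v.minor, v.portable or 0)
    if key < OLD_FIX_FROM:
        return "vulnerable unless patched for CVE-2006-5051 / CVE-2008-4109"
    if key < VULN_FROM:
        return "not vulnerable"
    if key < FIXED_FROM:
        if v.comment:
            # A vendor tag means a distro build; the fix may have been backported.
            return "possibly vulnerable: distro build, check package changelog"
        return "vulnerable"
    return "patched"


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server identification line (RFC 4253 sends it before any key exchange)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(256)
    return data.decode("ascii", errors="replace").splitlines()[0]


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    samples = [
        "SSH-2.0-OpenSSH_9.7p1",
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-OpenSSH_8.4p1",
        "SSH-2.0-OpenSSH_9.8",
        "SSH-2.0-OpenSSH_for_Windows_8.1",
        "SSH-2.0-OpenSSH_4.3p2",
        "SSH-2.0-dropbear_2022.83",
    ]
    for banner in samples:
        v = parse_banner(banner)
        print(f"{banner:45} -> {classify(v) if v else 'not OpenSSH'}")
```

To scan a live host, replace the sample list with `classify(parse_banner(grab_banner("host")))`. Treat "possibly vulnerable" as a prompt to check the installed package (for example `dpkg -s openssh-server` or `rpm -q openssh-server`) rather than as a verdict.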

## Mitigations

To protect against CVE-2024-6387, organizations should implement the following mitigations:

1. **Patch Management:**
   - Ensure all Linux systems running OpenSSH, especially those using glibc, are updated to a version that is not vulnerable to this race condition: `9.8p1` or later, or a distribution package that backports the fix.
   - If patching must wait, setting `LoginGraceTime 0` in `sshd_config` disables the grace-period alarm and therefore the SIGALRM handler the exploit relies on. The cost is that unauthenticated clients can hold connection slots indefinitely and exhaust `MaxStartups`, a denial-of-service exposure, so treat it as a temporary workaround only.

2. **Enhanced Access Control:**
   - Limit SSH access through network-based controls (firewall allow-lists, VPN or bastion hosts) to reduce the attack surface. The exploit needs hours of sustained connection attempts, so rate limiting and `MaxStartups` tuning also raise the cost of an attempt.

3. **Network Segmentation and Intrusion Detection:**
   - Implement network segmentation to restrict unauthorized access and lateral movement within critical environments. Deploy intrusion detection systems (IDS) to alert on activity indicative of exploitation attempts; in particular, a sustained stream of connections from one source that never complete authentication, visible in `sshd` logs as repeated "Timeout before authentication" messages, is the signature of this attack.

## Additional Resources

For organizations using OpenSSH on Windows, SSH management can be configured using Group Policy Objects (GPOs) as detailed in the [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh-group-policy).

---

**Critical Insight**  
July 1, 2024
File snapshot

[4.0K] /data/pocs/baecd2f2db8ec00f85caf08be816b10d86d41983
├── [1.5K] detection-script.py
├── [1.0K] LICENSE
└── [3.2K] README.md
0 directories, 3 files
Cached for you by the Shenlong bot
Notes
    1. Prefer accessing the POC via the source link.
    2. If the source is unavailable or no longer accessible, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
    3. Shenlong has snapshotted the POC code; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.