In the process of studying the critical vulnerability in OpenSSH, researchers have discovered another similar vulnerability (CVE-2024-6409), which allows remote code execution without authentication. The new vulnerability is less dangerous than the previous one, because it is triggered after privileges have been dropped in the child process spawned by the SSH server. This vulnerability is present in the OpenSSH packages of Red Hat Enterprise Linux 9 and of Fedora Linux 36 and 37.
The essence of the vulnerability is similar to the previous problem: a race condition in the SIGALRM signal handler, caused by executing functions that are not designed to be called asynchronously from signal handlers. The handler fires when the time set by the LoginGraceTime parameter expires, interrupting whatever code is currently executing. Because the functions called asynchronously use dynamic memory, malloc's internal structures can be corrupted when SIGALRM arrives during the execution of certain code.
The new vulnerability differs in that the race condition arises from the call to the cleanup_exit() function in the grace_alarm_handler() signal handler. The OpenSSH packages for RHEL 9 and Fedora carry a patch to cleanup_exit() that adds a call to generate audit events; that call is what makes cleanup_exit() unsafe to invoke from the signal handler.
This patch was applied in RHEL 9 and its derivatives, which are based on OpenSSH 8.7p1. Current Fedora releases are not affected, as the distribution has moved to a newer OpenSSH version that does not patch cleanup_exit(). Unlike the previous vulnerability, the workaround of running sshd with the "-e" option, which disables logging through syslog, does not block the new vulnerability. However, setting "LoginGraceTime 0" in sshd_config can be effective at mitigating it.