Executive Summary
A security vulnerability has been disclosed in OpenSSH's server daemon (sshd), the service most Linux systems use for remote administration over SSH; it is tracked as CVE-2024-6387. Within Red Hat's product line the flaw affects Red Hat Enterprise Linux (RHEL) 9 and does not affect RHEL 8. An unauthenticated attacker who reaches the SSH port could crash sshd or, with considerable effort, execute code on the server; the code-execution outcome is slow and difficult to achieve in practice. Immediate action is advised: apply the vendor patch, or, until it can be applied, change one sshd setting to reduce the risk of exploitation.
For customers using ITC's MXDR-VI service, ITC has carried out checks to identify affected systems and will be in contact with you should any be found.
Scope of the Vulnerability
- Affected systems: Red Hat Enterprise Linux (RHEL) 9, whose openssh packages are based on OpenSSH 8.7p1 and therefore contain the affected code. Upstream, OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they carry the fixes for CVE-2006-5051 and CVE-2008-4109; versions 4.4p1 through 8.4p1 are not affected; versions 8.5p1 through 9.7p1 are affected again because the earlier fix was inadvertently removed, and 9.8p1 restores it.
- Unaffected systems: RHEL 8, whose openssh packages are based on OpenSSH 8.0p1, which falls in the unaffected range.
- Caveat: distribution packages receive security fixes as backports without changing the upstream version number, so compare the installed package version (rpm -q openssh-server) against Red Hat's advisory rather than relying on the upstream version alone.
Nature of the Compromise
- Type of vulnerability: The flaw is a signal handler race condition in OpenSSH's server (sshd), triggered when a client connects but does not complete authentication within the configured LoginGraceTime (120 seconds by default).
- Mechanism: When the grace period expires, sshd's SIGALRM handler runs asynchronously, interrupting whatever the process was doing, and calls functions such as syslog() that are not async-signal-safe. If the interrupt lands in the middle of heap operations, those calls operate on inconsistent heap state, which an attacker who times the connection carefully can turn into memory corruption.
- Potential impact: The worst case is remote code execution, as root, in the pre-authentication sshd process, with no credentials required. Because winning the race is so hard, the far more likely outcome of an exploitation attempt is a crashed sshd child process, i.e. a denial of service (DoS).
Risk Assessment
- Severity: Rated as Important by Red Hat.
- Exploitation complexity: High; the attacker must win a race against the grace-period timer, which in practice means many thousands of connection attempts over several hours. This also makes an attempt noisy: a burst of unauthenticated connections that never complete is visible in sshd logs.
- Impact likelihood: A crash of the sshd process is far more likely than remote code execution.
Precautionary Measures
- Patch: Apply Red Hat's updated openssh packages (for example, dnf update openssh openssh-server) and confirm that the running sshd has been restarted. This is the only complete fix.
- Interim mitigation (if patching must wait):
  - Edit configuration: Open /etc/ssh/sshd_config as the root user.
  - Set parameter: Add or modify the directive so it reads LoginGraceTime 0. Note that sshd keeps the first value it reads for a keyword, so an existing LoginGraceTime line earlier in the file, or in a file pulled in by an Include directive, must be changed rather than a new line appended after it.
  - Validate and restart: Check the configuration with sshd -t, then restart the service with systemctl restart sshd.service, and confirm the effective value with sshd -T | grep -i logingracetime.
Residual risks: Setting LoginGraceTime to 0 disables the timer, so the SIGALRM handler never fires and the race cannot occur, which protects against remote code execution. However, unauthenticated connections then never time out, so an attacker who holds open enough half-finished connections can exhaust the MaxStartups slots and prevent new logins (a denial of service by connection exhaustion). Revert the setting once the patched packages are installed.
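To show how the scope check and the mitigation above fit together on a host, here is an added example in POSIX shell. It is not Red Hat's or ITC's tooling: the function names, the drop-in file name and the sample configuration text are this example's own assumptions. It parses the ssh -V banner, decides whether an upstream version falls in an affected range (a triage hint only, since backported fixes do not change the version), reads the effective LoginGraceTime from a config file the way sshd does (first occurrence wins), and applies the mitigation as a drop-in that sorts ahead of Red Hat's own 50-redhat.conf.

```shell
# Added example, not from the original advisory. Assumes a RHEL 9 host whose
# /etc/ssh/sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf"
# (the stock layout); verify with `sshd -T` after applying.

# "OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022" -> "8.7p1"
parse_ssh_version_banner() {
  banner="${1#OpenSSH_}"
  printf '%s\n' "${banner%%[!0-9.p]*}"
}

# Return 0 (true) if the upstream version is in an affected range:
# earlier than 4.4p1, or 8.5p1 through 9.7p1 (9.8p1 restores the fix).
# Triage hint only: a vendor backport does not change this string.
ssh_version_in_vulnerable_range() {
  ver="$1"
  case "$ver" in *.*) ;; *) return 2 ;; esac
  major="${ver%%.*}"
  minor="${ver#*.}"
  minor="${minor%%[!0-9]*}"          # drop "p1" and anything after it
  case "$major$minor" in ''|*[!0-9]*) return 2 ;; esac
  n=$((major * 100 + minor))
  [ "$n" -lt 404 ] || { [ "$n" -ge 805 ] && [ "$n" -le 907 ]; }
}

# Effective LoginGraceTime from one config file. sshd keeps the FIRST value
# it reads for a keyword and ignores later ones; commented lines start with '#'.
# Include directives are not followed here; `sshd -T` is the authority.
effective_login_grace_time() {
  awk 'tolower($1) == "logingracetime" { print $2; found = 1; exit }
       END { if (!found) print 120 }' "$1"   # 120 seconds is sshd's default
}

# Constructed sample (not a real host): an admin appended "LoginGraceTime 0"
# at the end without noticing the earlier setting, so the mitigation is NOT in effect.
SAMPLE_SSHD_CONFIG='# constructed sample config
Port 22
LoginGraceTime 2m
PermitRootLogin no
# appended later as the "mitigation":
LoginGraceTime 0'

# Constructed sample with only the commented-out default.
SAMPLE_DEFAULT_CONFIG='#LoginGraceTime 2m
PermitRootLogin no'

# Write the mitigation as a drop-in. Because the Include sits at the top of
# sshd_config and "10-" sorts before "50-redhat.conf", this value is read first
# and wins. Requires root; rolls the file back if the config fails validation.
apply_login_grace_mitigation() {
  dropin="${1:-/etc/ssh/sshd_config.d/10-logingracetime-mitigation.conf}"
  printf 'LoginGraceTime 0\n' > "$dropin" || return 1
  if ! sshd -t; then
    echo "sshd -t failed; removing $dropin, mitigation NOT applied" >&2
    rm -f "$dropin"
    return 1
  fi
  systemctl restart sshd.service || return 1
  sshd -T 2>/dev/null | awk 'tolower($1) == "logingracetime" { print "effective LoginGraceTime:", $2 }'
}

# Interactive use (needs root for sshd -T): report version range and current setting.
triage_host() {
  ver="$(parse_ssh_version_banner "$(ssh -V 2>&1)")"
  if ssh_version_in_vulnerable_range "$ver"; then
    echo "OpenSSH $ver is in an affected upstream range; check rpm -q openssh-server against the vendor advisory"
  else
    echo "OpenSSH $ver is outside the affected upstream ranges"
  fi
  echo "effective LoginGraceTime: $(sshd -T 2>/dev/null | awk 'tolower($1) == "logingracetime" { print $2 }')"
}
```

Run triage_host first; if the host is affected and cannot be patched yet, run apply_login_grace_mitigation and confirm the printed effective value is 0. The SAMPLE_SSHD_CONFIG case is the trap to remember: appending LoginGraceTime 0 below an existing LoginGraceTime 2m leaves the effective value at 2m, which is exactly why the drop-in at the top of the Include order is preferable to editing the end of the file.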