My usual morning scroll through Twitter and my intel feeds was a little more interesting than normal today. An RCE in SSH named "regreSSHion" was plastered all over my timeline, but I've seen some debate on whether it's actually exploitable. Come along with me as I try to understand what's actually going on here.
NVD describes this vuln (CVE-2024-6387) as "A signal handler race condition... where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However this signal handler calls various functions that are not all async-signal-safe, for example syslog()." That's a wall of pretty technical language, so let's break it down into semi-plain English and see if that clarifies things.
1. What is a Signal Handler? According to Wikipedia: "In the C Standard Library, signal processing defines how a program handles various signals while it executes." Well that doesn't help much if we don't exactly know what a signal is. I'm familiar with the concept but not very deeply.
2. What is a Signal? Once again relying on Wikipedia: "Signals are standardized messages sent to a running program to trigger specific behavior, such as quitting or error handling. They are a limited form of inter-process communication (IPC)." Got it: messages used to communicate with a program or thread. So a signal handler is, quite obviously, the code that tells the application what to do when it receives a given signal.
3. What is a race condition? These have always been slightly tricky to me, and only recently did I fully grasp the concept. Basically, a race condition happens when two pieces of code touch the same memory in an order the program didn't plan for (for example, a signal handler interrupting a function halfway through its work), causing unexpected behavior.
4. What does the LoginGraceTime parameter do? Well according to a blog post I found "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist."
5. Putting it all together: OpenSSH has a bug where, if a client has not authenticated within 120 seconds (the default LoginGraceTime), the SIGALRM (alarm signal) handler runs and interrupts whatever sshd was doing at that moment. That handler calls functions that are not safe for async-signal usage, such as malloc(). If one of these unsafe functions is called while the interrupted code was in the middle of the same kind of work, the heap can be left corrupted, which could allow for RCE.
So can it be exploited in the wild? Yes and no. So far it appears that only 32-bit Linux hosts are proven exploitable, and even then each attempt takes 6-8 hours. Attacks against 64-bit systems are theoretical. I'll return to this vuln if those theories are proven true, but currently the attack surface is fairly low. I shouldn't have to tell you but: always patch your shit. As always, "You may stop this individual, but you can't stop us all... after all, we're all alike." Voodoo, over and out.
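As an added illustration (not code from this post or from OpenSSH itself), here is the handler pattern that avoids this whole class of bug: the SIGALRM handler does nothing but set a flag, and anything that is not async-signal-safe (logging, allocation) runs afterwards in ordinary context. The function names and the `authenticated` argument are hypothetical stand-ins for sshd's real state.

```c
/* Added example (not from the post or from OpenSSH): a SIGALRM handler that
 * only touches a volatile sig_atomic_t flag. Everything that is not
 * async-signal-safe happens in the main loop after the flag is checked.
 * Function names and the 'authenticated' argument are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static volatile sig_atomic_t grace_expired = 0;

/* Async-signal-safe: no malloc(), no syslog(), no printf() in here. */
static void grace_alarm_handler(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* Install the handler; returns 0 on success, -1 on failure. */
int install_grace_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_alarm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0; /* no SA_RESTART: blocking calls return when the alarm fires */
    return sigaction(SIGALRM, &sa, NULL);
}

/* Simulated per-connection loop: runs until authenticated or the grace
 * period expires. Returns 0 if authentication completed, 1 on timeout. */
int serve_until_timeout(int authenticated)
{
    while (!grace_expired) {
        if (authenticated)
            return 0;
        pause(); /* in sshd this is where the network I/O would block */
    }
    /* Ordinary context again: non-async-signal-safe calls are fine here. */
    fprintf(stderr, "Timeout before authentication, closing connection\n");
    return 1;
}

int main(void)
{
    if (install_grace_handler() != 0)
        return 1;
    alarm(1);                      /* stand-in for LoginGraceTime */
    return serve_until_timeout(0); /* returns 1 once the alarm fires */
}
```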