8.1 CVE-2024-6387

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
https://nvd.nist.gov/vuln/detail/CVE-2024-6387

Categories

CWE-362 : Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable. Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609). In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance. Use thread-safe capabilities such as the data access abstraction in Spring. When using multithreading and operating on shared variables, only use thread-safe functions. Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write. Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412. Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization. Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop. Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help. Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. Go application for cloud management creates a world-writable sudoers file that allows local attackers to inject sudo rules and escalate privileges to root by winning a race condition. Chain: improper locking (CWE-667) leads to race condition (CWE-362), as exploited in the wild per CISA KEV. Chain: mobile platform race condition (CWE-362) leading to use-after-free (CWE-416), as exploited in the wild per CISA KEV. Chain: race condition (CWE-362) leads to use-after-free (CWE-416), as exploited in the wild per CISA KEV. chain: JTAG interface is not disabled (CWE-1191) during ROM code execution, introducing a race condition (CWE-362) to extract encryption keys Chain: race condition (CWE-362) in anti-malware product allows deletion of files by creating a junction (CWE-1386) and using hard links during the time window in which a temporary file is created and deleted. TOCTOU in sandbox process allows installation of untrusted browser add-ons by replacing a file after it has been verified, but before it is executed Chain: chipset has a race condition (CWE-362) between when an interrupt handler detects an attempt to write-enable the BIOS (in violation of the lock bit), and when the handler resets the write-enable bit back to 0, allowing attackers to issue BIOS writes during the timing window [REF-1237]. Race condition leading to a crash by calling a hook removal procedure while other activities are occurring at the same time. chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks. chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks. Unsynchronized caching operation enables a race condition that causes messages to be sent to a deallocated object. Race condition during initialization triggers a buffer overflow. Daemon crash by quickly performing operations and undoing them, which eventually leads to an operation that does not acquire a lock. chain: race condition triggers NULL pointer dereference Race condition in library function could cause data to be sent to the wrong process. Race condition in file parser leads to heap corruption. chain: race condition allows attacker to access an object while it is still being initialized, causing software to access uninitialized memory. chain: race condition for an argument value, possibly resulting in NULL dereference chain: race condition might allow resource to be released before operating on it, leading to NULL dereference Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415).

CWE-364 : Signal Handler Race Condition
The product uses a signal handler that introduces a race condition. Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Design signal handlers to only set flags, rather than perform complex functionality. These flags can then be checked and acted upon within the main program loop. Only use reentrant functions within signal handlers. Also, use validation to ensure that state is consistent while performing asynchronous actions that affect the state of execution. Signal handler does not disable other signal handlers, allowing it to be interrupted, causing other functionality to access files/etc. with raised privileges Attacker can send a signal while another signal handler is already running, leading to crash or execution with root privileges unsafe calls to library functions from signal handler SIGURG can be used to remotely interrupt signal handler; other variants exist SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free.

References

CPE

REMEDIATION

EXPLOITS

Exploit-db.com

POC Github

Other Nist (github, ...)

CAPEC

Common Attack Pattern Enumerations and Classifications

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee