CVE-2024-6409
Published: 08 July 2024
Summary
CVE-2024-6409 is a high-severity Signal Handler Race Condition (CWE-364) vulnerability in AlmaLinux (inferred from references). Its CVSS base score is 7.0 (High).
Operationally, it is ranked in the top 1.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A race condition vulnerability exists in OpenSSH's server component sshd, tracked as CVE-2024-6409. When a client fails to authenticate within a configured time window, the SIGALRM handler executes asynchronously and invokes functions such as syslog() that are not async-signal-safe, creating conditions that can corrupt process state.
An unauthenticated remote attacker can trigger the flaw by simply withholding authentication long enough to fire the alarm. In the worst case this leads to remote code execution with the privileges of the unprivileged user under which sshd runs, although successful exploitation requires winning a narrow timing window, which is reflected in the CVSS attack-complexity rating of high.
Multiple Red Hat advisories (RHSA-2024:4457, RHSA-2024:4613, RHSA-2024:4716, RHSA-2024:4910, RHSA-2024:4955) address the issue through updated OpenSSH packages; administrators should apply the relevant errata for their distributions to eliminate the unsafe signal handling.
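The unsafe handler pattern described above next to an async-signal-safe alternative, as an added example: this is not OpenSSH's code or its patch, and the function names, the log text and the millisecond grace timer are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <string.h>
#include <sys/time.h>
#include <syslog.h>
#include <unistd.h>

/* sig_atomic_t is the type a handler may portably write for later reading. */
static volatile sig_atomic_t grace_expired;

/* UNSAFE (shown for contrast, never installed): syslog() can allocate and take
 * locks, so a signal that interrupted malloc()/free() leaves state corrupt. */
void unsafe_alarm_handler(int sig) {
    (void)sig;
    syslog(LOG_INFO, "grace period expired");
    _exit(1);
}

/* SAFE: the handler only records that the alarm fired. */
static void safe_alarm_handler(int sig) {
    (void)sig;
    grace_expired = 1;
}

/* Hypothetical pre-auth wait: arm a grace timer of grace_ms milliseconds and
 * log from normal context. Returns 1 on expiry, 0 if no timer, -1 on error. */
int wait_for_auth_with_grace(int grace_ms) {
    struct itimerval it = {{0, 0}, {grace_ms / 1000, (grace_ms % 1000) * 1000}};
    struct sigaction sa;
    sigset_t block, old, wait_mask;
    if (grace_ms <= 0) return 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_alarm_handler;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGALRM, &sa, NULL) != 0) return -1;
    /* Block SIGALRM so it is delivered only inside sigsuspend(). */
    sigemptyset(&block);
    sigaddset(&block, SIGALRM);
    sigprocmask(SIG_BLOCK, &block, &old);
    wait_mask = old;
    sigdelset(&wait_mask, SIGALRM);
    grace_expired = 0;
    setitimer(ITIMER_REAL, &it, NULL);
    while (!grace_expired) sigsuspend(&wait_mask); /* atomically unblock, sleep */
    sigprocmask(SIG_SETMASK, &old, NULL);
    syslog(LOG_INFO, "grace period expired"); /* safe here: not in a handler */
    return 1;
}

int main(void) { return wait_for_auth_with_grace(50) == 1 ? 0 : 1; }
```
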
The EPSS score currently sits at 0.7640 with a recorded peak of 0.7673, indicating sustained but not sharply increasing public interest in exploitation since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47983
Vulnerability details
A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.