Qualys published a blog post with details regarding a critical remote code execution vulnerability in OpenSSH.
Two CVEs are associated with this vulnerability, CVE-2006-5051 and CVE-2024-6387. The old 2006 number is reused because this is a regression of the 2006 bug.
Sadly, this happens somewhat regularly when developers do not add tests to ensure the vulnerability stays fixed in future versions.
Missing comments are another reason for these regressions, since a developer may remove a test they consider unnecessary.
The vulnerability allows arbitrary remote code execution without authentication.
OpenSSH versions up to 4.4p1 are vulnerable to CVE-2006-5051, and OpenSSH versions from 8.5p1 to 9.8p1 are vulnerable to CVE-2024-6387.
Remember that many Linux distributions do not increase version numbers when they backport a patch, so the version string alone does not tell you whether a system is patched.
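The version ranges above are easy to get wrong by eye, and the backport caveat means a match is a prompt to check the distribution's advisory rather than a verdict. The following POSIX shell script is an added example (not from the ISC diary, OpenSSH or Qualys) that classifies a version string such as the output of `ssh -V` against the two ranges. It assumes the upper bounds are exclusive, because 4.4p1 is the release that fixed CVE-2006-5051 and 9.8p1 the release that fixed CVE-2024-6387; the file name and all sample banners are constructed.

```shell
#!/bin/sh
# Added example, not from the ISC diary or from OpenSSH/Qualys: classify an
# OpenSSH version string against the two version ranges the diary lists.
# Assumption: upper bounds are exclusive (4.4p1 fixed CVE-2006-5051, 9.8p1
# fixed CVE-2024-6387). A distribution that backported the fix keeps the old
# version string, so "in vulnerable range" means "check the distro advisory".

# Turn "OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.11 ..." (what `ssh -V`
# prints) or a bare "9.2p1" into one sortable integer:
#   major*1000000 + minor*10000 + portable patch level (pN; 0 if absent)
# Exit status 2 if no version can be found in the string.
openssh_version_key() {
    v=${1#*OpenSSH_}          # drop everything up to and including "OpenSSH_"
    v=${v%%[!0-9.p]*}         # cut at the first char that cannot be part of a version
    case $v in
        [0-9]*.[0-9]*) ;;     # looks like major.minor[pN]
        *) return 2 ;;        # nothing usable found
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%[!0-9]*}    # digits up to the 'p' (or end of string)
    patch=${rest#"$minor"}    # whatever follows the minor number, e.g. "p1"
    patch=${patch#p}
    case $patch in ''|*[!0-9]*) patch=0 ;; esac   # missing or odd suffix: p0
    echo $((major * 1000000 + minor * 10000 + patch))
}

# Exit status 0 if the string falls inside a range the diary lists as
# vulnerable, 1 if it is outside both ranges, 2 if it could not be parsed.
openssh_in_vulnerable_range() {
    key=$(openssh_version_key "$1") || return 2
    fix_2006=$(openssh_version_key 4.4p1)     # CVE-2006-5051 fixed from here on
    start_2024=$(openssh_version_key 8.5p1)   # regression introduced here
    fix_2024=$(openssh_version_key 9.8p1)     # CVE-2024-6387 fixed from here on
    [ "$key" -lt "$fix_2006" ] && return 0
    [ "$key" -ge "$start_2024" ] && [ "$key" -lt "$fix_2024" ] && return 0
    return 1
}

# Human-readable verdict for one banner; passes the exit status through.
report_openssh_version() {
    openssh_in_vulnerable_range "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "IN VULNERABLE RANGE: $1"
           echo "  confirm against your distribution's advisory: a backported fix keeps this version string" ;;
        1) echo "outside the listed ranges: $1" ;;
        *) echo "no OpenSSH version found in: $1" >&2 ;;
    esac
    return "$rc"
}

# Run as a script:  sh check_openssh.sh "$(ssh -V 2>&1)"   (ssh -V prints to stderr)
# Nothing runs when the file is loaded without an argument.
if [ $# -gt 0 ]; then
    report_openssh_version "$1"
fi
```

The script deliberately reports a hit for distribution builds such as a banner reading 8.9p1 even when the vendor has backported the fix; that is the situation the diary warns about, and the advisory check is the only way to resolve it.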
Exploitation depends on a timing issue (a race condition), so it is not easily reproducible and takes about 10,000 attempts on x86.
The speed of exploitation is limited by the sshd MaxStartups and LoginGraceTime settings.
Exploitation on AMD64 does not appear to be practical at this time, and most Linux systems currently run on 64-bit architectures.
This could be a big deal for legacy and IoT systems in particular, where no more patches may be available.
Limiting the rate of new connections with a network firewall may make exploitation less likely in these cases.
If no patch is available, port knocking, moving the server to a non-standard port, or allowlisting specific IP addresses may be options.
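As an added example (not from the diary, OpenSSH or Qualys) of the two mitigation layers above for a host that cannot be patched: an sshd_config drop-in that tightens MaxStartups and LoginGraceTime, and an nftables ruleset that rate-limits new SSH connections per source while allowlisting a trusted range. The file paths, the 192.0.2.0/24 range (RFC 5737 documentation space) and the specific numbers are assumptions to adapt to your environment; port 22 is the default.

```conf
# --- /etc/ssh/sshd_config.d/10-ssh-race-mitigation.conf (assumed path; needs the
#     "Include /etc/ssh/sshd_config.d/*.conf" line that OpenSSH ships since 8.2)
# The defaults are the weak settings from the attacker's point of view:
#   MaxStartups 10:30:100
#   LoginGraceTime 120
# Fewer unauthenticated connections in flight, each given less time.
# MaxStartups start:rate:full = begin random early drop at 3 pending
# connections with 50% probability, refuse everything at 10.
MaxStartups 3:50:10
# Seconds before an unauthenticated connection is closed (default 120).
LoginGraceTime 30
# "LoginGraceTime 0" removes the timer the exploit depends on, but then an
# attacker can hold every MaxStartups slot indefinitely (denial of service),
# so prefer the firewall limit below when the host cannot be patched.
# A non-default port only reduces opportunistic scanning; it is not a fix.
# Port 2222

# --- /etc/nftables.d/ssh-guard.nft (assumed path); load with: nft -f <file>
table inet ssh_guard {
    set ssh_allow {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }     # constructed allowlist (RFC 5737 range)
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # trusted sources skip the limit entirely
        tcp dport 22 ip saddr @ssh_allow accept
        # at most 4 new SSH connections per minute (burst 8) from any one IPv4 source;
        # the meter keeps one token bucket per source address
        tcp dport 22 ct state new meter ssh_new { ip saddr limit rate 4/minute burst 8 packets } accept
        # everything over the limit is counted and dropped
        tcp dport 22 ct state new counter drop
        # IPv6 sources need a matching "ip6 saddr" meter; omitted here for brevity
    }
}
```

Validate before reloading: `sshd -t` checks the sshd configuration, and `nft -c -f <file>` checks the ruleset without installing it. To turn the allowlist into the only way in (the "allowlisting specific IPs" option above), replace the meter rule with an unconditional `tcp dport 22 ct state new drop` after the allowlist accept.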
This Cyber News was published on isc.sans.edu. Publication date: Mon, 01 Jul 2024 17:13:05 +0000