CVE-2024-6409
published 2024-07-08


Priority: P1 (81), high
CVSS 3.1: 7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H)
In the wild: listed in VulnCheck KEV, exploited in the wild
EPSS: 27.93% (97.9th percentile)
A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.

Affected (2 ranges)

Vendor      Product   Version range   Fixed in
debian      openssh   (not listed)    (not listed)
paloalto    pan-os    (not listed)    (not listed)

Detection & IOCs (extracted from sources)

  • Detect multiple SSH connection attempts indicative of race condition exploitation (thousands of connections are needed to trigger the SIGALRM race condition)
  • Detect SSH server traffic patterns associated with CVE-2024-6409/CVE-2024-6387 exploitation attempts
  • Monitor for fake/malicious PoC archives circulating on social media that modify system files and retrieve payloads from remote servers; researchers testing CVE-2024-6387 PoCs may have security features disabled
  • The CVE-2024-6409 race condition triggers in cleanup_exit(), called from grace_alarm_handler() in the privsep child process; monitor for abnormal sshd child process termination patterns
  • Exploitation requires repeated LoginGraceTime expiry cycles; monitor for high volumes of SSH connections that each time out without authenticating within the grace period
  • Setting LoginGraceTime to 0 mitigates both CVE-2024-6387 and CVE-2024-6409 but may introduce denial-of-service risks
  • Affected OpenSSH versions are up to 4.4p1 and 8.5p1 through 9.7p1 on Linux/glibc systems; exploitation on 64-bit systems is significantly harder due to ASLR entropy
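The detection idea in the last bullets, many connections from one source that each hit LoginGraceTime without authenticating, can be checked directly against sshd's syslog output. The following is an added example, not part of this record or of OpenSSH; the log lines are constructed, and the "Timeout before authentication for <ip> port <port>" message format is assumed to match what grace_alarm_handler() logs on your sshd version.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog excerpt (not real traffic). One source repeatedly
# lets the grace timer expire; the others are ordinary logins or stray timeouts.
SAMPLE_LOG = """\
Jul  8 10:00:00 bastion sshd[4101]: Accepted publickey for ops from 198.51.100.7 port 40110 ssh2
Jul  8 10:00:01 bastion sshd[4102]: fatal: Timeout before authentication for 203.0.113.5 port 51000
Jul  8 10:00:03 bastion sshd[4103]: fatal: Timeout before authentication for 203.0.113.5 port 51001
Jul  8 10:00:06 bastion sshd[4104]: fatal: Timeout before authentication for 203.0.113.5 port 51002
Jul  8 10:00:09 bastion sshd[4105]: fatal: Timeout before authentication for 203.0.113.5 port 51003
Jul  8 10:00:12 bastion sshd[4106]: fatal: Timeout before authentication for 203.0.113.5 port 51004
Jul  8 10:00:15 bastion sshd[4107]: fatal: Timeout before authentication for 203.0.113.5 port 51005
Jul  8 10:00:20 bastion sshd[4108]: fatal: Timeout before authentication for 192.0.2.9 port 60200
Jul  8 10:02:30 bastion sshd[4109]: fatal: Timeout before authentication for 192.0.2.9 port 60201
"""

# Message format assumed from OpenSSH's grace_alarm_handler(); the "fatal: "
# prefix is optional because older releases log it without that prefix.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:fatal: )?Timeout before authentication for (?P<ip>\S+) port \d+"
)


def parse_timeouts(log_text, year=2024):
    """Yield (timestamp, source_ip) for every LoginGraceTime expiry in the log.
    Syslog lines carry no year, so the caller supplies it (assumption)."""
    for line in log_text.splitlines():
        m = TIMEOUT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_grace_timeout_bursts(log_text, threshold=5, window_s=60):
    """Return {ip: peak_count} for sources whose grace-timeout events reach
    `threshold` inside any sliding window of `window_s` seconds. A single
    timeout is normal; a sustained stream from one source is the repeated
    expiry cycle the race exploitation depends on."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    peaks = {}
    for ts, ip in parse_timeouts(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # evict old events
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks
```

Running `find_grace_timeout_bursts(SAMPLE_LOG)` flags only 203.0.113.5 (six expiries in fourteen seconds); 192.0.2.9's two timeouts fall outside a shared window and stay below the threshold.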

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.0     HIGH       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
vulncheck                 7.0     HIGH
vendor_redhat             8.1     HIGH
vendor_debian             7.0     LOW