Linux

High-Severity SMB Server Flaws (CVE-2024-56626 & CVE-2024-56627) in Linux Kernel

High-Severity SMB Server Flaws (CVE-2024-56626 & CVE-2024-56627) in Linux Kernel

Jordy Zomer, a Security researcher have recently discovered two critical vulnerabilities in KSMBD, the in-kernel SMB server for Linux. These vulnerabilities, CVE-2024-56626 and CVE-2024-56627, could allow attackers to gain control of vulnerable systems.

SUMMARY

OEM	Linux
Severity	High
CVSS	7.8
CVEs	CVE-2024-56626, CVE-2024-56627
Exploited in Wild	No
Publicly POC Available	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

These vulnerabilities affect Linux kernel versions greater than 5.15 and have been addressed in version 6.13-rc2. Proof-of-concept (PoC) exploits have been publicly released, emphasizing the critical nature of these issues.

Vulnerability Name	CVE ID	Product Affected	Severity	Affected Version
Out-of-bounds write vulnerability in ksmbd.	CVE-2024-56626	Linux	High	Linux kernel versions greater than 5.15
Out-of-bounds read vulnerability in ksmbd.	CVE-2024-56627	Linux	High	Linux kernel versions greater than 5.15

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-56626	Linux Kernel	A vulnerability in ksmbd’s ksmbd_vfs_stream_write allowed negative offsets from clients, causing out-of-bounds writes and potential memory corruption. It was triggered when using vfs objects = streams_xattr in ksmbd.conf. The issue has been fixed in recent kernel updates.	Attackers can execute arbitrary code with kernel privileges
CVE-2024-56627	Linux Kernel	A vulnerability in ksmbd’s ksmbd_vfs_stream_write allowed negative client offsets, enabling out-of-bounds writes and potential memory corruption. This issue occurred when the vfs objects = streams_xattr parameter was set in ksmbd.conf and has been resolved in recent kernel updates.	Attackers can read sensitive kernel memory, leading to information disclosure

Remediation:

Update: Ensure that the appropriate patches or updates are applied to the relevant versions

listed below

Version	Fixes and Releases
kernel version > 5.15	kernel version 6.13-rc2

Conclusion:

The discovery of CVE-2024-56626 and CVE-2024-56627 highlights critical security flaws in the Linux kernel’s SMB server implementation. Given the availability of proof-of-concept exploits, immediate action is essential to protect systems from potential exploitation. Regularly updating systems and applying security patches are vital practices to maintain a secure environment.

References:

https://github.com/google/security-research/security/advisories/GHSA-qmm2-xfcw-4r29

https://github.com/google/security-research/security/advisories/GHSA-gqrv-6fcf-hvv8

https://securityonline.info/cve-2024-56626-cve-2024-56627-critical-linux-kernel-smb-server-bugs-uncovered-poc-published/

Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released

Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released

OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. OpenSSH server process ‘sshd’ is affected by a signal handler race condition allowing unauthenticated remote code execution with root privileges on glibc-based Linux systems.

Summary

Application	OpenSSH
Severity	High
CVSS	8.1
CVEs	CVE-2024-6387
Exploited in Wild	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

CVE-2024-6387, a high-severity vulnerability in OpenSSH’s server (sshd), has been identified and is currently being exploited in the wild. Known as “regreSSHion,” this flaw involves a sophisticated race condition during the authentication phase, allowing unauthenticated remote attackers to execute arbitrary code with root privileges.

A proof-of-concept (PoC) exploit for this critical vulnerability has been released, further raising concerns.

The vulnerability affects millions of OpenSSH servers globally, with older versions particularly at risk. Rated with a CVSS score of 8.1, the flaw poses a significant security threat. Over 14 million OpenSSH server instances exposed to the Internet have been identified as potentially vulnerable, with around 700,000 instances facing external internet threats.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Race Condition vulnerability	CVE-2024-6387	OpenSSH (8.5p1–9.8p1)	High	OpenSSH 9.8p2 or later

Technical Summary

CVE-2024-6387, also known as “regreSSHion,” is a critical vulnerability in OpenSSH’s server (sshd) caused by a signal handler race condition. This issue arises when the SIGALRM handler, triggered during a failed login attempt exceeding LoginGraceTime, invokes non-async-signal-safe functions like syslog(). The Vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privileges, primarily affecting glibc-based Linux systems.

Exploitation is technically complex but feasible and has been demonstrated in controlled environments on 32-bit systems. OpenBSD systems are unaffected due to their different signal-handling mechanisms.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-6387	OpenSSH v8.5p1 through 9.8p1 on glibc-based Linux systems	Signal handler race condition in sshd’s SIGALRM, triggered during login timeout (LoginGraceTime).	Remote Code Execution (Root Privileges)

Impact:

This Vulnerability if exploited could lead to complete system takeover.

Remediation:

Immediate Patch: Upgrade OpenSSH to version 9.8p2 or later, which resolves the issue.

Access Restrictions: Implement firewall rules or TCP wrappers to limit SSH access to trusted IP ranges.

Monitor Activity: Use intrusion detection systems (IDS) to analyze logs for unusual activity, failed login attempts, or exploitation patterns.

Indicators of Compromise (IOCs):

IP Address / Hostname	File Hash
209.141.53[.]247	0df799f05c6d97e2b7d4b26c8e7246f7
108.174.58[.]28	11cc5f00b466d4f9be4e0a46f2eb51ae
195.85.205[.]47	1f452448cea986aedc88ba50d48691f7
62.72.191[.]203	207eb58423234306edaecb3ec89935d8
botbot.ddosvps.cc

Below are some IOCs associated with the threat. For a complete list of IOCs, refer to the AlienVault Pulse for CVE-2024-6387

Conclusion:

The public release of a PoC exploit for CVE-2024-6387 marks a critical moment for organizations relying on OpenSSH. While exploitation requires significant effort, the potential impact of a successful attack—complete system compromise and privilege escalation—is severe.

Swift patching and the adoption of layered security measures are imperative to mitigate the risks.

Organizations must act promptly to safeguard their systems and monitor for signs of active exploitation. By staying informed and proactive, businesses can minimize the potential fallout from this serious vulnerability.

References:

https://cybersecuritynews.com/regresshion-code-execution-vulnerability/

https://exploitfinder.com/dbexploit/exploit.html?id=CVE-2024-6387&type=GitAI&returnTab=github-ai

https://nvd.nist.gov/vuln/detail/cve-2024-6387
https://www.yorku.ca/uit/2025/01/openssh-remote-code-execution-regresshion-cve-2024-6387/

LogoFAIL Exploited to Deploy Bootkitty, the first UEFI bootkit for Linux

Researchers have uncovered the first UEFI bootkit designed specifically for Linux systems, named Bootkitty.

High-Severity SMB Server Flaws (CVE-2024-56626 & CVE-2024-56627) in Linux Kernel

Technical Summary

Remediation:

Conclusion:

References:

Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released

LogoFAIL Exploited to Deploy Bootkitty, the first UEFI bootkit for Linux

Recent Posts

Recent Comments

Search

Recent Comments

Recent Posts

Archives