
Another regreSSHion-like bug identified in OpenSSH


Further analysis of the OpenSSH regreSSHion vulnerability, tracked as CVE-2024-6387, has led to the identification of a related bug, tracked as CVE-2024-6409, SecurityWeek reports.

Although both are remote code execution and race condition flaws, CVE-2024-6409 poses a "lower" immediate impact because the issue is present in the privsep child process, which runs with fewer privileges, according to Openwall founder Alexander Peslyak, also known as Solar Designer, who discovered and reported the vulnerability. However, Peslyak noted that differences in exploitability and a potential lack of remediations may make one more prevalent than the other. "It may also be possible to construct an exploit that would work against either vulnerability probabilistically, which could decrease attack duration or increase success rate. That said, actual exploitation of CVE-2024-6409 has not yet been attempted and thus has not been proven," said Peslyak. The development comes as Microsoft confirmed that Windows has not been impacted by the regreSSHion flaw.
