Jul 01, 2024 · 4 Min read

CVE-2024-6387

regreSSHion - RCE Vulnerability in OpenSSH Server

DESCRIPTION

CVE-2024-6387, also known as regreSSHion, is a critical vulnerability discovered in the OpenSSH server. This vulnerability allows unauthenticated remote code execution with root privileges on glibc-based Linux systems. The condition arises due to a signal handler race condition in the OpenSSH sshd server process.

OpenSSH is open-source software widely used to provide secure communication channels over untrusted networks in a client-server architecture. It offers secure shell (SSH) services that organizations rely on for remote server management and secure data communication.

This vulnerability was discovered by the cybersecurity research team at Qualys. It is considered a regression of a previously patched vulnerability from 2006 (CVE-2006-5051), which shows that fixes for old vulnerabilities can be undone by later software changes or updates. The regression was introduced in OpenSSH release 8.5p1 (October 2020), where the earlier fix was inadvertently removed, and it has been corrected in version 9.8p1.

According to analysis using Shodan and Censys, over 14 million OpenSSH instances directly accessible from the internet may be vulnerable to this exploit. Qualys customer data shows around 700,000 internet-exposed systems appear to be vulnerable.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AFFECTED SYSTEMS

Affected Versions of OpenSSH

OpenSSH versions 8.5p1 to 9.7p1: These versions are vulnerable to CVE-2024-6387 due to a signal handling race condition that allows unauthenticated remote code execution with root privileges.

OpenSSH versions prior to 4.4p1: These versions are vulnerable to the signal handling race condition unless patched for CVE-2006-5051 and CVE-2008-4109.

glibc-based Linux Systems: All Linux distributions using glibc (GNU C Library) running vulnerable OpenSSH versions are affected, including popular distributions like Ubuntu, Debian, Red Hat Enterprise Linux (RHEL), CentOS, Fedora, SUSE Linux Enterprise Server (SLES), and Arch Linux.
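The version ranges above can be turned into a quick triage check for an inventory of hosts. The script below is an added example, not part of the advisory or of OpenSSH itself: it parses an OpenSSH version string (a bare "9.6p1", a server banner, or the output of `ssh -V`) and classifies it against the ranges listed here (8.5p1 through 9.7p1 affected; below 4.4p1 affected unless the CVE-2006-5051 and CVE-2008-4109 fixes were backported; everything else, including the fixed 9.8p1, not affected). The banner strings in the demo are constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an OpenSSH version string
# against the version ranges the advisory lists for CVE-2024-6387.
#   8.5p1 .. 9.7p1   -> affected
#   < 4.4p1          -> affected unless the CVE-2006-5051 / CVE-2008-4109
#                       fixes were backported (cannot be told from the version)
#   anything else    -> not affected by this CVE (9.8p1 is the fixed release)
# Caveat: distributions backport fixes without bumping the upstream version,
# so a banner such as "OpenSSH_9.6p1" may already carry the 9.8p1 fix.
# Confirm with the package changelog before treating a host as exposed.

# parse_openssh_version STRING
# Accepts "9.6p1", "OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL ..." or the output
# of `ssh -V`. Sets OSSH_MAJOR, OSSH_MINOR, OSSH_PATCH; returns 1 if the string
# does not look like an OpenSSH version.
parse_openssh_version() {
    s=$1
    case $s in *OpenSSH_*) s=${s#*OpenSSH_} ;; esac   # drop the banner prefix
    s=${s%%[ ,]*}                                      # keep the version token only
    OSSH_MAJOR=${s%%.*}
    rest=${s#*.}
    [ "$rest" != "$s" ] || return 1                    # no "." -> not a version
    OSSH_MINOR=${rest%%p*}
    if [ "$OSSH_MINOR" = "$rest" ]; then
        OSSH_PATCH=0                                   # e.g. "7.4" without a pN suffix
    else
        OSSH_PATCH=${rest#*p}
    fi
    for f in "$OSSH_MAJOR" "$OSSH_MINOR" "$OSSH_PATCH"; do
        case $f in ''|*[!0-9]*) return 1 ;; esac       # every field must be numeric
    done
    return 0
}

# classify_openssh_version STRING
# Prints one of: affected, affected-unless-backport-patched, not-affected, unknown
classify_openssh_version() {
    if ! parse_openssh_version "$1"; then
        echo unknown
        return 0
    fi
    # Encode x.ypz as x*10000 + y*100 + z so the ranges compare as integers.
    code=$((OSSH_MAJOR * 10000 + OSSH_MINOR * 100 + OSSH_PATCH))
    if [ "$code" -ge 80501 ] && [ "$code" -le 90701 ]; then
        echo affected
    elif [ "$code" -lt 40401 ]; then
        echo affected-unless-backport-patched
    else
        echo not-affected
    fi
}

# Demo over constructed banner strings (not collected from real hosts), then
# the locally installed client if present (on packaged systems the client is
# normally built from the same source package as sshd).
for banner in \
    "OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024" \
    "OpenSSH_9.8p1, OpenSSL 3.3.1 4 Jun 2024" \
    "OpenSSH_8.4p1 Debian-5+deb11u3, OpenSSL 1.1.1w 11 Sep 2023" \
    "OpenSSH_4.3p2"; do
    printf '%-60s %s\n' "$banner" "$(classify_openssh_version "$banner")"
done
if command -v ssh >/dev/null 2>&1; then
    local_ver=$(ssh -V 2>&1)
    printf '%-60s %s\n' "local: $local_ver" "$(classify_openssh_version "$local_ver")"
fi
```

Run it as-is to see the constructed banners classified, or feed it banners gathered from your own inventory one per call. A result of "affected" is a prompt to verify, not a verdict: check the distribution's package changelog for the CVE-2024-6387 fix before scheduling the host for the 9.8p1 (or patched package) upgrade.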

VULNERABILITY IMPACT

• Full System Takeover:

Attackers can gain complete control over the compromised system and execute malicious code with root privileges.

• Malware Installation:

Attackers can install malware or other malicious software on the compromised system, leading to further damage.

• Backdoor Creation:

Attackers can create backdoors on the compromised system, allowing unauthorized access in the future.

RECOMMENDATIONS

Immediate Actions to Mitigate CVE-2024-6387

• Update OpenSSH to the Latest Version:

Immediately update OpenSSH to version 9.8p1 or newer, which addresses this vulnerability.

• Apply Temporary Patches:

If a full update cannot be immediately performed, apply temporary patches released by the vendor to reduce the risk.

• Restrict SSH Access:

Limit SSH access to trusted networks only. Use firewalls to restrict SSH access and ensure only authorized IP addresses can access the SSH server.

Disable public SSH access if not necessary to reduce the attack surface.