Key summary
Title | regreSSHion |
Vendor | OpenSSH |
Product | sshd |
Affected Version | 8.5p1 to 9.7p1 |
CVE ID | CVE-2024-6387 |
CVSSv3 | 8.1 |
Risk Level | HIGH |
Thomas Murray Risk Score | 9.9 |
Description
CVE-2024-6387, also known as "regreSSHion," is a critical unauthenticated remote code execution (RCE) vulnerability in OpenSSH. It allows attackers to execute arbitrary code on affected systems without authenticating, posing a significant security risk. The issue is a race condition in sshd's signal handling, which can be exploited to gain unauthorised access and potentially control the system.
The LoginGraceTime parameter in OpenSSH specifies how long a client is allowed to authenticate before the server disconnects it; by default it is set to 120 seconds. When that time expires, sshd receives the SIGALRM signal and its signal handler runs. However, the handler invokes functions such as syslog() that are not async-signal-safe, which leads to a race condition. This setting is also important for mitigating brute-force attacks, since it limits the time window attackers have to attempt authentication. Adjusting LoginGraceTime to a lower value can enhance security by reducing the period an attacker has to exploit vulnerabilities such as CVE-2024-6387.
In summary, the race condition could allow attackers to cause unexpected behaviour or security issues in the SSH service, up to the unauthenticated code execution described above.
POC Availability | Yes |
Exploited in the wild | Unknown at this time |
Zero Day | No |
Attack Vector | Vulnerability can be exploited remotely |
Remote Code Execution | Code can be executed remotely |
Remediation
Search for malicious use of OpenSSH:
Check whether OpenSSH on your systems has already been exploited.
Configure LoginGraceTime:
Reduce the LoginGraceTime to a shorter value (e.g., 30 seconds) to minimise the window of vulnerability.
- As root (via sudo), edit: /etc/ssh/sshd_config
- Add/Edit: LoginGraceTime 0 (a value of 0 disables the grace timer entirely, so the SIGALRM handler is never invoked; the trade-off is that unauthenticated connections can then occupy sshd's connection slots indefinitely, exposing the service to denial of service)
- Run: systemctl restart sshd.service (on Debian and Ubuntu the unit is named ssh.service)
Limit SSH access:
Apply firewall rules to limit SSH access to only the necessary IP addresses and networks.
Update OpenSSH:
Install the latest version of OpenSSH (9.8 or later) to patch the vulnerability.
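Two checks that support the search and update steps above, as an added example that is not part of the original advisory: a banner check against the affected version range, and a per-source count of the "Timeout before authentication" lines that sshd logs whenever the LoginGraceTime timer expires. The sample log lines and the threshold of five are constructed assumptions.

```python
import re
from collections import Counter

# Upstream versions the advisory lists as affected: 8.5p1 through 9.7p1 inclusive.
AFFECTED_MIN = (8, 5)
AFFECTED_MAX = (9, 7)

def parse_openssh_version(banner):
    """Extract (major, minor) from a banner such as 'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def version_in_affected_range(banner):
    """True when the upstream version is within 8.5p1..9.7p1.
    Distribution backports of the fix are not visible in the banner, so a True
    result means 'confirm against the package changelog', not 'confirmed vulnerable'."""
    v = parse_openssh_version(banner)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX

# Every exploitation attempt has to let the LoginGraceTime timer expire, and sshd logs
# that event as "Timeout before authentication for <ip> port <port>". Many such lines
# from one source in a short period is the pattern worth investigating.
TIMEOUT_RE = re.compile(r"sshd\[\d+\]: Timeout before authentication for (\S+) port \d+")

def count_grace_timeouts(log_lines):
    """Map each client address to the number of pre-authentication timeouts it caused."""
    counts = Counter()
    for line in log_lines:
        m = TIMEOUT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def suspicious_sources(log_lines, threshold=5):
    """Addresses whose timeout count reaches the threshold (the threshold is an assumed tuning value)."""
    return sorted(ip for ip, n in count_grace_timeouts(log_lines).items() if n >= threshold)

# Constructed sample log lines in syslog format; not taken from a real incident.
SAMPLE_LOG = [
    f"Jul  1 10:00:{s:02d} host sshd[{1000 + s}]: Timeout before authentication for 203.0.113.7 port {40000 + s}"
    for s in range(6)
] + [
    "Jul  1 10:00:30 host sshd[1100]: Timeout before authentication for 198.51.100.2 port 51000",
    "Jul  1 10:00:31 host sshd[1101]: Accepted publickey for alice from 198.51.100.9 port 52000 ssh2",
]

if __name__ == "__main__":
    print("affected banner:", version_in_affected_range("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4"))
    print("patched banner:", version_in_affected_range("SSH-2.0-OpenSSH_9.8p1"))
    print("sources to investigate:", suspicious_sources(SAMPLE_LOG))
```

The version check is a triage aid only: a distribution that backported the 9.8 fix will still report a banner inside the affected range.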
Thomas Murray Insights
At the time of writing this report there are no known campaigns targeting this vulnerability; however, a number of proof-of-concept (PoC) exploits are available.
The "regreSSHion" vulnerability, CVE-2024-6387, is a critical flaw in OpenSSH that allows remote unauthenticated code execution on glibc-based Linux systems, potentially leading to root-level access. This poses a significant security risk as it can result in full system compromise. Organisations must urgently update OpenSSH, enhance monitoring for suspicious activity, and bolster security measures such as firewalls and intrusion detection systems to mitigate this threat. This vulnerability underscores the importance of regular software updates and robust security protocols.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-6387
- https://www.splunk.com/en_us/blog/security/cve-2024-6387-regresshion-vulnerability.html
- https://www.openssh.com/txt/release-9.8