
Key summary

Title: regreSSHion
Vendor: OpenSSH
Product: sshd
Affected Version: 8.5p1 to 9.7p1
CVE ID: CVE-2024-6387
CVSSv3: 8.1
Risk Level: HIGH
Thomas Murray Risk Score: 9.9

Description

CVE-2024-6387, also known as "regreSSHion", is an unauthenticated remote code execution (RCE) vulnerability in the OpenSSH server, sshd. An attacker who can reach the SSH port can, in principle, run arbitrary code on an affected host without valid credentials. The root cause is a race condition in one of sshd's signal handlers. The bug is a regression: the same class of flaw was fixed in 2006 (CVE-2006-5051) and was reintroduced in OpenSSH 8.5p1, hence the name.

The LoginGraceTime directive in sshd_config sets how long a client may take to authenticate before the server disconnects it; the default is 120 seconds. When that timer expires, sshd receives SIGALRM and runs its grace-period signal handler. In affected versions the handler calls functions such as syslog() that are not async-signal-safe. If the signal arrives while the interrupted code is inside a non-reentrant routine (for example the heap allocator, which syslog() may itself use), the handler re-enters that routine with its state half-updated. An attacker who times the final bytes of the authentication exchange so that the timeout fires at the right moment can turn this into memory corruption. LoginGraceTime is normally tuned to limit brute-force attempts, but for this vulnerability the relevant setting is 0, which disables the timeout entirely so that the handler is never invoked; merely shortening the window does not remove the race.

In summary, an attacker who wins this race can make sshd execute attacker-controlled code. Each failed attempt just produces a disconnect and a "Timeout before authentication" entry in the sshd log, which is why exploitation is slow and noisy rather than silent.
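To make the mechanism concrete, here is an added example (not OpenSSH's own code, and not from this advisory) that places the unsafe handler pattern next to two safe ones and simulates a short login grace period. The names unsafe_alarm_handler, abort_alarm_handler, flag_alarm_handler, install_alarm_handler and run_login_grace are hypothetical, and the millisecond grace periods stand in for LoginGraceTime so that the demo runs quickly.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <sys/time.h>
#include <unistd.h>

/* Set by the handler. volatile sig_atomic_t is the only object type that C
 * guarantees can be written from a signal handler and read elsewhere. */
static volatile sig_atomic_t grace_expired = 0;

/* UNSAFE pattern, modelled on what the pre-9.8 grace handler did: it logs
 * and exits from inside the handler. syslog() may take locks and call
 * malloc(); exit() runs atexit handlers and flushes stdio. If SIGALRM lands
 * while the interrupted code is already inside malloc()/free(), the handler
 * re-enters the allocator with its state half-updated: that is the race.
 * Shown for contrast only; nothing below installs it. */
void unsafe_alarm_handler(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication"); /* not async-signal-safe */
    exit(1);                                           /* not async-signal-safe */
}

/* SAFE pattern 1 (what the OpenSSH 9.8 fix effectively does): terminate at
 * once with _exit(), which is async-signal-safe, and do no logging or
 * cleanup inside the handler at all. */
void abort_alarm_handler(int sig)
{
    (void)sig;
    _exit(2);
}

/* SAFE pattern 2: only record the event. The main loop notices the flag and
 * does the logging and cleanup in ordinary program context. */
void flag_alarm_handler(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* Install h as the SIGALRM handler. Returns 0 on success, -1 on error. */
int install_alarm_handler(void (*h)(int))
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = h;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGALRM, &sa, NULL);
}

/* Simulate a login grace period of grace_ms milliseconds with the flag-based
 * handler. Returns 1 once the timer fired, 0 if grace_ms is 0 (the
 * LoginGraceTime 0 case: no timer is armed, so no handler ever runs), and
 * -1 on error. Hypothetical helper, not sshd's code. */
int run_login_grace(unsigned grace_ms)
{
    if (grace_ms == 0)
        return 0;
    if (install_alarm_handler(flag_alarm_handler) != 0)
        return -1;

    /* Block SIGALRM so the flag check and the wait cannot be separated by
     * the signal (a plain pause() after an unblocked check could sleep
     * forever if the signal arrived in between). */
    sigset_t block, saved, wait_mask;
    sigemptyset(&block);
    sigaddset(&block, SIGALRM);
    if (sigprocmask(SIG_BLOCK, &block, &saved) != 0)
        return -1;

    grace_expired = 0;
    struct itimerval t;
    memset(&t, 0, sizeof t);               /* it_interval 0: one-shot timer */
    t.it_value.tv_sec = grace_ms / 1000;
    t.it_value.tv_usec = (grace_ms % 1000) * 1000;
    if (setitimer(ITIMER_REAL, &t, NULL) != 0)
        return -1;

    sigemptyset(&wait_mask);
    while (!grace_expired)
        sigsuspend(&wait_mask);            /* atomically unblock and sleep */

    sigprocmask(SIG_SETMASK, &saved, NULL);
    return 1;
}

int main(void)
{
    int r = run_login_grace(200);
    /* Back in normal context: logging, free() and exit() are safe here.
     * The vulnerable code did this work inside the handler instead. */
    printf("grace period expired: %d; log and clean up here, not in the handler\n", r);
    return r == 1 ? 0 : 1;
}
```

The point of the two safe variants is the same: the handler touches nothing that can be mid-update in the interrupted code. Deferring the work to the main loop (pattern 2) keeps the log line; calling _exit() (pattern 1) gives up the log line in exchange for the smallest possible handler, which is the trade-off the upstream fix made.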


POC Availability: Yes
Exploited in the wild: Unknown at this time
Zero Day: No
Attack Vector: Remote (the vulnerability can be exploited over the network)
Remote Code Execution: Yes (code can be executed remotely)

Remediation

Search for signs of exploitation:

Review sshd logs (for example /var/log/auth.log, /var/log/secure, or the journal for the SSH service) covering the period before patching. A working exploit needs thousands of connections that each run into the grace timeout, so a sustained burst of "Timeout before authentication" entries from a single source is the indicator to look for; a handful of such entries from ordinary internet scanning is normal.

Configure LoginGraceTime:

Set LoginGraceTime to 0. This disables the authentication timeout, so SIGALRM is never delivered and the unsafe handler never runs. Merely shortening the value (for example to 30 seconds) does not remove the race. The trade-off is that unauthenticated connections can then be held open indefinitely and exhaust the MaxStartups connection slots, a denial-of-service exposure, so treat this as a stopgap until sshd is updated.

  • As root (or via sudo), edit: /etc/ssh/sshd_config
  • Add/Edit: LoginGraceTime 0 (the first LoginGraceTime line in the file wins, so remove or comment out any earlier one)
  • Check the file parses: sshd -t
  • Run: systemctl restart sshd.service (on Debian and Ubuntu the unit is ssh.service)

Limit SSH access:

Apply firewall rules so that sshd is reachable only from the IP addresses and networks that need it. The exploit requires sustained direct connections to the SSH port, so reducing exposure reduces both the risk and the log noise.

Update OpenSSH:

Install OpenSSH 9.8p1 or later, or your distribution's backported fix for CVE-2024-6387. Many distributions patch the package without changing the upstream version string, so confirm the fix from the vendor advisory or package changelog rather than from the version number alone, and make sure sshd has been restarted so the new binary is the one listening.

Thomas Murray Insights

At the time of writing, there are no known campaigns targeting this vulnerability; however, several proofs of concept (PoCs) are publicly available.

The "regreSSHion" vulnerability, CVE-2024-6387, is a serious flaw in OpenSSH's sshd that allows remote unauthenticated code execution on glibc-based Linux systems. The resulting code runs as root, because the affected code path is in sshd's privileged, unsandboxed process, so a successful attack is a full system compromise. Exploitation has been demonstrated on 32-bit systems with ASLR enabled and took several hours of continuous connection attempts; 64-bit systems are believed to be exploitable as well, although that was not demonstrated. The attempts are noisy and leave many timeout entries in sshd logs, which works in defenders' favour. Organisations should update OpenSSH promptly, apply the LoginGraceTime 0 workaround where a patch cannot be deployed immediately, restrict SSH exposure with firewall rules, and monitor for bursts of authentication timeouts. The fact that a 2006 fix was undone by a later change is also a reminder that previously patched issues can return.
