Key summary
Title | regreSSHion
Vendor | OpenSSH
Product | sshd
Affected Version | 8.5p1 to 9.7p1 (releases before 4.4p1 that never received the CVE-2006-5051 fix are also affected)
CVE ID | CVE-2024-6387
CVSSv3 | 8.1
Risk Level | HIGH
Thomas Murray Risk Score | 9.9
Description
CVE-2024-6387, also known as "regreSSHion," is an unauthenticated remote code execution (RCE) vulnerability in the OpenSSH server (sshd), disclosed by Qualys on 1 July 2024. It is a signal handler race condition: if a client does not authenticate within LoginGraceTime, sshd's SIGALRM handler runs and calls functions that are not async-signal-safe, such as syslog(). An attacker who can reach the SSH port can exploit this, without any credentials, to execute arbitrary code as root on glibc-based Linux systems. The bug is a regression of CVE-2006-5051: the original fix was accidentally removed in October 2020 and shipped in OpenSSH 8.5p1, and it was fixed again in 9.8p1.
The LoginGraceTime parameter in sshd_config specifies how long a client is allowed to authenticate before the server disconnects it; the default is 120 seconds. When that timer expires, sshd receives SIGALRM and its handler runs. In affected versions the handler invokes syslog(), which in turn calls async-signal-unsafe functions such as malloc() and free(); if the signal arrives while the main code is already inside one of those functions, heap state can be corrupted, and with careful timing an attacker can turn that corruption into code execution. The setting exists to stop an unauthenticated connection from holding a slot indefinitely, which blunts brute-force attempts, but merely lowering it (for example to 30 seconds) does not remove the vulnerable code path: the handler still runs, just earlier. Setting LoginGraceTime to 0 disables the timer entirely, so the handler is never invoked, at the cost of letting idle unauthenticated connections tie up sshd (see MaxStartups).
In summary, an attacker with network access to sshd can trigger this race condition repeatedly; the practical outcome ranges from crashed sshd child processes to, given enough attempts, unauthenticated root-level code execution.
POC Availability | Yes
Exploited in the wild | Unknown at this time
Zero Day | No
Attack Vector | Vulnerability can be exploited remotely
Remote Code Execution | Code can be executed remotely
Remediation
Search for malicious use of OpenSSH:
Check whether the vulnerability has already been exploited. Every connection that runs out the grace timer is logged by sshd as "Timeout before authentication for <ip> port <port>", and the published exploitation technique needs thousands of such connections from one source over several hours, so large numbers of these messages from a single address are the primary indicator. Also review crash reports for sshd child processes (segfaults) over the same period.
Configure LoginGraceTime:
Set LoginGraceTime to 0 to disable the timer, so that the vulnerable signal handler is never invoked. Reducing it to a shorter non-zero value (e.g., 30 seconds) does not mitigate the vulnerability. Note that LoginGraceTime 0 lets unauthenticated clients hold connection slots indefinitely, exposing sshd to denial of service through MaxStartups exhaustion, so treat this as an interim measure until the update is applied.
- As root (e.g., via sudo), edit: /etc/ssh/sshd_config
- Add/Edit: LoginGraceTime 0
- Run: sshd -t to validate the configuration, then systemctl restart sshd.service (the unit is ssh.service on Debian and Ubuntu)
Limit SSH access:
Apply firewall rules to limit SSH access to only the IP addresses and networks that need it.
Update OpenSSH:
Install OpenSSH 9.8p1 or later, or your distribution's backported fix, to patch the vulnerability.
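The remediation steps above as runnable shell helpers. This is an added example written for this page; it is not code from OpenSSH or from the advisory. It provides a version-range check for an "OpenSSH_X.Y" banner, a scan of an auth log for login-grace timeouts grouped by source address, and an idempotent edit of LoginGraceTime in an sshd_config. The log excerpt and config fragment returned by the sample_* functions are constructed for illustration; the paths in the comments (/var/log/auth.log, /etc/ssh/sshd_config) are the usual locations and may differ on your distribution.

```sh
#!/bin/sh
# Added example for this advisory; not code from OpenSSH or the advisory's authors.
# Against a real host (as root):
#   is_affected_version "$(ssh -V 2>&1)" && echo "affected upstream version"
#   flag_grace_timeout_sources /var/log/auth.log 50
#   set_login_grace_time /etc/ssh/sshd_config 0 && sshd -t && systemctl restart sshd.service

# Return 0 if an "OpenSSH_X.Y..." banner is in the affected upstream range
# 8.5p1..9.7p1, 1 if outside it, 2 if no version could be parsed.
# Caveat: distributions backport fixes without bumping the version string,
# so confirm against the package changelog before calling a host vulnerable.
is_affected_version() {
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' | head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -eq 8 ] && [ "$minor" -ge 5 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -le 7 ]; then return 0; fi
    return 1
}

# Print "ip count" for every source with at least $2 "Timeout before authentication"
# records in log file $1. The exploit needs thousands of connections that each
# run out the grace timer, so one address with a large count is the signal.
flag_grace_timeout_sources() {
    awk -v thr="$2" '
        /Timeout before authentication for/ {
            for (i = 1; i < NF; i++) if ($i == "for") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }
    ' "$1" | sort
}

# Set LoginGraceTime in config file $1 to $2 (0 disables the timer, which is the
# CVE-2024-6387 mitigation). Rewrites an existing directive, commented out or not,
# otherwise appends one. sshd honours the first value it finds, so every copy is
# rewritten rather than adding a new line at the end. A backup is left as $1.bak.
set_login_grace_time() {
    if grep -Eq '^[[:space:]]*#?[[:space:]]*LoginGraceTime[[:space:]]' "$1"; then
        sed -i.bak -E "s/^[[:space:]]*#?[[:space:]]*LoginGraceTime[[:space:]].*/LoginGraceTime $2/" "$1"
    else
        printf 'LoginGraceTime %s\n' "$2" >> "$1"
    fi
}

# Print the effective LoginGraceTime from config file $1 (first uncommented
# directive wins, as in sshd); prints nothing when unset (default is 120 seconds).
get_login_grace_time() {
    awk 'tolower($1) == "logingracetime" && !seen { print $2; seen = 1 }' "$1"
}

# Constructed auth.log excerpt: one normal login, five grace-timer expiries from a
# single source (the pattern an exploitation attempt leaves), and one stray timeout.
sample_auth_log() {
    cat <<'EOF'
Jul  1 10:00:01 bastion sshd[4101]: Accepted publickey for ops from 198.51.100.9 port 51022 ssh2
Jul  1 10:02:11 bastion sshd[4120]: fatal: Timeout before authentication for 203.0.113.5 port 40001
Jul  1 10:04:12 bastion sshd[4133]: fatal: Timeout before authentication for 203.0.113.5 port 40002
Jul  1 10:06:12 bastion sshd[4147]: fatal: Timeout before authentication for 203.0.113.5 port 40003
Jul  1 10:08:13 bastion sshd[4160]: fatal: Timeout before authentication for 203.0.113.5 port 40004
Jul  1 10:10:13 bastion sshd[4172]: fatal: Timeout before authentication for 203.0.113.5 port 40005
Jul  1 10:15:40 bastion sshd[4190]: fatal: Timeout before authentication for 198.51.100.9 port 51100
EOF
}

# Constructed sshd_config fragment with the directive still commented out, which is
# how the stock file ships on most distributions.
sample_sshd_config() {
    cat <<'EOF'
Port 22
#LoginGraceTime 2m
PermitRootLogin no
MaxStartups 10:30:100
EOF
}
```

The threshold passed to flag_grace_timeout_sources is a tuning knob: a handful of timeouts from one address is normal background noise, hundreds or thousands within hours is not. Once LoginGraceTime is 0 these log lines stop appearing, so after applying the mitigation watch instead for sources holding many unauthenticated connections open (the MaxStartups throttling path).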
Thomas Murray Insights
At the time of writing this report there are no known campaigns targeting this vulnerability; however, a number of proof of concepts (PoC) are available.
The "regreSSHion" vulnerability, CVE-2024-6387, is a critical flaw in OpenSSH that allows remote unauthenticated code execution on glibc-based Linux systems, leading to root-level access and therefore full system compromise. Qualys demonstrated exploitation against 32-bit glibc Linux, where a successful attempt needed on average six to eight hours of continuous connection attempts; 64-bit systems are believed to be exploitable but no working exploit had been demonstrated at the time of writing, and OpenBSD is not affected because its syslog_r() is async-signal-safe. The slow, noisy nature of the attack is what makes log-based detection practical. Organisations must urgently update OpenSSH, enhance monitoring for suspicious activity, and bolster security measures such as firewalls and intrusion detection systems to mitigate this threat. This vulnerability underscores the importance of regular software updates and robust security protocols.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-6387
- https://www.splunk.com/en_us/blog/security/cve-2024-6387-regresshion-vulnerability.html
- https://www.openssh.com/txt/release-9.8