Key summary

| Field | Value |
|---|---|
| Title | regreSSHion |
| Vendor | OpenSSH |
| Product | sshd |
| Affected Version | 8.5p1 to 9.7p1 |
| CVE ID | CVE-2024-6387 |
| CVSSv3 | 8.1 |
| Risk Level | HIGH |
| Thomas Murray Risk Score | 9.9 |
Description
CVE-2024-6387, also known as "regreSSHion," is a critical unauthenticated remote code execution (RCE) vulnerability in OpenSSH. It allows attackers to execute arbitrary code on affected systems without authenticating, posing a significant security risk. The issue stems from a race condition in sshd's signal handling, which can be exploited to gain unauthorised access and potentially take control of the system.
The LoginGraceTime parameter in OpenSSH specifies how long a client is allowed to authenticate before the server disconnects it; by default it is 120 seconds. When that timer expires, sshd receives the SIGALRM signal and its signal handler runs. However, the handler invokes functions such as syslog(), which are not async-signal-safe, and this is what creates the race condition. The setting is also important for mitigating brute force attacks, because it limits the time window in which an attacker can attempt authentication. Lowering LoginGraceTime therefore reduces the period an attacker has to exploit vulnerabilities such as CVE-2024-6387.
In summary, this vulnerability could allow attackers to exploit the race condition to cause unexpected behaviour or security issues in the SSH service.
| Item | Status |
|---|---|
| POC Availability | Yes |
| Exploited in the wild | Unknown at this time |
| Zero Day | No |
| Attack Vector | Vulnerability can be exploited remotely |
| Remote Code Execution | Code can be executed remotely |
Remediation
Search for malicious use of OpenSSH:
Check whether OpenSSH on the host has already been exploited.
Configure LoginGraceTime:
Reduce the LoginGraceTime to a shorter value (e.g., 30 seconds) to minimise the window of vulnerability.
- As root (or via sudo), edit: /etc/ssh/sshd_config
- Add/Edit: LoginGraceTime 0
- Run: systemctl restart sshd.service
Limit SSH access:
Apply firewall rules that restrict SSH access to only the IP addresses and networks that need it.
Update OpenSSH:
Install the latest version of OpenSSH (9.8 or later) to patch the vulnerability.
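The three checks behind these remediation steps (is the installed version in the affected range, what LoginGraceTime is actually in force, and are there bursts of connections that ran out the grace timer) can be scripted. The POSIX shell below is an added example, not code from the Thomas Murray advisory or from the OpenSSH project. It assumes that OpenSSH reports its version as "OpenSSH_X.YpZ", that `sshd -T` prints the effective configuration as lowercase "keyword value" lines, and that sshd logs "Timeout before authentication for <ip> port <n>" when the grace timer expires; the log lines at the bottom are constructed sample data using RFC 5737 test addresses. Note that LoginGraceTime 0 disables the timer entirely (so the unsafe signal handler never runs) but lets unauthenticated clients hold connections open, so pair it with MaxStartups or a firewall rate limit until the upgrade to 9.8 is done.

```shell
#!/bin/sh
# Added audit helpers for CVE-2024-6387 (not part of the Thomas Murray advisory).
# Assumptions: version strings look like "OpenSSH_9.6p1"; `sshd -T` prints
# "logingracetime N"; sshd logs "Timeout before authentication for <ip> port <n>".

# Return 0 if the version (e.g. "OpenSSH_9.6p1" or "9.6p1") is in the affected
# range 8.5p1 .. 9.7p1, 1 if outside it, 2 if it cannot be parsed.
# Caveat: distributions backport fixes without changing the version number, so
# treat a hit as "check the package changelog", not as proof of exposure.
is_affected_version() {
    v=${1#OpenSSH_}                 # drop the banner prefix if present
    v=${v%% *}                      # drop any distro suffix after the first space
    case "$v" in *.*) ;; *) return 2 ;; esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%[!0-9]*}          # digits up to the "p" (or end of string)
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -eq 8 ] && [ "$minor" -ge 5 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -le 7 ]; then return 0; fi
    return 1
}

# Print the effective LoginGraceTime (seconds) from `sshd -T` output on stdin.
# 0 means the grace timer is disabled: the SIGALRM handler never runs, but
# unauthenticated clients can then hold connections open indefinitely.
login_grace_time() {
    awk 'tolower($1) == "logingracetime" { print $2; found = 1 }
         END { if (!found) print 120 }'   # 120 is sshd's compiled-in default
}

# Read sshd log lines on stdin and print "ip count" for each source address
# with at least $1 (default 10) "Timeout before authentication" entries.
# Known exploitation attempts produce many connections that deliberately run
# out the grace timer, so a burst from one address is the signal to triage.
timeout_bursts() {
    awk -v t="${1:-10}" '
        /Timeout before authentication for/ {
            for (i = 1; i <= NF; i++) if ($i == "for") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }'
}

# Live check of this host. `sshd -T` needs root to read the host keys; `ssh -V`
# reports the client binary, which normally ships in the same package as sshd.
audit_host() {
    ver=$(ssh -V 2>&1 | sed 's/,.*//')
    is_affected_version "$ver" && rc=0 || rc=$?
    case $rc in
        0) echo "version $ver is in the affected range: verify the package changelog" ;;
        1) echo "version $ver is outside the affected range" ;;
        *) echo "could not parse version: $ver" ;;
    esac
    if out=$(sshd -T 2>/dev/null); then
        echo "effective LoginGraceTime: $(printf '%s\n' "$out" | login_grace_time)"
    else
        echo "sshd -T failed (run as root to read the effective configuration)"
    fi
}

# Constructed sample log (not real data): four timeouts from one TEST-NET address.
SAMPLE_LOG='Jul  1 10:00:01 bastion sshd[4101]: fatal: Timeout before authentication for 203.0.113.7 port 40001
Jul  1 10:00:02 bastion sshd[4102]: fatal: Timeout before authentication for 203.0.113.7 port 40002
Jul  1 10:00:02 bastion sshd[4103]: Accepted publickey for alice from 198.51.100.9 port 50010 ssh2
Jul  1 10:00:03 bastion sshd[4104]: fatal: Timeout before authentication for 203.0.113.7 port 40003
Jul  1 10:00:03 bastion sshd[4105]: fatal: Timeout before authentication for 198.51.100.9 port 50011
Jul  1 10:00:04 bastion sshd[4106]: fatal: Timeout before authentication for 203.0.113.7 port 40004'

# Demonstration against the constructed data; call audit_host for the real host.
printf '%s\n' "$SAMPLE_LOG" | timeout_bursts 3      # prints: 203.0.113.7 4
```

Run `timeout_bursts` against `/var/log/auth.log` (or `journalctl -u ssh`) with a threshold tuned to the host's normal traffic; a single address repeatedly hitting the grace timeout is worth correlating with the firewall step above.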
Thomas Murray Insights
At the time of writing this report, there are no known campaigns targeting this vulnerability; however, a number of proof-of-concept (PoC) exploits are available.
The "regreSSHion" vulnerability, CVE-2024-6387, is a critical flaw in OpenSSH that allows remote unauthenticated code execution on glibc-based Linux systems, potentially leading to root-level access. This poses a significant security risk as it can result in full system compromise. Organisations must urgently update OpenSSH, enhance monitoring for suspicious activity, and bolster security measures such as firewalls and intrusion detection systems to mitigate this threat. This vulnerability underscores the importance of regular software updates and robust security protocols.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-6387
- https://www.splunk.com/en_us/blog/security/cve-2024-6387-regresshion-vulnerability.html
- https://www.openssh.com/txt/release-9.8