CVE-2024-6387, also known as regreSSHion, is a critical security vulnerability in OpenSSH’s server component (sshd) on glibc-based Linux systems. This flaw allows for unauthenticated remote code execution (RCE) with root privileges, posing a significant risk to affected systems.
In this article, we will explain the OpenSSH vulnerability known as regreSSHion (CVE-2024-6387), detail the steps you need to take immediately, list the affected versions, and guide you on how to check if your system is vulnerable.
What is CVE-2024-6387 (regreSSHion)?
regreSSHion (CVE-2024-6387) is a vulnerability that enables attackers to execute arbitrary code on a target system without needing to authenticate. The name regreSSHion highlights the nature of the flaw as a regression bug in OpenSSH. This means that an attacker can gain full root access to the system, potentially leading to complete system compromise, data theft, and persistent unauthorized access.
- Type of Vulnerability: Signal handler race condition in OpenSSH’s server (sshd).
- Affected Systems: glibc-based Linux systems.
- Impact: Unauthenticated remote code execution with root privileges.
- Default Configuration: The vulnerability affects OpenSSH’s default configuration and does not require user interaction.
The Qualys Threat Research Unit (TRU) discovered that this vulnerability is a regression of an earlier flaw, CVE-2006-5051, which had been patched previously. The regression occurred due to changes or updates made in October 2020 with the release of OpenSSH version 8.5p1, inadvertently reintroducing the issue. This makes regreSSHion the first significant unauthenticated RCE vulnerability in OpenSSH in nearly two decades.
Exploitation
- Mechanism: If a client does not authenticate within 120 seconds (the default LoginGraceTime setting), sshd’s SIGALRM handler runs asynchronously and calls functions that are not async-signal-safe.
- Requirements: The attack requires continuous connections over a period of 6-8 hours to succeed under lab conditions, particularly on 32-bit Linux/glibc systems with address space layout randomization (ASLR).
Affected versions by OpenSSH vulnerability
- Versions earlier than 4.4p1: Vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109.
- Versions from 4.4p1 to 8.5p1: Not vulnerable due to a previous patch.
- Versions from 8.5p1 to 9.7p1: Vulnerable due to the accidental removal of a critical security component.
What do you need to do now?
To mitigate the risks associated with regreSSHion (CVE-2024-6387), users should:
- Apply the Latest Patches: Ensure that OpenSSH is updated to the latest version where the vulnerability is addressed.
- Limit SSH Access: Use network-based controls to restrict SSH access.
- Enforce Network Segmentation: Implement segmentation to limit unauthorized access and lateral movement within the network.
OpenSSH version check
How do you check your OpenSSH version? There are two main ways:
- Using the `ssh -V` command: This is the simplest and most common way. The `ssh` command with a capital `V` flag prints the version of the OpenSSH client installed on your system. This works on Linux, macOS, and even Windows with OpenSSH installed.
- Checking the remote server version (if applicable): If you want to know the version of the OpenSSH server running on a remote machine, use the `ssh` command with the `-v` flag (lowercase v) to connect in verbose mode. This prints various connection details, including the version of the remote OpenSSH server.
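As an added example (not part of the original article), the following POSIX shell script turns the two checks above into a repeatable test: it reads the banner that `ssh -V` prints for the local client and the "remote software version" line that `ssh -v` logs for a remote server, extracts the OpenSSH version number, and maps it onto the affected ranges listed earlier in the article. The function names, the bucket labels and the sample banner lines are constructed for this example; the script assumes that versions 9.8p1 and later fall outside the listed ranges (the upstream fix).

```shell
#!/bin/sh
# Added example, not the article's own code: classify OpenSSH version
# banners against the version ranges listed in the article.

# Extract "major.minor" from a banner such as
# "OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024" or
# "debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1".
# Prints nothing when no OpenSSH version is present.
openssh_version_number() {
    printf '%s\n' "$1" \
        | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p' \
        | head -n 1
}

# Map the version onto the article's buckets (labels are constructed here):
#   before 4.4      -> vulnerable-unless-patched  (needs the CVE-2006-5051 / CVE-2008-4109 fixes)
#   4.4 up to 8.4   -> not-affected
#   8.5 up to 9.7   -> vulnerable                 (regression present)
#   9.8 and later   -> fixed-upstream             (assumption: outside the listed ranges)
classify_openssh_version() {
    ver=$(openssh_version_number "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    major=${ver%%.*}
    minor=${ver#*.}
    num=$((major * 100 + minor))   # 9.6 -> 906, so ranges compare as integers
    if [ "$num" -lt 404 ]; then
        echo "vulnerable-unless-patched"
    elif [ "$num" -lt 805 ]; then
        echo "not-affected"
    elif [ "$num" -lt 908 ]; then
        echo "vulnerable"
    else
        echo "fixed-upstream"
    fi
}

# Fetch the remote server's version line using the article's `ssh -v` method.
# BatchMode=yes prevents a password prompt; the connection is closed right after
# the banner exchange, so nothing needs to authenticate successfully.
remote_openssh_banner() {
    ssh -v -o BatchMode=yes -o ConnectTimeout=5 "$1" exit 2>&1 \
        | grep 'remote software version' | head -n 1
}

# Local client check (`ssh -V` writes its banner to stderr).
if command -v ssh >/dev/null 2>&1; then
    local_banner=$(ssh -V 2>&1)
    echo "local:  $local_banner -> $(classify_openssh_version "$local_banner")"
fi

# Constructed sample lines in the format `ssh -v` logs for a remote server.
for line in \
    "debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.10" \
    "debug1: Remote protocol version 2.0, remote software version OpenSSH_9.6p1 Ubuntu-3ubuntu13" \
    "debug1: Remote protocol version 2.0, remote software version OpenSSH_9.8p1"
do
    echo "sample: $line -> $(classify_openssh_version "$line")"
done

# To check a real host instead of the samples (example invocation):
#   classify_openssh_version "$(remote_openssh_banner ssh.example.com)"
```

One caveat a practitioner should keep in mind: the version string alone is not conclusive. Distributions often backport the fix without changing the upstream version number, so a banner such as `OpenSSH_9.6p1 Ubuntu-3ubuntu13.x` may already carry the patch; treat "vulnerable" from this script as "check the package changelog or your vendor's advisory", not as a confirmed finding.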
CVE-2024-6387 (regreSSHion) represents a significant threat due to its ability to grant unauthenticated remote code execution with root privileges. The reappearance of such a vulnerability underscores the importance of rigorous regression testing and prompt application of security patches. By taking proactive measures, organizations can protect their systems from the severe implications of this vulnerability.
All images are generated by Eray Eliaçık/Bing