What you need to know: OpenSSH RegreSSHion CVE-2024-6387


CVE-2024-6387 is a serious flaw affecting OpenSSH versions 8.5p1 to 9.7p1, discovered to be a regression of an 18-year-old issue (CVE-2006-5051). The vulnerability, a race condition in sshd's signal handler, permits unauthenticated remote code execution (RCE) with root privileges on glibc-based Linux systems and therefore carries a high risk of total system compromise. Organizations should patch their OpenSSH instances as soon as possible.

Overview of the OpenSSH Vulnerability

OpenSSH is a collection of software tools that facilitate secure remote login through the SSH encryption protocol. The vulnerability, believed to impact 14 million internet-facing OpenSSH instances, could lead to a full system compromise and takeover, allowing threat actors to execute arbitrary code with the highest privileges, bypass security mechanisms, steal data, and maintain persistent access.

Exploiting CVE-2024-6387

At the time of publishing, the vulnerability is only known to affect versions between 8.5p1 and 9.7p1 on glibc-based Linux systems. Although the signal handler race condition has only been shown to be exploitable under specific conditions, organizations should patch their OpenSSH instances as soon as possible.

Race conditions occur when multiple processes access and manipulate shared resources concurrently without proper synchronization, leading to unpredictable behavior. In CVE-2024-6387, this manifests in the way OpenSSH's signal handling interacts with its processes, creating a window for exploitation.

Exploitation is also slow: in its advisory OpenSSH stated that “Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept."

Mitigating CVE-2024-6387

  • Patch Systems: OpenSSH released version 9.8 on July 1, 2024, addressing this vulnerability. Ensure all systems are updated.
  • Network Controls: Implement firewalls and intrusion detection/prevention systems to monitor and control SSH traffic, mitigating the risk of prolonged connections.

If you are unable to take these actions, this signal handler race condition can be fixed by simply setting LoginGraceTime to 0 in the configuration file. This makes sshd vulnerable to a denial of service (the exhaustion of all MaxStartups connections), but it makes it safe from the remote code execution presented in this advisory.
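As an added example (not code from this advisory or from the OpenSSH project), the POSIX shell script below turns the two facts above into a triage check: it classifies an OpenSSH version banner against the affected range 8.5p1 through 9.7p1, and it inspects an `sshd -T` style configuration dump for the `LoginGraceTime 0` workaround. The `triage` helper, the `SAMPLE_CONFIG_*` dumps and the hardcoded banners are constructed for the example; `ssh -V` and `sshd -T` are real OpenSSH commands. Bear in mind that distributions often backport the fix without changing the upstream version number, so a version hit means "check the vendor advisory and package changelog", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added triage helper for CVE-2024-6387 (example code, not from the
# advisory or from OpenSSH). Two checks:
#   1) is the upstream version within 8.5 .. 9.7 (the affected range)?
#   2) does the effective sshd config set LoginGraceTime to 0?
# Caveat: backported distro fixes keep the old version number, so treat
# a range hit as a prompt to consult the vendor advisory.

# Returns 0 if the banner's version is within 8.5..9.7 inclusive,
# 1 if outside that range, 2 if the argument is not an OpenSSH banner.
# Input example: "OpenSSH_9.6p1 ..." as printed by `ssh -V` (on stderr)
# or sent by sshd on connect. The portable patch level (pN) is ignored.
openssh_in_affected_range() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver%% *}
    minor=${ver##* }
    if [ "$major" -eq 8 ] && [ "$minor" -ge 5 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -le 7 ]; then return 0; fi
    return 1
}

# Returns 0 if the config dump (one "key value" per line, lowercase keys,
# the format `sshd -T` prints) sets LoginGraceTime to 0, else 1.
login_grace_time_is_zero() {
    printf '%s\n' "$1" |
    awk 'tolower($1) == "logingracetime" { found = 1; if ($2 == "0") zero = 1 }
         END { exit (found && zero) ? 0 : 1 }'
}

# Prints a verdict for a banner plus a config dump. Return value is the
# machine-readable result: 0 = no action needed, 1 = action needed.
triage() {
    banner=$1
    config=$2
    rc=0; openssh_in_affected_range "$banner" || rc=$?
    case $rc in
        2) echo "unrecognised banner: $banner"; return 1 ;;
        1) echo "$banner: outside 8.5p1-9.7p1, not in the affected range"; return 0 ;;
    esac
    if login_grace_time_is_zero "$config"; then
        echo "$banner: in affected range, LoginGraceTime 0 workaround present (RCE mitigated, DoS risk accepted)"
        return 0
    fi
    echo "$banner: in affected range and LoginGraceTime is not 0 -> update to 9.8 or set LoginGraceTime 0"
    return 1
}

# Constructed samples in the shape of `sshd -T` output (not real dumps).
SAMPLE_CONFIG_DEFAULT='port 22
logingracetime 120
maxstartups 10:30:100'
SAMPLE_CONFIG_HARDENED='port 22
logingracetime 0
maxstartups 10:30:100'

# Demo run on constructed inputs. For a live host use, for example:
#   triage "$(ssh -V 2>&1)" "$(sudo sshd -T 2>/dev/null)"
# (sshd -T needs root to read the host keys.)
for banner in OpenSSH_8.4p1 OpenSSH_9.6p1 OpenSSH_9.8p1; do
    triage "$banner" "$SAMPLE_CONFIG_DEFAULT" || :
done
triage OpenSSH_9.6p1 "$SAMPLE_CONFIG_HARDENED" || :
```

After applying the workaround, run `sshd -t` to validate the configuration and reload the service; `sshd -T` then shows the effective `logingracetime 0` value that the check above looks for.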

CVE-2024-6387 poses a critical threat due to its potential for RCE with root privileges. Despite the complexity of exploitation, the severity of the impact necessitates prompt action. Updating to OpenSSH 9.8 and strengthening network defenses are essential steps in mitigating this risk.
