Get a demo

Voyager18 (research)

CVE-2024-6387: How to fix the regreSSHion vulnerability

CVE-2024-6387, or regreSSHion, allows remote unauthenticated attackers to execute code on OpenSSH servers.

Yair Divinsky | July 1, 2024

CVE-2024-6387, dubbed regreSSHion, has been identified in the OpenSSH server. This vulnerability enables remote unauthenticated attackers to execute arbitrary code on the target server, presenting a severe risk to systems that utilize OpenSSH for secure communications. 

As with last July’s CVE-2023-38408 affecting OpenSSH, this vulnerability is already making waves in the cyber security community.

CVE-2024-6387 is the first of two vulnerabilities discovered in OpenSSH in July 2024, alongside CVE-2024-6409.

Here’s everything you need to know.

RegreSSHion: TL;DR

Affected products: 

OpenSSH:

  • Versions before 4.4p1
  • Versions 8.5p1 to 9.8p1

Product category: 

Server & network

Severity: 

Critical 

Type: 

Remote code execution 

Impact: 

Confidentiality, integrity, availability 

PoC: 

Link 

Exploit in the wild 

No current evidence 

CISA Catalog 

No 

Remediation action 

Update to the latest OpenSSH version, restrict SSH access to trusted networks, use key-based authentication, and monitor logs for unusual activity. As a temporary fix, set LoginGraceTime to 0 if updating is not feasible. 

MITRE advisory 

Read more 

 

 

What is the CVE-2024-6387 “regreSSHion vulnerability?

CVE-2024-6387, referred to as regreSSHion, is a critical remote unauthenticated code execution vulnerability in the OpenSSH server on glibc-based Linux systems.

Discovered by the security researchers at Qualys, this flaw results from improper input validation in OpenSSH’s handling of certain SSH connections.

Specifically, the vulnerability is due to a buffer overflow, which occurs when an attacker sends a specially crafted request to the OpenSSH server, causing the buffer to overflow and allowing arbitrary code execution. 

This vulnerability is rooted in the way OpenSSH processes user-controlled data during the SSH handshake. During this process, the OpenSSH server fails to properly validate the length of certain inputs, leading to a buffer overflow condition.

By sending a maliciously crafted request, an attacker can overflow the buffer, overwriting adjacent memory, including critical function pointers or return addresses.

This allows the attacker to gain control of the execution flow and run arbitrary code with the same privileges as the OpenSSH process, which often operates with elevated privileges. 

 

Does regreSSHion affect me?

To determine if your systems are affected by CVE-2024-6387, you need to evaluate your use of OpenSSH. This vulnerability impacts OpenSSH server versions prior to the latest patch.

If your systems use OpenSSH for remote management and are exposed to the internet, they are at significant risk. 

Affected OpenSSH versions are: 

  • OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109. 
  • Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure. 
  • The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function. 

OpenBSD systems are unaffected by this bug, as OpenBSD developed a secure mechanism in 2001 that prevents this vulnerability. 

Systems vulnerable to CVE-2024-6387 include those running affected versions of OpenSSH, particularly those with publicly accessible SSH servers.

If your OpenSSH deployment is exposed to untrusted networks or the internet, it is crucial to assess the version in use and take immediate action to mitigate the risk. 

 

Has CVE-2024-6387 been actively exploited in the wild?

As of the latest reports, there have been no confirmed instances of active exploitation of CVE-2024-6387 in the wild.

However, the nature of this vulnerability and the widespread use of OpenSSH mean that the risk of exploitation remains high. Cyber security experts urge immediate action to mitigate this risk due to the potential for severe consequences if the vulnerability is exploited.

 

Observations from the field 

In its advisory, The Qualys research team emphasized that the vulnerability could be exploited without any prior authentication, making it a severe threat to systems with public-facing SSH servers.

The potential impact includes unauthorized remote code execution, which can lead to complete system compromise, data breaches, and other malicious activities.  

Although there are no confirmed exploitation cases, the cyber security community is on high alert.

The ease with which this vulnerability can be exploited, and the critical role of OpenSSH in secure communications, necessitates proactive measures to protect affected systems. Researchers and security professionals continue to monitor for any signs of active exploitation. 

 

RegreSSHion: Reactions from around the web

As with any major vulnerability, CVE-2024-6387 has prompted particular attention and interest: 

 

CVE-2024-6387                       

 

How to fix CVE-2024-6387

Customers are advised to upgrade to OpenSSH 9.8 or later to remediate this vulnerability. This patch addresses the input validation flaw, ensuring that specially crafted requests cannot exploit the vulnerability. 

On June 6, 2024, this signal handler race condition was fixed by commit 81c1099 (“Add a facility to sshd(8) to penalize particular problematic client behaviors”), which moved the async-signal-unsafe code from sshd’s SIGALRM handler to sshd’s listener process, where it can be handled synchronously.

Since this fix is part of a large commit (81c1099), on top of an even larger defense-in-depth commit (03e3de4, “Start the process of splitting sshd into separate binaries”), it might prove difficult to backport. In that case, the signal handler race condition itself can be fixed by removing or commenting out the async-signal-unsafe code from the sshsigdie() function. 

In addition, Qualys’s recommendations for enterprises to safeguard against the threat: 

  1. Restrict Access: Limit SSH access to trusted networks and users only. Implement network access controls to restrict who can connect to your SSH servers. 
  2. Use Strong Authentication: Enhance security by using key-based authentication and disabling password-based logins where possible. 
  3. Monitor and Audit: Regularly monitor SSH access logs for unusual activity and audit your SSH configuration to ensure it follows security best practices. 

Finally, if sshd cannot be updated or recompiled, this signal handler race condition can be fixed by simply setting LoginGraceTime to 0 in the configuration file.

This makes sshd vulnerable to a denial of service (the exhaustion of all MaxStartups connections), but it makes it safe from the remote code execution presented in this advisory. 

 

Further reading

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. Q1 2024 Vulnerability Watch
  2. The MITRE ATT&CK framework: Getting started
  3. The true impact of exploitable vulnerabilities for 2024
  4. Vulnerability disclosure policy (and how to get it right)
  5. How to properly tackle zero-day threats

Get rid of silos;

Start owning exposure risk

Test drive the leader in exposure risk management