What is CVE-2024-6387?
regreSShion, tracked as CVE-2024-6387, is an unauthenticated remote command execution (RCE) vulnerability in the OpenSSH server (sshd) on Linux-based systems. It is caused by a signal handler race condition that, when exploited, can result in arbitrary command execution with root privileges. The same flaw was originally tracked as CVE-2006-5051 and patched; later changes to OpenSSH inadvertently reintroduced it, so the original fix regressed. The vulnerable code was first included in OpenSSH 8.5p1 (October 2020) and is present in every subsequent release before the fix. The Qualys research team that disclosed the bug has not released exploit code, but the published research is detailed enough that a skilled, motivated adversary could bridge that gap. Successful exploitation is complex, but the target volume is extremely high, with an estimated 700,000 vulnerable servers exposed to the internet (based on Shodan data).
This is a critical vulnerability. Successful exploitation facilitates remote command execution, which can result in malware deployment, host compromise, or lateral movement within a private network.
CVE | CWE | CVSSv3 | Confidence | EPSS |
CVE-2024-6387 | CWE-364 Signal Handler Race Condition | 8.1 High | High | 0.791 High |
Severity: Critical
- Credentials are NOT required
- Millions of potential targets
- High level of complexity
- Exploit code in public domain
How is it exploited?
This vulnerability is exploitable remotely on glibc-based Linux systems, where syslog() itself calls async-signal-unsafe functions (for example, malloc() and free()). The outcome is unauthenticated remote code execution as root, because the race occurs in sshd's privileged code, which is not sandboxed and runs with full privileges.
How do I protect myself?
Update OpenSSH (sshd) to version 9.8p1 or later.
Who is affected by this?
Product | Affected Versions |
OpenSSH | Earlier than 4.4p1; 8.5p1, 8.6p1 through 9.7p1 |
Mitigating Factors?
If sshd cannot be updated or recompiled, this signal handler race condition can be avoided by setting LoginGraceTime to 0 in the configuration file (sshd_config). This leaves sshd exposed to a denial of service (exhaustion of all MaxStartups connections), but it makes it safe from the remote code execution presented in this advisory.
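To turn the affected-versions table and the LoginGraceTime workaround above into a repeatable triage check, here is an added example (not code from the advisory or from the OpenSSH project). It parses an OpenSSH version banner, flags releases inside the advisory's affected ranges, and checks whether an sshd_config text sets the effective LoginGraceTime to 0; the sample banner and config are constructed, and the version check is only a heuristic because distributions backport fixes without changing the version string.

```python
import re

# Affected ranges from the table above as half-open [lo, hi) tuples of
# (major, minor, portable-patch): before 4.4p1, and 8.5p1 up to the 9.8p1 fix.
AFFECTED_RANGES = [((0, 0, 0), (4, 4, 1)), ((8, 5, 1), (9, 8, 1))]

# Matches "OpenSSH_9.6p1" inside an SSH banner or `ssh -V` output.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Constructed sample inputs for a hypothetical host, not captured from a real system.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"
SAMPLE_CONFIG = "# sshd_config excerpt\nPermitRootLogin no\nLoginGraceTime 0\nMaxStartups 10:30:100\n"

def parse_version(banner):
    """Return (major, minor, portable) from a banner, or None if it is not OpenSSH."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))

def version_in_affected_range(version):
    """Heuristic only: distributions backport fixes without bumping the version,
    so a hit means 'check the package changelog', not 'confirmed vulnerable'."""
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)

def login_grace_time_disabled(sshd_config_text):
    """True if the effective LoginGraceTime is 0 (the advisory's workaround).
    sshd uses the first occurrence of a keyword; 'Key value' and 'Key=value'
    forms are both accepted, and "0" may carry a time unit suffix such as "0s"."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "logingracetime":
            value = parts[1].strip() if len(parts) == 2 else ""
            return re.fullmatch(r"0+[smhdw]?", value, re.IGNORECASE) is not None
    return False  # default LoginGraceTime is 120 seconds: not mitigated

def assess(banner, sshd_config_text):
    """Combine the version triage with the configuration check."""
    version = parse_version(banner)
    if version is None:
        return "unknown: not an OpenSSH banner"
    if not version_in_affected_range(version):
        return "version outside affected ranges"
    if login_grace_time_disabled(sshd_config_text):
        return "affected version, mitigated by LoginGraceTime 0"
    return "affected version, unmitigated: update to 9.8p1 or later"
```

Calling `assess(SAMPLE_BANNER, SAMPLE_CONFIG)` reports the 9.6p1 host as affected but mitigated; a real banner can be obtained from `ssh -V` on the host, and the config from the running sshd's effective settings.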