
Just in Time Bulletin: CVE-2024-6387 regreSSHion Unauthenticated Remote Command Execution

Jul 15, 2024

What is CVE-2024-6387?

regreSSHion, tracked as CVE-2024-6387, is an unauthenticated remote command execution (RCE) vulnerability that impacts OpenSSH (sshd) on Linux-based systems. The vulnerability is attributed to a signal handler race condition that, when exploited, could result in arbitrary command execution with root privileges. The flaw was originally tracked as CVE-2006-5051 and patched; however, later updates to OpenSSH inadvertently reintroduced it, regressing the earlier fix. The vulnerable code was first included in OpenSSH 8.5p1 (October 2020) and is present in all subsequent releases up to 9.7p1. The Qualys research team responsible for disclosing the bug has not released exploit code; however, the research is sufficiently detailed that a skilled, motivated adversary could bridge this gap. Successful exploitation is complex, but the target volume is extremely high, with an estimated 700,000 vulnerable servers exposed to the internet (based on Shodan data).

This is a critical vulnerability. Successful exploitation facilitates remote command execution, which can result in malware deployment, host compromise, or lateral movement within a private network.

CVE             CWE                                      CVSSv3     Confidence   EPSS
CVE-2024-6387   CWE-364 Signal Handler Race Condition    8.1 High   High         0.791 High


Severity: Critical


  • Credentials are NOT required
  • Millions of potential targets
  • High level of complexity
  • Exploit code in public domain

How is it exploited?

This vulnerability is exploitable remotely on glibc-based Linux systems, where syslog() itself calls async-signal-unsafe functions (for example, malloc() and free()). The result is unauthenticated remote code execution as root, because the race lies in sshd’s privileged code, which is not sandboxed and runs with full privileges.

How do I protect myself?

Update to OpenSSH (sshd) version 9.8p1 or later.

Who is affected by this?

Product   Affected Versions
OpenSSH   Earlier than 4.4p1
          8.5p1
          8.6p1 to 9.7p1

Mitigating Factors?

If sshd cannot be updated or recompiled, this signal handler race condition can be fixed by simply setting LoginGraceTime to 0 in the configuration file. This makes sshd vulnerable to a denial of service (the exhaustion of all MaxStartups connections), but it makes it safe from the remote code execution presented in this advisory.
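The following triage helper is an added example, not part of the bulletin or of OpenSSH: it applies the affected-version table above to an OpenSSH banner and checks an sshd_config fragment for the LoginGraceTime 0 mitigation. The banner and config text are constructed sample input; distribution backports can make a version string look vulnerable when the fix is present, so an "exposed" result is a prompt to check the package changelog, not a confirmation.

```python
import re

# Affected upstream ranges from the bulletin's table: < 4.4p1, and 8.5p1 through 9.7p1.
# Fixed in 9.8p1 or later.
FIXED = (9, 8, 1)


def parse_openssh_version(banner):
    """Return (major, minor, patch) from an SSH banner or `sshd -V` string, or None.
    'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4' -> (9, 6, 1)."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_in_affected_range(v):
    """Apply the bulletin's version table to a parsed version tuple."""
    return v < (4, 4, 1) or (8, 5, 1) <= v <= (9, 7, 1)


def login_grace_time_is_zero(sshd_config_text):
    """True if the effective LoginGraceTime is 0 (the mitigation above).
    Like sshd, the first occurrence of a keyword wins; comments are ignored,
    and 'Keyword value' or 'Keyword=value' are both accepted.
    When unset, sshd defaults to 120 seconds, i.e. not mitigated."""
    for line in sshd_config_text.splitlines():
        line = line.split("#", 1)[0].replace("=", " ", 1).strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            return parts[1].strip() in ("0", "0s")
    return False


def triage(banner, sshd_config_text):
    """Classify a host as not_openssh, not_affected, mitigated or exposed."""
    v = parse_openssh_version(banner)
    if v is None:
        return "not_openssh"
    if not version_in_affected_range(v):
        return "not_affected"
    if login_grace_time_is_zero(sshd_config_text):
        return "mitigated"
    return "exposed"


# Constructed sample input (hypothetical host, not real scan data).
SAMPLE_BANNER = "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4"
SAMPLE_CONFIG = "# constructed sshd_config fragment\nPort 22\n#LoginGraceTime 2m\nLoginGraceTime 0\nMaxStartups 10:30:100\n"

if __name__ == "__main__":
    print(triage(SAMPLE_BANNER, SAMPLE_CONFIG))
```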

Additional Resources About CVE-2024-6387