Skip to content
arrow-alt-circle-up icon

Cyber Incident Call

arrow-alt-circle-up icon

00800 1744 0000

arrow-alt-circle-up icon

See all Threat Responses
On Monday July 1st 2024, The Qualys Threat Research Unit announced the discovery of a recently disclosed vulnerability in OpenSSH, known as CVE-2024-6387 / regreSSHion. The vulnerability allows a remote unauthenticated attacker to exploit a signal handler race condition in the default sshd configuration and leveraging this to perform unauthenticated remote code execution with root privileges. The vulnerability is a regression of the previously patched vulnerability CVE-2006-5051 and was introduced in October 2020 (OpenSSH 8.5p) and is therefore dubbed 'RegreSSHion'[1].
OpenSSH provides a secure channel over an unsecured network in a client-server architecture and its use is widespread in enterprises for remote server management and secure data connections. A race condition in OpenSSH server's handling of asynchronous signals could allow an attacker to cause memory corruption on vulnerable devices, which can be leveraged to achieve remote code execution with root privileges on glibc-based Linux systems. Qualys has identified 14 million potentially vulnerable OpenSSH server instances exposed to the internet [1]. This vulnerability affects OpenSSH server in the default configuration.
The following versions of OpenSSH server are affected:
  • OpenSSH server versions older than 4.4p1 are vulnerable to regreSSHion unless they are patched for CVE-2006-5051 and CVE-2008-4109
  • OpenSSH server versions from 4.4p1 up to, but not including 8.5p1 are not vulnerable to regreSSHion
  • OpenSSH server versions from 8.5p1 up to, but not including 9.8p1 are vulnerable to regreSSHion
  • OpenBSD systems are not impacted by this flaw
OpenSSH server version 9.8p1, which is not vulnerable to CVE-2024-6387 is available for all vulnerable versions listed above.
An unauthenticated attacker could perform remote code execution as root on glibc-based Linux systems. Exploitability on Windows and macOS is likely but hasn't been confirmed at the time of writing. Based on this, we estimate the impact of this vulnerability as HIGH.
At the time of writing, we are not aware of any publicly available exploits. The exploitability of this vulnerability is not trivial and would potentially generate a lot of noise. Qualys has identified 14 million potentially vulnerable OpenSSH server instances exposed to the internet [1]. Because of this, we estimate the chance of the release of an exploit as HIGH. Until no exploit is available, we estimate the risk of this vulnerability as MEDIUM.
To mitigate the vulnerability, we urge readers to apply the latest available update for the OpenSSH server (version 9.8p1), which fixes the vulnerability. Additionally, we recommend to restrict SSH access using network-based controls such as firewalls and implement network segmentation to prevent lateral movement.
When it's not possible to update the OpenSSH server immediately, we recommend applying the following settings in the sshd configuration file of the corresponding vulnerable server(s):
  • Set the 'LoginGraceTime' to 0
  • Note that this can expose the server to denial-of-service attacks.
What should you do?
Follow the mitigation steps listed above to mitigate the vulnerability.
What will Northwave do?
Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure. 
We will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. You can call us by phone or send us an email if you would like additional information.
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000


Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We will not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.