On Monday, July 1st 2024, the Qualys Threat Research Unit announced the discovery of a vulnerability in OpenSSH, tracked as CVE-2024-6387 and dubbed 'regreSSHion'. The vulnerability allows a remote unauthenticated attacker to exploit a signal handler race condition in the default sshd configuration and leverage it to achieve unauthenticated remote code execution with root privileges. The vulnerability is a regression of the previously patched CVE-2006-5051; it was reintroduced in October 2020 (OpenSSH 8.5p1), hence the name 'regreSSHion' [1].
 
Description
OpenSSH provides a secure channel over an unsecured network in a client-server architecture, and its use is widespread in enterprises for remote server management and secure data connections. A race condition in the OpenSSH server's handling of asynchronous signals could allow an attacker to cause memory corruption on vulnerable devices, which can be leveraged to achieve remote code execution with root privileges on glibc-based Linux systems. Qualys has identified 14 million potentially vulnerable OpenSSH server instances exposed to the internet [1]. This vulnerability affects OpenSSH server in its default configuration.
Affected status by OpenSSH server version:
  • OpenSSH server versions older than 4.4p1 are vulnerable to regreSSHion unless they are patched for CVE-2006-5051 and CVE-2008-4109
  • OpenSSH server versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable to regreSSHion
  • OpenSSH server versions from 8.5p1 up to, but not including, 9.8p1 are vulnerable to regreSSHion
  • OpenBSD systems are not impacted by this flaw
OpenSSH server version 9.8p1, which is not vulnerable to CVE-2024-6387, is available as an upgrade for all vulnerable versions listed above.
 
Impact
An unauthenticated attacker could perform remote code execution as root on glibc-based Linux systems. Exploitability on Windows and macOS is likely but hasn't been confirmed at the time of writing. Based on this, we estimate the impact of this vulnerability as HIGH.
 
Risk
At the time of writing, we are not aware of any publicly available exploits. Exploiting this vulnerability is not trivial and would likely generate a lot of noise. Qualys has identified 14 million potentially vulnerable OpenSSH server instances exposed to the internet [1]. Because of this, we estimate the chance that an exploit will be released as HIGH. As long as no exploit is available, we estimate the risk of this vulnerability as MEDIUM.
 
Mitigation
To mitigate the vulnerability, we urge readers to apply the latest available update for the OpenSSH server (version 9.8p1), which fixes the vulnerability. Additionally, we recommend restricting SSH access using network-based controls such as firewalls and implementing network segmentation to prevent lateral movement.
When it is not possible to update the OpenSSH server immediately, we recommend applying the following setting in the sshd configuration file of the corresponding vulnerable server(s):
  • Set 'LoginGraceTime' to 0
Note that this setting can expose the server to denial-of-service attacks.
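The two practical tasks in this advisory, checking an OpenSSH version against the affected ranges listed under Description and applying the interim 'LoginGraceTime 0' setting, can be scripted. The following POSIX shell script is an added example written for this page; it is not Northwave's or the OpenSSH project's own tooling, and the function names (parse_openssh_version, classify_openssh_version, set_login_grace_time_zero, effective_login_grace_time) and the sample banners and configuration are constructed for illustration. It classifies purely by upstream version number, which only approximates a distribution package that backports the fix while keeping an older version string; the package changelog is authoritative in that case.

```shell
#!/bin/sh
# Added example: classify an OpenSSH banner against the version ranges in this
# advisory and apply the interim LoginGraceTime mitigation to an sshd_config.
# Function names and sample data are constructed for illustration.

# Print "major minor patch" for a banner such as "OpenSSH_9.2p1 Debian-2+deb12u3"
# (output of `ssh -V`) or "SSH-2.0-OpenSSH_9.2p1" (banner grab). Patch is 0 when
# the portable "pN" suffix is absent. Returns 1 for anything that is not OpenSSH.
parse_openssh_version() {
    b=${1#SSH-2.0-}
    b=${b#OpenSSH_}
    [ "$b" != "$1" ] || return 1          # no OpenSSH_ prefix at all
    ver=${b%%[!0-9.p]*}                   # keep only "9.2p1" out of "9.2p1 Debian-..."
    case $ver in *.*) ;; *) return 1 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    case $rest in
        *p*) minor=${rest%%p*}; patch=${rest#*p} ;;
        *)   minor=$rest;       patch=0 ;;
    esac
    for x in "$major" "$minor" "$patch"; do
        case $x in ''|*[!0-9]*) return 1 ;; esac
    done
    printf '%s %s %s\n' "$major" "$minor" "$patch"
}

# Map a banner onto the advisory's ranges: legacy-check (< 4.4p1, vulnerable unless
# patched for CVE-2006-5051 and CVE-2008-4109), not-vulnerable (4.4p1 <= v < 8.5p1
# and v >= 9.8p1) or vulnerable (8.5p1 <= v < 9.8p1). Prints "unknown" otherwise.
classify_openssh_version() {
    v=$(parse_openssh_version "$1") || { echo unknown; return 1; }
    set -- $v
    n=$(( $1 * 10000 + $2 * 100 + $3 ))   # 9.8p1 -> 90801, comparable as an integer
    if   [ "$n" -lt 40401 ]; then echo legacy-check
    elif [ "$n" -lt 80501 ]; then echo not-vulnerable
    elif [ "$n" -lt 90801 ]; then echo vulnerable
    else                          echo not-vulnerable
    fi
}

# Put "LoginGraceTime 0" at the top of the given sshd_config. sshd uses the first
# value it reads for a keyword, so prepending makes it effective, and it also keeps
# the directive out of any Match block, where LoginGraceTime is not permitted.
# Existing LoginGraceTime lines are commented out rather than deleted, so the
# change is easy to revert once the server is upgraded.
set_login_grace_time_zero() {
    f=$1
    [ -f "$f" ] || return 1
    tmp=$(mktemp) || return 1
    {
        printf 'LoginGraceTime 0\n'
        awk 'tolower($1) == "logingracetime" { print "#" $0; next } { print }' "$f"
    } > "$tmp" && cat "$tmp" > "$f"       # cat keeps the original file's ownership and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print the value sshd will actually use (first uncommented LoginGraceTime line).
effective_login_grace_time() {
    awk 'tolower($1) == "logingracetime" { print $2; exit }' "$1"
}

# Stand-alone usage: no argument classifies the local OpenSSH build (if any);
# a path argument applies the mitigation to that sshd_config file (run as root).
case $# in
    0) command -v ssh >/dev/null 2>&1 && classify_openssh_version "$(ssh -V 2>&1)" || : ;;
    *) set_login_grace_time_zero "$1" &&
       printf 'LoginGraceTime is now %s in %s\n' "$(effective_login_grace_time "$1")" "$1" ;;
esac
```

After editing a live configuration, validate it with `sshd -t -f /etc/ssh/sshd_config` before reloading the service, and treat the classification as a prompt to check the vendor's package changelog rather than as a verdict on a backported build.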
What should you do?
Follow the mitigation steps listed above to mitigate the vulnerability.
 
What will Northwave do?
Vulnerability Management customers will be informed if vulnerable systems are detected in their infrastructure.
We will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. You can call us by phone or send us an email if you would like additional information.
 
E-mail: soc@northwave.nl
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
 

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We will not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.