OpenSSH regreSSHion CVE-2024-6387 Vulnerability: Exploitation & Mitigation


In cybersecurity, old ghosts often return to haunt us, but rarely with such severity as seen in CVE-2024-6387, aptly dubbed "regreSSHion." Imagine waking up to find that a flaw patched nearly two decades ago has reemerged, leaving millions of systems vulnerable to unauthorized control. It's not a nightmare - it's the reality facing OpenSSH today. 

This critical vulnerability, now allowing unauthenticated remote code execution (RCE) with root privileges, threatens to undermine the very foundation of secure communications. In this post, we will explain the implications of regreSSHion, explore its potential impacts, and crucially, outline how you can protect your systems against this critical threat.


What is the CVE-2024-6387 OpenSSH regreSSHion Vulnerability?

On July 1, 2024, a significant security flaw was identified in OpenSSH, specifically affecting glibc-based Linux systems [1]. This vulnerability, designated as CVE-2024-6387, allows for unauthenticated remote code execution (RCE) with root privileges. It's a critical flaw arising from a signal handler race condition in the OpenSSH server component (sshd), which is configured to listen for connections from client applications.

Detailed security analysis revealed that this flaw is essentially a regression of the CVE-2006-5051 vulnerability, which was patched 18 years ago but inadvertently reintroduced with OpenSSH version 8.5p1 in October 2020. This recent discovery underscores the importance of thorough regression testing to prevent the reintroduction of previously patched vulnerabilities.

Current Status and Discoveries Related to OpenSSH (CVE-2024-6387):

Researchers from the Qualys Threat Research Unit (TRU) discovered CVE-2024-6387, finding that over 14 million potentially vulnerable instances of OpenSSH servers are exposed to the internet. While this vulnerability primarily impacts glibc-based Linux systems, OpenBSD systems are unaffected due to a specific security mechanism introduced by OpenBSD in 2001.

Currently, there have been no confirmed instances of exploitation.

Vulnerability Details:

  • SIGALRM Handler Issue: When a client fails to authenticate within LoginGraceTime (default is 120 seconds), sshd's SIGALRM handler is called asynchronously, invoking various functions that are not safe to call from a signal context.
  • Remote Code Execution: This condition ultimately can be exploited for unauthorized remote code execution with root privileges due to async-unsafe calls within the signal handler.

Impact of the OpenSSH regreSSHion Vulnerability

The implications of CVE-2024-6387 are severe. Successful exploitation leads to full system compromise, granting attackers the ability to execute arbitrary code with the highest privileges. This enables the installation of malware, extraction of sensitive data, and establishment of persistent backdoors for further exploits.

Qualys researchers noted that exploiting this vulnerability typically requires multiple attempts, and under lab conditions, the attack takes an average of 6-8 hours of continuous connection attempts on 32-bit systems with Address Space Layout Randomization (ASLR).

Log4Shell vs. regreSSHion: A Comparative Analysis of Impact

While both Log4Shell (CVE-2021-44228) and regreSSHion (CVE-2024-6387) present severe security challenges, Log4Shell is arguably more critical due to its broader scope and ease of exploitation. Log4Shell impacted an extensive array of applications and services that rely on the Apache Log4j library, making it a globally pervasive threat. Its straightforward exploitation method, which allowed attackers to execute remote code by simply sending crafted data to a vulnerable system, resulted in immediate and widespread malicious activity. In contrast, regreSSHion targets specific OpenSSH server instances on glibc-based Linux systems, predominantly affecting secure communication infrastructure. Although regreSSHion's exploitation involves a complex race condition and multiple attempts, leading to unauthorized root access and potential full system compromise, its current scope is narrower.

Affected Versions:

  • OpenSSH before 4.4p1: Vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109.
  • OpenSSH 8.5p1 to 9.7p1: Vulnerable due to regression of CVE-2006-5051.

Fixed versions (Debian package versions):

  • 1:8.4p1-5+deb11u3
  • 1:9.2p1-2+deb12u3

Exploitation Scenario:

An attacker who successfully exploits this vulnerability gains complete control over the affected server. This means they could install backdoors, exfiltrate or manipulate data, and propagate through the network by compromising additional systems along the way.

What Should Organizations Do for Remediation?

Given the critical nature of CVE-2024-6387, immediate action is necessary to mitigate this risk:

Steps to Secure Your Systems:

  • Apply Patches: Update OpenSSH to the latest version that includes patches for CVE-2024-6387.
  • Limit SSH Access: Use network-based controls to limit SSH access and enforce segmentation to reduce attack surface.
  • Configure LoginGraceTime: As a temporary measure, setting LoginGraceTime to 0 can mitigate risk but also exposes the system to denial of service attacks due to the exhaustion of allowed connections. Therefore, use this mitigation strategy with limiting SSH 

Configuration Adjustment:

To adjust LoginGraceTime, modify /etc/ssh/sshd_config:

LoginGraceTime 0
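An added triage helper, not from this post, Qualys or the OpenSSH project: it checks an OpenSSH version banner against the affected ranges listed above and reads the effective LoginGraceTime from sshd_config text. The banner strings and config snippets are constructed; version-only matching cannot see distro backports such as the Debian packages listed above, so a hit is a prompt to check the package changelog, not a verdict.

```python
import re

# Affected ranges as stated in the post: before 4.4p1 (unless patched for
# CVE-2006-5051 / CVE-2008-4109) and 8.5p1 through 9.7p1 inclusive.
FIRST_SAFE_OLD = (4, 4, 1)
REGRESSION_START = (8, 5, 1)
REGRESSION_END = (9, 7, 1)


def parse_openssh_version(banner):
    """Extract (major, minor, portable) from an 'OpenSSH_X.YpZ ...' banner."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError("not an OpenSSH banner: %r" % banner)
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))


def is_version_in_affected_range(banner):
    """True when the upstream version falls inside a range the advisory lists.
    Distro packages may carry a backported fix (e.g. Debian 1:9.2p1-2+deb12u3),
    which this check cannot see; verify the package changelog on a hit."""
    v = parse_openssh_version(banner)
    return v < FIRST_SAFE_OLD or REGRESSION_START <= v <= REGRESSION_END


def _seconds(token):
    """Convert an sshd_config time value (e.g. '120', '2m', '1h') to seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", token.lower())
    if not m:
        raise ValueError("bad time value: %r" % token)
    unit = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return int(m.group(1)) * unit[m.group(2)]


def login_grace_time(sshd_config_text):
    """Effective LoginGraceTime in seconds: the first uncommented directive
    wins (sshd keeps the first value it reads); default is 120 when unset."""
    for line in sshd_config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            return _seconds(parts[1])
    return 120


def triage(banner, sshd_config_text):
    """Return a list of findings for one host (empty list = nothing to flag)."""
    findings = []
    if is_version_in_affected_range(banner):
        findings.append("version in affected range; verify distro backport")
    grace = login_grace_time(sshd_config_text)
    if grace != 0:
        findings.append("LoginGraceTime=%d: grace-timeout SIGALRM path is reachable" % grace)
    return findings
```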

Conclusion

CVE-2024-6387, known as regreSSHion, is a critical vulnerability reminiscent of past issues that have resurfaced due to reintroductions in software updates. Immediate action, including patch application and configuration changes, is essential to protect against potential remote code execution attacks that can compromise entire systems. Regular security assessments and keeping abreast of updates from security advisories will further bolster defenses against such vulnerabilities.

For further information and detailed technical guidance, please refer to the latest advisories from OpenSSH maintainers. Stay vigilant and ensure your systems are patched and configured securely.


References

[1] The regreSSHion Bug: https://www.qualys.com/regresshion-cve-2024-6387/