Earlier this week, on Monday, July 1st, a security regression in OpenSSH's server (sshd) was published as CVE-2024-6387, a reintroduction of the bug originally fixed as CVE-2006-5051. Basically, there is a race condition that can lead sshd to handle some signals in an unsafe manner. The worry is that an unauthenticated, remote attacker may be able to trigger it by failing to authenticate within the login grace period.

What is OpenSSH?

OpenSSH is the premier connectivity tool for remote login using the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides an extensive suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.

How likely is this vulnerability to be exploited in the wild?

To date, no exploitation of the vulnerability has been observed. The likelihood that the regreSSHion Remote Code Execution (RCE) vulnerability in OpenSSH will be exploited in the wild is currently very low. The exploit is complex, requires prior knowledge of the targeted Linux system, and needs several hours of connection attempts that resemble a password brute-force or denial-of-service attack, so only unprotected hosts are realistic targets.

regreSSHion vulnerability

This is a High severity vulnerability with a CVSS v3 base score of 8.1.

Qualys researchers have discovered a signal handler race condition vulnerability in the OpenSSH server (sshd) that allows unauthenticated remote code execution as root on glibc-based Linux systems, in its default configuration.

Affected OpenSSH versions

  1. OpenSSH versions earlier than 4.4p1 that are not patched for CVE-2006-5051 and CVE-2008-4109.
  2. OpenSSH versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.

How to be protected against exploitation

Relevant personnel in the organization should inventory the devices that are running an affected OpenSSH version and patch those devices.

If patching isn't currently feasible, setting LoginGraceTime to 0 in sshd_config will prevent the RCE, at the cost of exposing sshd to a denial of service from unauthenticated connections that are never timed out.
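As an added illustration of the two steps above (this is not Check Point's or OpenSSH's own tooling), the POSIX shell script below classifies an OpenSSH version banner against the affected ranges listed above and reads the effective LoginGraceTime from sshd configuration text such as the output of `sshd -T`. The banners and configuration lines in the demo are constructed samples. One caveat a practitioner needs: many distributions backport the fix without changing the version number, so a banner match is a triage signal, not proof; confirm against the vendor's package changelog before marking a host as vulnerable.

```shell
#!/bin/sh
# regreSSHion triage helpers (added example, not part of the original post).

# Print a numeric key major*100+minor from a banner such as
# "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3"; fails if no version is found.
ssh_version_key() {
    v=$(printf '%s' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 1
    set -- $v
    echo $(( $1 * 100 + $2 ))
}

# Exit status: 0 = banner is inside an affected range (earlier than 4.4,
# or 8.5 up to but not including 9.8), 1 = outside, 2 = unparseable banner.
is_affected_version() {
    key=$(ssh_version_key "$1") || return 2
    if [ "$key" -lt 404 ]; then return 0; fi
    if [ "$key" -ge 805 ] && [ "$key" -lt 908 ]; then return 0; fi
    return 1
}

# Read sshd configuration text on stdin (sshd -T output or sshd_config) and
# print the effective LoginGraceTime. A value of 0 means the mitigation is in
# place. When the directive is absent, sshd's compiled-in default of 120
# seconds applies.
effective_login_grace_time() {
    awk 'tolower($1)=="logingracetime"{ v=$2 } END { print (v=="") ? "120" : v }'
}

# Demo on constructed banners; each line is labelled with the classification.
for banner in "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3" \
              "SSH-2.0-OpenSSH_9.8p1" \
              "SSH-2.0-OpenSSH_4.3p2" \
              "SSH-2.0-dropbear_2022.83"; do
    rc=0
    is_affected_version "$banner" || rc=$?
    case "$rc" in
        0) echo "IN AFFECTED RANGE (verify backports): $banner" ;;
        1) echo "outside affected range:              $banner" ;;
        *) echo "not an OpenSSH banner:               $banner" ;;
    esac
done

# Constructed configuration sample standing in for `sshd -T` output.
sample_config='port 22
logingracetime 0
maxstartups 10:30:100'
echo "LoginGraceTime (sample config): $(printf '%s\n' "$sample_config" | effective_login_grace_time)"

# On a real host, run as root so sshd -T can read the full configuration.
if command -v sshd >/dev/null 2>&1; then
    echo "LoginGraceTime (this host): $(sshd -T 2>/dev/null | effective_login_grace_time)"
fi
```

Run it on a host to see the constructed samples classified, followed by the live value of LoginGraceTime when sshd is installed; pipe your own banner list (for example from an asset inventory) through `is_affected_version` to triage a fleet.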

Check Point CloudGuard Customers

Check Point CloudGuard Workload Protection (AWP, K8s Image Assurance) can detect this CVE.

Resources

https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

https://nvd.nist.gov/vuln/detail/CVE-2024-6387?ref=franklinetech.com

https://www.openssh.com/

https://www.cvedetails.com/cve/CVE-2024-6387/
