Check Point Blog

CVE-2024-6387 – regreSSHion Remote Code Execution vulnerability seen in OpenSSH

On Monday, July 1st, a security regression (CVE-2024-6387) of a flaw previously patched in 2006 was discovered in OpenSSH’s server (sshd).

According to Qualys, “This vulnerability is challenging to exploit due to its remote race condition nature, requiring multiple attempts for a successful attack. This can cause memory corruption and necessitate overcoming Address Space Layout Randomization (ASLR).”

What is OpenSSH?

OpenSSH is the premier connectivity tool for remote login using the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides an extensive suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.

regreSSHion vulnerability

This is a High severity vulnerability with a CVSS v3 base score of 8.1.

Qualys researchers have discovered a signal handler race condition vulnerability in OpenSSH’s server (sshd) that allows unauthenticated remote code execution as root on glibc-based Linux systems, affecting its default configuration.

How likely is this vulnerability to be exploited in the wild?

To date, no exploitation of the vulnerability has been seen. The exploit is complex and requires prior knowledge of a Linux target, as well as several hours of look-alike password brute-force attempts with a combination of unprotected DDoS attack victims.

Affected OpenSSH versions

  1. OpenSSH versions earlier than 4.4p1 that are not patched for CVE-2006-5051 and CVE-2008-4109.
  2. OpenSSH versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.

How to protect your organization against exploitation

Relevant personnel in the organization should map devices that are running an affected OpenSSH version and patch those devices.

If patch management isn’t currently feasible, configuring LoginGraceTime to 0 will prevent the RCE.
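
An added example (not Check Point's or OpenSSH's code) of the mapping step above: it classifies collected SSH banners or `ssh -V` strings against the affected ranges listed on this page and marks hosts whose `sshd -T` dump shows `LoginGraceTime 0`. Host names, banners and status labels are constructed for illustration; because distributions backport fixes without changing the upstream version, an `affected` result is a candidate to confirm against the vendor's package advisory.

```python
import re

# Affected ranges as listed on this page, compared on (major, minor) only:
# every boundary the page names is a "p1" release, so the suffix is not needed.
FIXED_2006 = (4, 4)   # earlier than 4.4p1: affected unless legacy CVEs are patched
REGRESSED = (8, 5)    # 8.5p1: start of the second affected range
FIXED_2024 = (9, 8)   # 9.8p1: first release outside the affected range

VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")

def classify_banner(banner):
    """Classify an SSH banner or `ssh -V` string against the page's ranges."""
    match = VERSION_RE.search(banner)
    if not match:
        return "unknown"  # not OpenSSH, or the banner was altered
    version = (int(match.group(1)), int(match.group(2)))
    if version < FIXED_2006:
        # Affected only if CVE-2006-5051 / CVE-2008-4109 fixes are missing.
        return "check-legacy-patches"
    if REGRESSED <= version < FIXED_2024:
        return "affected"
    return "not-affected"

def grace_time_mitigated(sshd_t_output):
    """True if the effective config (text of `sshd -T`) has logingracetime 0."""
    for line in sshd_t_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            return parts[1] == "0"
    return False  # directive absent from the dump: treat as not mitigated

def triage(host, banner, sshd_t_output=""):
    status = classify_banner(banner)
    if status == "affected" and grace_time_mitigated(sshd_t_output):
        status = "affected-mitigated"
    return host, status

# Constructed inventory rows: host names, banners and config dumps are made up.
INVENTORY = [
    ("bastion-01", "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13", "logingracetime 120"),
    ("build-07", "SSH-2.0-OpenSSH_8.9p1", "port 22\nlogingracetime 0"),
    ("legacy-02", "SSH-2.0-OpenSSH_4.3p2", ""),
    ("edge-11", "SSH-2.0-OpenSSH_9.8p1", ""),
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(*triage(*row))
```

Qualys' advisory notes that `LoginGraceTime 0` trades the RCE for exposure to denial of service through exhaustion of `MaxStartups` connections, so hosts reported as `affected-mitigated` still need the patch.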

Check Point Customers

Quantum Force & CloudGuard Network are not vulnerable. Customers can learn more in Check Point SK65269.

Quantum Spark does utilize a vulnerable version of OpenSSH in R81.10.x and above; new firmware is available that mitigates the vulnerability. Please visit Check Point SK182459 for more information and download links.

The Check Point IPS team has also released a new protection that prevents exploitation of this vulnerability, allowing customers to virtually patch their environments. Customers should ensure that their IPS signatures are up to date.

For CloudGuard CNAPP customers, a new Toxic Combination has also been dedicated to detecting the vulnerability.

Resources

https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

https://nvd.nist.gov/vuln/detail/CVE-2024-6387?ref=franklinetech.com

https://www.openssh.com/

https://www.cvedetails.com/cve/CVE-2024-6387/
