Unveiling the CVE-2024–6387: OpenSSH 'RegreSSHion' Vulnerability

On July 1, 2024, a critical cross-compete vulnerability was discovered in the OpenSSH server (sshd) on glibc-based Linux systems. This vulnerability, called RegreSSHion and tracked as CVE-2024–6387, can cause unauthenticated remote execution (RCE) with root privileges based on glibc, an open-source implementation of the C standard library. This risk is rated as High Risk (CVSS 8.1).

Using tools like Censys and Shodan, we found over 14 million OpenSSH servers on the Internet that could be vulnerable to attacks. Data from Qualys CSAM 3.0 shows that about 700,000 of these servers are directly exposed to the Internet and have security weaknesses. This means 31% of all exposed OpenSSH servers in our customer network are at risk. Additionally, over 0.14% of these servers run outdated versions of OpenSSH that no longer receive support or updates, making them especially vulnerable.

Overview On  CVE-2024-6387:

- Vulnerability: Remote Unauthenticated Code Execution (CVE-2024-6387)
- Affected Versions: OpenSSH 8.5p1 through 9.8p1
- Architecture: Concept primarily demonstrated on 32-bit (x86) systems, but 64-bit (amd64) systems may also be at risk
- Systems: Primarily affects glibc-based Linux distributions
- Impact: Exploitation could lead to root-level access
- Complexity: High; exploitation requires precise timing and multiple attempts
- Current Status: A patch has been released with OpenSSH 9.8p1

Let's first understand more about OpenSSH

OpenSSH, or Open Secure Shell, is an essential tool in the realm of enterprise cybersecurity. It provides robust encryption, authentication, and secure tunnelling capabilities, crucial for protecting sensitive data and maintaining the integrity of communication channels within an organization.

Enhancing Infrastructure Security

By integrating OpenSSH into their infrastructure, enterprises can enhance their overall security posture. OpenSSH's logging and monitoring capabilities provide valuable insights into access patterns and potential security threats, allowing administrators to detect and respond to suspicious activities promptly. Furthermore, regular updates and patches to OpenSSH help mitigate vulnerabilities and protect against emerging threats.

Compliance and Regulatory Requirements

Utilizing OpenSSH can also aid organizations in meeting compliance and regulatory requirements related to data security and privacy. Many industry standards and regulations mandate encryption and secure access controls, and OpenSSH provides a robust framework to fulfil these obligations. By adhering to these standards, enterprises can avoid costly fines and reputational damage associated with data breaches and non-compliance.

Triggering the regreSSHion vulnerability

CVE-2024-6387 is a critical vulnerability in OpenSSH versions 8.5p1 to 9.8p1 on glibc-based Linux systems. It stems from a race condition in the signal handler, allowing remote attackers to execute arbitrary code as root, leading to complete system compromise.

Vulnerability Details

Signalling problem:

The OpenSSH server (sshd) had a problem processing the SIGALRM signal. Signal handlers call functions such as Syslog () asynchronously, which leaves the body unbalanced. An attacker could use this vulnerability to manipulate memory and execute arbitrary code.

Relation with old CVE 2006-5051:

This issue is a rollback of a vulnerability from 2006 (CVE-2006-5051) and also contains a coupling issue. Changes to the OpenSSH logging system in version 8.5p1 inadvertently re-emerged a similar vulnerability.

Exploitation Conditions:

To exploit this vulnerability, several things must be done:

• The target must be a vulnerability in OpenSSH (8.5p1 to 9.8p1) on a glibc-based Linux system.
• The attacker must have a clear opportunity to exploit the challenge.
• The nature of the race often requires multiple tests.
• This vulnerability exploits special features of the glibc memory allocator, making it useful on Linux systems.

Fixing CVE-2024-6387

To mitigate CVE-2024-6387, update your OpenSSH server package. This will automatically restart the SSH daemon:

sudo apt update && sudo apt install openSSH-server

For Ubuntu Pro users, use the following command:

sudo pro fix CVE-2024-6387

All Ubuntu versions from 16.04 LTS onwards have the unattended upgrades service, which automatically installs security updates within 24 hours of release.

Protecting Your Servers from Exploitation

Versions of OpenSSH up to 4.4p1, as well as versions from 8.5p1 to 9.7p1 on glibc-based Linux systems, are vulnerable to CVE-2024-6387. Notably, OpenBSD-based servers are not affected, so administrators of those systems can rest a bit easier. For everyone else, it is crucial to update sshd to version 9.8 as soon as possible.

Immediate Actions to Take

1. Update OpenSSH: The most effective measure is to upgrade to OpenSSH version 9.8. This update patches the vulnerability and secures your system against this specific exploit.
2. Temporary Mitigation: If you cannot update immediately, set the login timeout to zero (LoginGraceTime=0) in your sshd_config file. This step can help mitigate the risk but be aware that it might make your SSH server more vulnerable to DDoS attacks.
3. Stricter Access Control: Enhance your SSH access controls using firewalls and other network security tools. Limit SSH access to only trusted IP addresses and consider using VPNs for remote access to reduce exposure to potential attackers.

By taking these steps, you can significantly reduce the risk of exploitation and better secure your servers against potential threats.

Stay tuned for more insights and tips in our Cyber Security World.

Are you curious to know how we can help your organisation stay secure from such attacks and reduce your human risk and attack surface? Contact us!