OpenSSH regreSSHion Vulnerability
History: 01/07/2024 --- v1.0 -- Initial publication
Summary
On July 1, 2024, a new OpenSSH unauthenticated remote code execution (RCE) vulnerability dubbed regreSSHion was reported, affecting glibc-based Linux systems. This vulnerability, identified as CVE-2024-6387, allows remote attackers to execute arbitrary code as root due to a signal handler race condition in sshd [1].
Technical Details
This vulnerability, if exploited, could lead to full system compromise, where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization [2].
Affected Products
The regreSSHion flaw impacts OpenSSH servers on Linux from version 8.5p1 up to, but not including, 9.8p1 [1]. Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable to CVE-2024-6387 thanks to the patch for CVE-2006-5051, which secured a previously unsafe function [1]. Versions older than 4.4p1 are vulnerable to regreSSHion unless they have been patched for CVE-2006-5051 and CVE-2008-4109. OpenBSD systems are not impacted by this flaw thanks to a secure mechanism introduced back in 2001 [1].
Recommendations
CERT-EU recommends reviewing and applying the patches from Linux distribution security bulletins, including but not limited to:
- Ubuntu [3]
- Debian [4]
- RedHat [5]
If OpenSSH cannot be updated immediately, set LoginGraceTime to 0 in the sshd configuration file as an interim measure, but note that this exposes the server to denial-of-service attacks [1].
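As an added example (not part of the CERT-EU advisory), a small POSIX shell triage script that maps an OpenSSH version string onto the affected ranges above and checks whether the interim LoginGraceTime 0 mitigation is present in the effective sshd configuration; the function names are this example's own, and the version check is only a first pass because distributions backport fixes without changing the upstream version.

```shell
#!/bin/sh
# Added example, not part of the CERT-EU advisory: classify an OpenSSH version
# against the ranges the advisory gives for CVE-2024-6387 and check whether the
# interim "LoginGraceTime 0" mitigation is in effect. Assumes POSIX sh, sed, awk.
# Caveat: distributions backport fixes without bumping the upstream version, so
# the version check is a triage aid; the distribution bulletins are authoritative.

# Pull "9.2p1" out of a banner like "OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL ...".
ssh_banner_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9.p]*\).*/\1/p'
}

# Make "X.Y[pZ]" sortable: major*10000 + minor*100 + patch (missing patch = 0).
ssh_ver_num() {
    printf '%s\n' "$1" | awk -F'[.p]' '{ print $1 * 10000 + $2 * 100 + $3 }'
}

# Classify per the advisory: 8.5p1 <= v < 9.8p1 is vulnerable; 4.4p1 <= v < 8.5p1
# is not (CVE-2006-5051 fix); v < 4.4p1 is vulnerable unless patched for
# CVE-2006-5051 and CVE-2008-4109; v >= 9.8p1 carries the upstream fix.
regresshion_status() {
    v=$(ssh_ver_num "$1")
    if   [ "$v" -ge "$(ssh_ver_num 9.8p1)" ]; then echo fixed
    elif [ "$v" -ge "$(ssh_ver_num 8.5p1)" ]; then echo vulnerable
    elif [ "$v" -ge "$(ssh_ver_num 4.4p1)" ]; then echo not-affected
    else echo legacy-check-cve-2006-5051
    fi
}

# Given the effective configuration printed by "sshd -T", succeed only if
# LoginGraceTime is 0 (the advisory's interim mitigation; DoS trade-off applies).
logingracetime_mitigated() {
    printf '%s\n' "$1" | awk 'tolower($1) == "logingracetime" { found = 1; exit ($2 == 0 ? 0 : 1) }
                              END { if (!found) exit 1 }'
}

# Local triage: "sh check.sh --local" (sshd -T needs root to read the host keys).
if [ "${1:-}" = "--local" ]; then
    ver=$(ssh_banner_version "$(ssh -V 2>&1)")  # client and server ship in one package
    [ -n "$ver" ] || { echo "could not parse ssh -V output"; exit 2; }
    echo "OpenSSH $ver: $(regresshion_status "$ver")"
    if logingracetime_mitigated "$(sshd -T 2>/dev/null)"; then
        echo "LoginGraceTime 0 mitigation active"
    else
        echo "LoginGraceTime mitigation not active (or sshd -T unavailable)"
    fi
fi
```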
References
- [1] https://www.bleepingcomputer.com/news/security/new-regresshion-openssh-rce-bug-gives-root-on-linux-servers/
- [2] https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
- [3] https://ubuntu.com/security/CVE-2024-6387
- [4] https://security-tracker.debian.org/tracker/CVE-2024-6387
- [5] https://access.redhat.com/security/cve/cve-2024-6387
MITRE ATT&CK Matrix Analysis for regreSSHion (CVE-2024-6387)
Advisory Summary: An OpenSSH unauthenticated remote code execution (RCE) vulnerability was reported on July 1, 2024. Identified as CVE-2024-6387, it affects glibc-based Linux systems and could lead to full system compromise.
Potential Attacker Groups
- APT groups targeting Linux servers
- Cyber criminals looking for system takeover opportunities
- Insider threat actors with access to network segments
MITRE ATT&CK Enterprise Matrix
| Techniques & Sub-techniques | Description | Mitigation |
|---|---|---|
| T1190 - Exploit Public-Facing Application | CVE-2024-6387 could be exploited by attackers targeting sshd on public-facing servers. | Apply security patches as recommended by Linux distribution security bulletins [3] [4] [5]. |
| T1068 - Exploitation for Privilege Escalation | Exploiting this vulnerability can give attackers root privileges on the system. | Regularly update and patch sshd and other critical components of the OS. |
| T1072 - Software Deployment Tools | Compromised systems could be used to deploy malware across the network. | Monitor software deployment tools and their usage patterns for unusual activity. |
| T1021 - Remote Services | Attackers can move laterally through the network by exploiting other OpenSSH servers. | Limit network access to critical servers and apply the principle of least privilege. |
MITRE ATT&CK Mobile Matrix
While OpenSSH vulnerabilities primarily affect servers, there are implications for mobile devices that use SSH for remote management or connectivity.
| Techniques & Sub-techniques | Description | Mitigation |
|---|---|---|
| M0 - Elevated Privilege Requirements | An attacker controlling an SSH server could impact a mobile device that relies on SSH for management. | Ensure mobile devices are updated and SSH configurations are secure. |
MITRE ATT&CK ICS Matrix
Industrial control systems that run Linux with OpenSSH could be at risk if they are accessible from or connected to corporate networks.
| Techniques & Sub-techniques | Description | Mitigation |
|---|---|---|
| T081 - Exploitation of Remote Services | ICS systems communicating through SSH could be compromised from remote locations. | Apply network segmentation policies and secure remote access protocols. |
References
- BleepingComputer advisory on CVE-2024-6387
- Qualys research blog on regreSSHion
- Ubuntu Security Notice for CVE-2024-6387
- Debian Security Tracker for CVE-2024-6387
- Red Hat CVE database entry for CVE-2024-6387
This post was generated entirely by an AI language model. Source: CERT EU