
2024-066: Critical Vulnerability in OpenSSH




OpenSSH regreSSHion Vulnerability


History: 01/07/2024 --- v1.0 -- Initial publication

Summary

On July 1, 2024, a new OpenSSH unauthenticated remote code execution (RCE) vulnerability dubbed regreSSHion was reported, affecting glibc-based Linux systems. This vulnerability, identified as CVE-2024-6387, allows remote attackers to execute arbitrary code as root due to a signal handler race condition in sshd [1].

Technical Details

This vulnerability, if exploited, could lead to full system compromise, where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization [2].

Affected Products

The regreSSHion flaw impacts OpenSSH servers on Linux from version 8.5p1 up to, but not including, 9.8p1 [1]. Versions 4.4p1 up to, but not including, 8.5p1 are not vulnerable to CVE-2024-6387 thanks to a patch for CVE-2006-5051, which secured a previously unsafe function [1]. Versions older than 4.4p1 are vulnerable to regreSSHion unless they are patched for CVE-2006-5051 and CVE-2008-4109. OpenBSD systems are not impacted by this flaw thanks to a secure mechanism introduced back in 2001 [1].

Recommendations

CERT-EU recommends reviewing and applying the patches from Linux distribution security bulletins, including but not limited to:

  • Ubuntu [3]
  • Debian [4]
  • RedHat [5]

If the server cannot be updated immediately, set LoginGraceTime to 0 in the sshd configuration file as a temporary mitigation, but note that this can expose the server to denial-of-service attacks [1].
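As a triage check a defender can run over collected banners and sshd_config files (an added example, not code from CERT-EU or the OpenSSH project), the functions below apply the version ranges from "Affected Products" and read the effective LoginGraceTime; function names and the sample banner and config strings are assumptions of this example.

```python
import re

# Affected ranges from the advisory: older than 4.4p1 (unless patched for
# CVE-2006-5051 and CVE-2008-4109) and 8.5p1 up to, but not including, 9.8p1.
# 4.4p1 up to 8.5p1 already carries the CVE-2006-5051 fix and is not affected.
AFFECTED_RANGES = (((0, 0, 0), (4, 4, 1)), ((8, 5, 1), (9, 8, 1)))
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

def parse_openssh_version(banner):
    """(major, minor, portable) from a banner such as
    'SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3'; None if no version is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))

def is_affected_version(banner):
    """True when the upstream version number lies in an affected range.
    Distributions backport fixes without bumping this number, so True means
    'check the vendor bulletin', not 'confirmed vulnerable'."""
    v = parse_openssh_version(banner)
    if v is None:
        raise ValueError("no OpenSSH version in banner: %r" % banner)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def login_grace_time(sshd_config):
    """Effective LoginGraceTime in seconds from sshd_config text. As in sshd,
    the first occurrence wins, '#' comments are ignored and the default is
    120; s/m/h suffixes are accepted. Include and Match blocks are not
    followed (a simplification of this example)."""
    units = {"": 1, "s": 1, "m": 60, "h": 3600}
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            m = re.fullmatch(r"(\d+)([smh]?)", parts[1].strip().lower())
            if not m:
                raise ValueError("unparsable LoginGraceTime: %r" % parts[1])
            return int(m.group(1)) * units[m.group(2)]
    return 120

def assess_host(banner, sshd_config):
    """'not-affected', 'mitigated' (affected version but LoginGraceTime 0,
    which the advisory notes trades the race for a DoS exposure) or 'patch'."""
    if not is_affected_version(banner):
        return "not-affected"
    return "mitigated" if login_grace_time(sshd_config) == 0 else "patch"
```

On a live host the banner is what sshd sends on connect and the effective configuration comes from `sshd -T`; a "patch" verdict still has to be confirmed against the distribution bulletin, because backported fixes keep the upstream version number.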

MITRE ATT&CK Matrix Analysis for regreSSHion (CVE-2024-6387)

Advisory Summary: An OpenSSH unauthenticated remote code execution (RCE) vulnerability was reported on July 1, 2024. Identified as CVE-2024-6387, it affects glibc-based Linux systems and could lead to full system compromise.

Potential Attacker Groups

  • APT Groups targeting Linux servers
  • Cyber Criminals looking for system takeover opportunities
  • Insider Threat Actors with access to network segments

MITRE ATT&CK Enterprise Matrix

| Techniques & Sub-techniques | Description | Mitigation |
| --- | --- | --- |
| T1190 - Exploit Public-Facing Application | The CVE-2024-6387 vulnerability could be exploited by attackers targeting sshd on public-facing servers. | Apply security patches as recommended by Linux distribution security bulletins [3] [4] [5]. |
| T1068 - Exploitation for Privilege Escalation | Exploiting this vulnerability can give attackers root privileges on the system. | Regularly update and patch sshd and other critical components of the OS. |
| T1072 - Software Deployment Tools | Compromised systems could be used to deploy malware across the network. | Monitor software deployment tools and their usage patterns for unusual activity. |
| T1021 - Remote Services | Attackers can move laterally through the network by exploiting other OpenSSH servers. | Limit network access to critical servers and apply the principle of least privilege. |

MITRE ATT&CK Mobile Matrix

While OpenSSH vulnerabilities primarily affect servers, there are implications for mobile devices that utilize SSH for remote management or connectivity.

| Techniques & Sub-techniques | Description | Mitigation |
| --- | --- | --- |
| M0 - Elevated Privilege Requirements | An attacker controlling an SSH server could impact the mobile device if it relies on SSH for management. | Ensure mobile devices are updated and SSH configurations are secure. |

MITRE ATT&CK ICS Matrix

Industrial Control Systems that use Linux with OpenSSH could be at risk if they're accessible from or connected to corporate networks.

| Techniques & Sub-techniques | Description | Mitigation |
| --- | --- | --- |
| T081 - Exploitation of Remote Services | ICS systems communicating through SSH could be compromised from remote locations. | Apply network segmentation policies and secure remote access protocols. |

References

  1. BleepingComputer Advisory on CVE-2024-6387
  2. Qualys Research Blog on regreSSHion
  3. Ubuntu Security Notice for CVE-2024-6387
  4. Debian Security Tracker for CVE-2024-6387
  5. Red Hat CVE Database Entry for CVE-2024-6387



This post was generated entirely by an AI language model. Source: CERT EU
