On Monday, July 1, 2024, the Qualys Threat Research Unit (TRU) published a new unauthenticated remote code execution (RCE) vulnerability. This vulnerability, CVE-2024-6387, also known as "regreSSHion," affects OpenSSH's server (sshd). This blog post covers the details of this critical vulnerability and provides actionable steps to mitigate its risk.
What is CVE-2024-6387?
This CVE is a regression of an earlier vulnerability (CVE-2006-5051) that was accidentally reintroduced into the code base in October 2020, in what became OpenSSH 8.5p1. CVE-2024-6387 is a signal handler race condition in sshd: when a client fails to authenticate within the LoginGraceTime period (120 seconds by default), sshd's SIGALRM handler runs asynchronously and calls functions that are not async-signal-safe, such as syslog(), which in turn calls malloc() and free(). A client that times its traffic so the alarm fires in the middle of a heap operation can corrupt the heap, which Qualys turned into arbitrary code execution with sshd's root privileges.
Vulnerability Impact
Successful exploitation of CVE-2024-6387 allows an unauthenticated attacker to execute arbitrary code as root, compromising the entire system. CVE-2024-6387 has been assigned a CVSS base score of 8.1 and affects glibc-based Linux systems, with Censys and Shodan identifying over 14 million potentially vulnerable OpenSSH server instances exposed to the Internet.
While a large number of systems are susceptible to this vulnerability, widespread exploitation is unlikely in the short term: the attacker needs to know the target Linux distribution in advance, and winning the race takes several hours of repeated connection attempts (comparable in volume to a password brute-force attack). Qualys demonstrated its exploit against 32-bit glibc-based Linux; exploitation of 64-bit systems has not been demonstrated but is believed to be possible. There were no reports of regreSSHion (CVE-2024-6387) being exploited in the wild as of July 1st, 2024, but as Wiz.io notes, attackers could spread attempts over multiple weeks while switching IP addresses between attempts, making it harder for organizations to detect a patient threat actor.
Mitigation Strategies
To protect your systems from CVE-2024-6387, apply the patch wherever you can and layer the remaining strategies below as defense in depth:
- Apply Patches: The most effective mitigation is to update OpenSSH to a version that includes the fix for CVE-2024-6387 (9.8p1 upstream, or your distribution's backported package). The exact revision and/or package level depends on your operating system. Vulnerable versions:
  - OpenSSH versions earlier than 4.4p1, unless they are patched for CVE-2006-5051 and CVE-2008-4109
  - OpenSSH versions 8.5p1 up to but not including 9.8p1 (the bug was reintroduced in 8.5p1 and fixed in 9.8p1)
  - Versions 4.4p1 through 8.4p1 are not vulnerable
*Note that OpenBSD systems are not affected: OpenBSD's syslog_r() has been async-signal-safe since 2001, so the handler cannot corrupt the heap there. On Debian and Ubuntu the fix is backported, so the upstream number printed by ssh -V does not change; pay attention to the Debian revision and Ubuntu-specific revision at the end of the package version, and compare it with the security notice for your release (USN for Ubuntu, DSA for Debian) to confirm the patched level.
### Check your OS and release (uname shows the kernel; /etc/os-release shows the distribution and version)
uname -a
cat /etc/os-release
### Verify the OpenSSH version installed. ssh -V prints the client build, which normally matches the server package, but check the server package itself:
ssh -V
dpkg -s openssh-server | grep '^Version'
### Check which versions your distribution's repository offers:
apt list -a openssh-server
### Refresh the package index:
sudo apt update
### Update OpenSSH specifically
sudo apt install --only-upgrade openssh-server
### OR update all packages on your system, including OpenSSH
sudo apt upgrade
### Restart the SSH daemon to apply the upgrade (Debian/Ubuntu name the unit ssh.service; sshd.service is an alias there and the primary name on most other distributions):
sudo systemctl restart ssh.service
### Check the package version again and confirm the daemon restarted with it
dpkg -s openssh-server | grep '^Version'
sudo systemctl status ssh.service
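The version ranges above are easy to misread by hand (8.9p1 is affected, 8.4p1 is not, 4.4p1 is the first safe release of the old branch). The script below is an added example, not part of the original post or the OpenSSH project: it parses a version string and classifies it against those ranges. It goes slightly beyond the page by accepting an `ssh -V` line, a bare package version, or a server banner such as `SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5`. It judges only the upstream number, so on Debian and Ubuntu it also greps the package changelog for the CVE id to spot a backported fix; the changelog path is the standard dpkg location and is an assumption for other distributions.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSSH project): classify an
# OpenSSH version string against the affected ranges for CVE-2024-6387.
# Works on "ssh -V" output, a package version, or a server banner. It only judges
# the upstream version: a distribution backport keeps the same number, so the
# result is an input to, not a replacement for, checking the package changelog.

# Turn "OpenSSH_9.6p1 ..." into a sortable integer: major*10000 + minor*100 + p-level.
# Echoes 0 and returns 1 if the string does not look like a version.
ssh_version_key() {
    v=${1%% *}              # first whitespace-separated token
    v=${v#*OpenSSH_}        # drop "SSH-2.0-OpenSSH_" / "OpenSSH_" if present
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%p*}
    if [ "$rest" = "$minor" ]; then plevel=0; else plevel=${rest#*p}; fi
    minor=$(printf '%s' "$minor" | sed 's/[^0-9].*//')    # "6," -> "6"
    plevel=$(printf '%s' "$plevel" | sed 's/[^0-9].*//')  # "1," -> "1"
    case $major$minor in ''|*[!0-9]*) echo 0; return 1 ;; esac
    [ -n "$plevel" ] || plevel=0
    echo $((major * 10000 + minor * 100 + plevel))
}

# Map a version to its status with respect to CVE-2024-6387 (upstream view):
#   < 4.4p1            vulnerable unless patched for CVE-2006-5051
#   4.4p1 .. 8.4p1     not affected
#   8.5p1 .. < 9.8p1   vulnerable
#   >= 9.8p1           fixed
regresshion_status() {
    key=$(ssh_version_key "$1") || { echo "unparseable"; return 1; }
    if   [ "$key" -lt 40401 ]; then echo "vulnerable-unless-patched-for-CVE-2006-5051"
    elif [ "$key" -lt 80501 ]; then echo "not-affected"
    elif [ "$key" -lt 90801 ]; then echo "vulnerable-upstream"
    else                             echo "fixed"
    fi
}

# On Debian/Ubuntu a backported fix is recorded in the package changelog, so
# look for the CVE id there rather than trusting the upstream number.
# (Assumed path: the standard dpkg doc location; minimal images may strip it.)
debian_changelog_mentions_fix() {
    zcat /usr/share/doc/openssh-server/changelog.Debian.gz 2>/dev/null | grep -q 'CVE-2024-6387'
}

check_local_openssh() {
    banner=$(ssh -V 2>&1)   # ssh -V writes its version line to stderr
    echo "local: $banner -> $(regresshion_status "$banner")"
    if debian_changelog_mentions_fix; then
        echo "openssh-server changelog references CVE-2024-6387 (backported fix present)"
    fi
}

# Only run the local check where an ssh client exists.
if command -v ssh >/dev/null 2>&1; then check_local_openssh; fi
```

To triage a remote host from its banner, feed the first line the server sends (for example `nc -w 3 host 22 </dev/null | head -n 1`) to `regresshion_status`. A result of `vulnerable-upstream` on a Debian or Ubuntu host is a prompt to check the package revision, not a verdict, because the backported package still announces the old upstream version.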
- Set LoginGraceTime to 0: Until you can patch, set LoginGraceTime to 0 in your SSH configuration. The race exists only because the grace-period alarm fires; a value of 0 disables that timer, so the SIGALRM handler never runs and the vulnerable path is never reached. Merely lowering the value does not close the race. The trade-off is denial of service: with no timeout, unauthenticated connections are never reaped, so an attacker can hold open all MaxStartups slots and lock out legitimate logins. Treat it as a stopgap and revert it once the patched package is installed.
### As the root user, open the /etc/ssh/sshd_config file using a text editor.
sudo vim /etc/ssh/sshd_config
### Set the LoginGraceTime parameter to 0. sshd uses the first occurrence of a keyword, so edit the
### existing line (or uncomment the shipped "#LoginGraceTime 2m") rather than appending a second copy lower down.
### If the parameter does not exist, add it to the file with the same setting.
LoginGraceTime 0
### After making the changes, save the file and exit the text editor.
### Check the syntax before restarting, so a typo cannot take sshd down with it:
sudo sshd -t
### Apply the changes by restarting the SSH daemon (ssh.service on Debian/Ubuntu, sshd.service elsewhere):
sudo systemctl restart ssh.service
### Ensure that the running daemon picked up the value (sshd -T needs root to read the host keys):
sudo sshd -T | grep -i logingracetime
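Editing sshd_config by hand on a fleet is where mistakes creep in: a second `LoginGraceTime` line appended below the original is silently ignored because sshd honours the first occurrence, and a typo leaves the host without a working sshd after restart. The script below is an added example, not from the original post: it sets a directive idempotently, validates the file with `sshd -t`, restarts, and reads back the effective value. The file path is a parameter so the edit can be rehearsed on a scratch copy first; the live path and the `ssh.service`/`sshd.service` unit names are the Debian/Ubuntu defaults and are assumptions for other distributions.

```shell
#!/bin/sh
# Added example (not from the original post): set a directive in an sshd_config
# idempotently, then validate and restart. The file path is a parameter so the
# edit can be rehearsed on a scratch copy; the live path and unit names are the
# Debian/Ubuntu defaults and are assumptions for other distributions.

# Usage: set_sshd_directive FILE KEYWORD VALUE
# sshd honours the FIRST occurrence of a keyword, so the new value is written at
# the position of the first active or commented-out line that sets it, later
# duplicates are dropped, and the directive is appended if none exists.
# Assumes a global keyword (LoginGraceTime is not allowed inside Match blocks).
set_sshd_directive() {
    file=$1 keyword=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v kw="$keyword" -v val="$value" '
        BEGIN { lkw = tolower(kw); done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip indentation and one leading "#"
            split(line, f, /[ \t=]+/)           # keyword may be followed by space or "="
            if (tolower(f[1]) == lkw) {
                if (!done) { print kw " " val; done = 1 }
                next                            # drop the old line (and later duplicates)
            }
            print
        }
        END { if (!done) print kw " " val }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Apply to the live configuration with a backup and a syntax check first, so a
# typo cannot leave the host without a working sshd.
apply_login_grace_time_zero() {
    cfg=${1:-/etc/ssh/sshd_config}
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    set_sshd_directive "$cfg" LoginGraceTime 0
    if ! sshd -t -f "$cfg"; then
        echo "sshd rejected $cfg; restore the .bak copy before restarting" >&2
        return 1
    fi
    # Debian/Ubuntu call the unit ssh.service; most other distributions use sshd.service
    systemctl restart ssh.service 2>/dev/null || systemctl restart sshd.service
    # Confirm the running daemon's effective value (sshd -T needs root to read host keys).
    # A drop-in pulled in by an earlier Include line would show up here as a value other than 0.
    sshd -T | grep -i '^logingracetime'
}
```

Run `set_sshd_directive /tmp/sshd_config.copy LoginGraceTime 0` on a copy to see the rewrite before calling `apply_login_grace_time_zero` as root. On releases whose sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf` (Ubuntu 22.04 and later, Debian 12), a file in that directory containing `LoginGraceTime 0` wins over the main file because it is included first, which is a cleaner way to ship the stopgap and later remove it.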
- Limit SSH Access: Use network-based controls to limit SSH access to trusted IP addresses only. Firewalls and access control lists (ACLs) reduce the attack surface, and rate-limiting tools raise the cost of the thousands of connection attempts the exploit needs. Note that log-driven banning only helps if the filter matches the lines these attempts produce (grace-time timeouts rather than failed passwords), so check the sshd jail's filter before relying on it.
  - Fail2Ban
    - Automatically creates rules that alter the local firewall configuration to ban specific IPs after a certain number of unsuccessful login attempts. Digital Ocean has a good write-up on enabling this on Ubuntu specifically for SSH.
  - SSHGuard
    - Protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends.
  - UFW
    - The Uncomplicated Firewall, a front end to iptables/nftables included by default on Ubuntu. It can restrict incoming SSH connections to specific IP addresses or subnets.
- Monitor and Audit: Regularly monitor and audit SSH access logs for unusual activity. In particular, watch for repeated "Timeout before authentication for <ip> port <port>" messages from sshd: the exploit must let the grace timer expire thousands of times, so that line, concentrated on one source or spread across rotating addresses, is the most direct indicator. An intrusion detection system (IDS) can help identify and respond to potential exploitation attempts.
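The script below is an added detection example, not from the original post, run over a constructed sample log. Each regreSSHion attempt lets LoginGraceTime expire, and when the grace alarm fires sshd logs `Timeout before authentication for <ip> port <port>`, so the first function counts those lines per source address and flags anything over a threshold. Because the page notes attackers may rotate addresses over weeks, the second function counts the same lines per hour regardless of source. The hostname `bastion`, the threshold of 20, the sample addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the sample lines themselves are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): detection logic for the noise a
# regreSSHion attempt must generate. When the LoginGraceTime alarm fires, sshd
# logs "Timeout before authentication for <ip> port <port>"; thousands of those,
# from one address or spread across many, is the signal to alert on.
# Threshold, hostname and addresses in the sample are constructed assumptions.

# Usage: grace_timeout_offenders LOGFILE [THRESHOLD]
# Prints "count ip" for each source address with at least THRESHOLD timeouts (default 20).
grace_timeout_offenders() {
    awk -v thr="${2:-20}" '
        /sshd\[[0-9]+\]: Timeout before authentication for / {
            # the token after "for" is the client address
            for (i = 1; i <= NF; i++) if ($i == "for") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' "$1" | sort -rn
}

# Usage: grace_timeouts_per_hour LOGFILE
# Attackers rotating source addresses slip under a per-IP threshold, so also
# watch the aggregate rate: prints "count Mon DD HH" per hour, busiest first.
# Both syslog and journalctl short output start with "Mon DD HH:MM:SS".
grace_timeouts_per_hour() {
    awk '
        /sshd\[[0-9]+\]: Timeout before authentication for / {
            h[$1 " " $2 " " substr($3, 1, 2)]++
        }
        END { for (k in h) print h[k], k }
    ' "$1" | sort -rn
}

# Constructed sample: normal traffic, 2 stray timeouts from one host and 25 in
# one hour from another (the shape of an exploit run, shortened for the demo).
write_sample_auth_log() {
    {
        printf 'Jul  1 13:58:02 bastion sshd[2390]: Accepted publickey for alice from 198.51.100.7 port 40122 ssh2\n'
        printf 'Jul  1 13:59:40 bastion sshd[2391]: Timeout before authentication for 198.51.100.7 port 40130\n'
        printf 'Jul  1 14:00:05 bastion sshd[2392]: Timeout before authentication for 198.51.100.7 port 40131\n'
        i=0
        while [ "$i" -lt 25 ]; do
            printf 'Jul  1 14:%02d:11 bastion sshd[%d]: Timeout before authentication for 203.0.113.45 port %d\n' \
                "$i" $((2400 + i)) $((51000 + i))
            i=$((i + 1))
        done
        printf 'Jul  1 14:30:12 bastion sshd[2450]: Disconnected from user alice 198.51.100.7 port 40122\n'
    } > "$1"
}
```

On a live host, point the functions at `/var/log/auth.log`, or export the journal first with `journalctl -u ssh --since '7 days ago' > /tmp/ssh.log` (`-u sshd` on distributions that use that unit name). A handful of timeouts per day from real users is normal; a single address in the hundreds, or an hourly total that jumps while no single address stands out, is worth an alert even before the host is patched.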
Conclusion
CVE-2024-6387, or regreSSHion, is a stark reminder that old bugs can come back, and that continuous vigilance matters. By understanding the nature of this vulnerability, patching promptly, and layering the remaining mitigations while the patch rolls out, you can significantly reduce the risk of exploitation and protect your systems from potential attacks.