Full Report
Detect and mitigate CVE-2024-6387 (regreSSHion), an unauthenticated remote code execution vulnerability in the OpenSSH server (sshd). Organizations are advised to patch urgently.
Analysis Summary
# Vulnerability: OpenSSH Server (sshd) RCE via Signal Handler Race Condition (regreSSHion)
## CVE Details
- CVE ID: CVE-2024-6387
- CVSS Score: 8.1 (High), CVSS v3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H as scored by NVD. The high attack complexity reflects the race condition that must be won, not any authentication requirement: the attacker needs no credentials.
- CWE: CWE-364 (Signal Handler Race Condition)
## Affected Systems
- Products: OpenSSH server (sshd), portable releases on glibc-based Linux
- Versions:
  - OpenSSH earlier than `4.4p1`, unless the fix for CVE-2006-5051 was backported
  - OpenSSH `8.5p1` up to and including `9.7p1`; fixed in `9.8p1`
  - `4.4p1` through `8.4p1` are not affected
- Configurations: The default configuration is affected (`LoginGraceTime 120`, `MaxStartups 10:30:100`). Exploitation has been demonstrated on 32-bit glibc-based Linux with ASLR; 64-bit systems are believed exploitable, but no working exploit had been demonstrated at disclosure. OpenBSD is not affected because its SIGALRM handler calls the async-signal-safe `syslog_r()`. Distributions that backport the fix keep the upstream version string, so a banner in the vulnerable range is not by itself proof of exposure.
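Because the banner alone cannot distinguish a backported fix from a vulnerable build, a version check needs two steps: classify the upstream version, then compare the installed package against the distribution's fixed version. The following is an added example (not code from the advisory or from OpenSSH) that does both for the ranges and Ubuntu package versions listed on this page. The dpkg comparison is a re-implementation of dpkg's ordering rules written for this example; the banners and package versions in `__main__` are constructed inputs.

```python
"""Classify OpenSSH builds against the CVE-2024-6387 affected ranges."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Matches "OpenSSH_9.6p1" in an SSH banner ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3")
# or in `ssh -V` output. "pN" is the portable release number.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Fixed Ubuntu package versions from the advisory, keyed by release.
UBUNTU_FIXED = {
    "22.04": "1:8.9p1-3ubuntu0.10",
    "23.10": "1:9.3p1-1ubuntu3.6",
    "24.04": "1:9.6p1-3ubuntu13.3",
}

def parse_openssh_version(text: str) -> Optional[Version]:
    """Return (major, minor, portable) or None if this is not an OpenSSH banner."""
    m = BANNER_RE.search(text)
    if m is None:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))

def upstream_vulnerable(v: Version) -> bool:
    """Affected upstream ranges: < 4.4p1 (the original CVE-2006-5051 bug) and
    8.5p1 <= v < 9.8p1 (the regression). 4.4p1 through 8.4p1 are not affected."""
    return v < (4, 4, 1) or (8, 5, 1) <= v < (9, 8, 1)

def assess_banner(banner: str) -> str:
    """'not_openssh', 'not_affected' or 'vulnerable_upstream'. The last means the
    upstream range is vulnerable; distro backports keep the banner, so confirm
    with the package version before reporting exposure."""
    v = parse_openssh_version(banner)
    if v is None:
        return "not_openssh"
    return "vulnerable_upstream" if upstream_vulnerable(v) else "not_affected"

def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before everything, digits are handled
    separately, letters sort before punctuation."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Compare upstream or revision strings like dpkg: alternating runs of
    non-digits (by _order) and digits (numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def dpkg_compare(v1: str, v2: str) -> int:
    """-1, 0 or 1 like `dpkg --compare-versions` for [epoch:]upstream[-revision]."""
    def split(v: str):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def ubuntu_package_patched(release: str, installed: str) -> Optional[bool]:
    """True/False for releases listed in the advisory, None for others.
    `installed` is the output of `dpkg-query -W -f='${Version}' openssh-server`."""
    fixed = UBUNTU_FIXED.get(release)
    if fixed is None:
        return None
    return dpkg_compare(installed, fixed) >= 0

if __name__ == "__main__":
    # Constructed inputs for illustration.
    for banner in ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3", "SSH-2.0-OpenSSH_9.8p1",
                   "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3"):
        print(banner, "->", assess_banner(banner))
    print("24.04 / 1:9.6p1-3ubuntu13.3 patched:", ubuntu_package_patched("24.04", "1:9.6p1-3ubuntu13.3"))
```

The first banner above is exactly what a patched Ubuntu 24.04 host still advertises, which is why `assess_banner()` reports it as `vulnerable_upstream` and the package comparison is needed to close the question. On RPM-based distributions the same two-step logic applies, but against `rpm -q openssh-server` and the vendor's fixed NEVRA rather than the Ubuntu table.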
## Vulnerability Description
CVE-2024-6387 is a signal handler race condition in the OpenSSH server (sshd) that is reachable in the default configuration. When an unauthenticated client has not completed authentication within `LoginGraceTime` (default 120 seconds), sshd's SIGALRM handler (`grace_alarm_handler()`) runs asynchronously and calls `sigdie()`, which logs the timeout through `syslog()`. `syslog()` is not async-signal-safe: on glibc-based Linux it can call heap functions such as `malloc()` and `free()`. If the alarm fires while the interrupted main code path is itself inside a heap function (for example while processing the client's authentication request), the handler's own allocations run on a heap that is in an inconsistent state and corrupt it. An attacker who times the connection so that the timeout lands in such a window, and repeats the attempt across many connections until the race is won, can turn the corruption into arbitrary code execution with the privileges of the `sshd` process (root). The bug is a regression of CVE-2006-5051, which was fixed in 4.4p1 in 2006; the fix was lost in October 2020 (shipped in 8.5p1) when the `#ifdef DO_LOG_SAFE_IN_SIGHAND` guard was accidentally removed from `sigdie()`. OpenBSD is unaffected because its handler uses the async-signal-safe `syslog_r()`.
## Exploitation
- Status: PoC available; Qualys demonstrated a working exploit against 32-bit glibc Linux. Not known to be exploited in the wild as of July 1st, 2024.
- Complexity: High. On 32-bit glibc Linux with ASLR, Qualys report roughly 10,000 connections on average to win the race; at 100 concurrent connections per 120-second `LoginGraceTime` window that is about 3 to 4 hours to win the race and 6 to 8 hours to obtain a root shell. The exploit is distribution-specific, depending on the target's glibc version (heap structure layouts) and ASLR behaviour, so the attacker must first fingerprint the target. 64-bit targets are believed exploitable but require additional work.
- Attack Vector: Network (unauthenticated, remote; any reachable sshd listener)
## Impact
- Confidentiality: High (Ability to execute commands as root can lead to full system compromise)
- Integrity: High (Ability to execute commands as root can lead to system modification)
- Availability: High (Ability to execute commands as root can lead to service disruption or system destruction)
## Remediation
### Patches
- Upgrade to OpenSSH `9.8p1` or later, or to a distribution package that backports the fix.
- Ubuntu fixed package versions:
  - 22.04 (Jammy): `1:8.9p1-3ubuntu0.10`
  - 23.10 (Mantic): `1:9.3p1-1ubuntu3.6`
  - 24.04 (Noble): `1:9.6p1-3ubuntu13.3`
- Verify with the package manager (`dpkg -s openssh-server`, `rpm -q openssh-server`) rather than the SSH banner: a backported fix leaves the banner at the upstream version (for example `OpenSSH_9.6p1` on patched Ubuntu 24.04).
### Workarounds
- If patching is not immediately possible, set `LoginGraceTime 0` in `sshd_config` and reload sshd. This disables the grace timeout, so the vulnerable SIGALRM handler is never invoked. The trade-off is denial of service: unauthenticated connections are never reaped, so an attacker can fill the `MaxStartups` slots and block new logins until the administrator intervenes.
- Restrict direct public exposure of OpenSSH servers (network ACLs, VPN or bastion access, source allow-listing).
- Implement brute-force prevention and detection, since an exploitation attempt looks like thousands of short unauthenticated connections from one source over several hours. Note that the exploit never submits a password or key, so tooling keyed on `Failed password` lines will not see it; key it on the `Timeout before authentication` lines instead.
## Detection
- Indicators of compromise: Every connection the exploit sacrifices to the timeout leaves a `sshd[...]: fatal: Timeout before authentication for <ip> port <port>` line in the auth log, so a single source producing many such lines (on the order of 100 per two-minute window) for hours, with no password or key attempts, is the signature to hunt for. Unusual child processes spawned by sshd, or sshd children crashing (a race attempt that corrupts the heap without succeeding typically crashes that child), warrant investigation.
- Detection methods and tools: Check installed package versions against distribution fixes rather than relying on the banner alone, and use security platforms (like Wiz) with pre-built queries to find installations in the vulnerable version ranges, prioritizing public-facing infrastructure.
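The log-based indicator above can be turned into a simple hunt: count `Timeout before authentication` lines per source address in a sliding window and flag sources that exceed a rate no legitimate client produces. The following is an added example (not code from the advisory, from Wiz or from OpenSSH). The log lines it runs over are constructed for the example; the message format is the one sshd's SIGALRM handler emits, with classic syslog timestamps, and the hostname `bastion`, the addresses and the `window`/`threshold` values are assumptions to tune for your environment.

```python
"""Hunt for regreSSHion-style activity in sshd logs: bursts of LoginGraceTime
expiries from one source with no authentication attempts in between."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Iterator, List, Tuple

# The line sshd's SIGALRM handler logs when LoginGraceTime expires. An exploit
# attempt burns one connection per race try, so these accumulate by the hundred.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"fatal: Timeout before authentication for (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)

def parse_timeouts(lines: Iterable[str], year: int = 2024) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, source_ip) for every grace-timeout line. Traditional
    syslog timestamps omit the year, so the caller supplies it."""
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def flag_sources(events: Iterable[Tuple[datetime, str]],
                 window: timedelta = timedelta(minutes=10),
                 threshold: int = 50) -> Dict[str, int]:
    """Sliding-window count per source; return {ip: peak_count} for sources whose
    timeouts within any `window` reached `threshold`. A legitimate client rarely
    times out twice; the exploit needs on the order of 100 per 120 s for hours."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop entries that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def make_sample_log() -> List[str]:
    """Constructed auth.log lines (not from a real incident)."""
    base = datetime(2024, 7, 1, 3, 0, 0)

    def stamp(t: datetime) -> str:
        return f"{t:%b %d %H:%M:%S} bastion"

    lines = []
    # One exploitation round: 100 parallel connections (the MaxStartups ceiling)
    # opened together, all expiring ~120 s later within a few seconds of each other.
    for i in range(100):
        t = base + timedelta(seconds=i % 5)
        lines.append(f"{stamp(t)} sshd[{4000 + i}]: fatal: Timeout before "
                     f"authentication for 203.0.113.5 port {40000 + i}")
    # Benign noise: a monitoring probe that opened TCP/22 and never spoke SSH,
    # and a normal key-based login.
    lines.append(f"{stamp(base + timedelta(minutes=3))} sshd[5001]: fatal: Timeout "
                 "before authentication for 198.51.100.7 port 51000")
    lines.append(f"{stamp(base + timedelta(minutes=4))} sshd[5002]: Accepted "
                 "publickey for deploy from 198.51.100.20 port 51234 ssh2")
    return lines

if __name__ == "__main__":
    for ip, n in flag_sources(parse_timeouts(make_sample_log())).items():
        print(f"{ip}: {n} grace timeouts inside one 10-minute window")
```

On a real host feed `parse_timeouts()` the lines of `/var/log/auth.log` (or `journalctl -u ssh` output, whose default timestamps use the same format). The threshold is deliberately far above anything a misbehaving client produces but well below one exploitation round, so a hit is worth an immediate block of the source and a check of the host for the post-exploitation signs listed above.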
## References
- Qualys blog: hxxps://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
- Qualys deep-dive: hxxps://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
- OpenSSH advisory: hxxps://www.openssh.com/txt/release-9.8