
CVE-2024-6387: Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems


dips
  • Veeam Legend
  • 808 comments

Hi All, 

Apologies for the quietness in here recently. I have been on some travels. 

Anyway, there is a new vulnerability dubbed ‘RegreSSHion’ which has a CVSS score of 8.1.

The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems; that presents a significant security risk. This race condition affects sshd in its default configuration.

Link:

Still trying to get my head around this one, but my understanding is that it is an RCE leading to root privileges, which, needless to say, is quite bad.


3 comments

Stabz
  • On the path to Greatness
  • 353 comments
  • July 2, 2024

Thanks for the share @dips.

It specifies that versions 8.5p1 to 9.7p1 are confirmed to be vulnerable on 32-bit Linux systems with glibc and ASLR enabled. However, it is noted that exploitation requires between six and eight hours of continuous connections. Additionally, it is speculated that these attacks could be optimized to be faster, especially when ASLR is disabled.

The publisher adds that exploitation on 64-bit systems or systems without glibc seems possible but has not been demonstrated. This vulnerability was discovered by Qualys researchers. They also advise checking for the presence of numerous ‘Timeout before authentication’ lines in logs to detect potential exploitation attempts.

As of July 1, 2024, some Linux distributions have provided patches for vulnerable versions (see the Documentation section). While waiting for patches to become available, Qualys recommends modifying the LoginGraceTime value to 0 in the configuration file. This workaround prevents remote arbitrary code execution but makes the machine vulnerable to remote denial-of-service attacks.

Affected systems:

  • OpenSSH versions 8.5p1 to 9.7p1 prior to 9.8 and 9.8p1
  • OpenSSH version 4.4p1

Solution: OpenSSH versions 9.8 and 9.8p1
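An added example, not part of the post above or of Qualys' advisory: a small Python helper that implements the two defender-side checks mentioned in the post. It counts "Timeout before authentication" lines per source address in sshd log output (the log lines below are constructed samples, and the threshold is an assumed tuning knob), and it reads the effective LoginGraceTime from sshd_config text so you can confirm the workaround is actually applied.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (syslog/journal format), not from a real host.
SAMPLE_LOG = """\
Jul  1 03:12:01 host sshd[2101]: Timeout before authentication for 203.0.113.7 port 50122
Jul  1 03:12:02 host sshd[2104]: Accepted publickey for alice from 198.51.100.5 port 51000 ssh2
Jul  1 03:14:11 host sshd[2110]: Timeout before authentication for 203.0.113.7 port 50130
Jul  1 03:16:20 host sshd[2118]: Timeout before authentication for 203.0.113.7 port 50141
Jul  1 03:18:32 host sshd[2125]: Timeout before authentication for 203.0.113.7 port 50155
Jul  1 03:20:40 host sshd[2133]: Timeout before authentication for 192.0.2.9 port 40010
"""

# sshd logs this exact message when LoginGraceTime expires before authentication.
TIMEOUT_RE = re.compile(r"sshd\[\d+\]: Timeout before authentication for (\S+) port \d+")


def count_timeouts(log_text):
    """Count 'Timeout before authentication' events per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = TIMEOUT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def suspicious_sources(log_text, threshold=3):
    """Addresses with at least `threshold` timeouts, most frequent first.

    The threshold is an assumed starting point; tune it to your baseline,
    since a handful of timeouts from scanners is normal on an exposed host."""
    counts = count_timeouts(log_text)
    return [(addr, n) for addr, n in counts.most_common() if n >= threshold]


def effective_login_grace_time(sshd_config_text):
    """Return LoginGraceTime in seconds from sshd_config text.

    Commented lines are ignored; if the directive is absent, the OpenSSH
    default of 120 seconds applies. Only plain-second values and the
    'Ns'/'Nm' forms are handled here (an assumption of this helper)."""
    for line in sshd_config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0].lower() == "logingracetime" and len(parts) == 2:
            value = parts[1].strip().lower()
            if value.endswith("m"):
                return int(value[:-1]) * 60
            return int(value.rstrip("s"))
    return 120
```

A host showing `effective_login_grace_time(...) == 0` has the workaround in place but, as the post notes, is then exposed to connection-slot exhaustion rather than code execution; patching to 9.8p1 remains the fix.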


coolsport00
  • Veeam Legend
  • 4133 comments
  • July 2, 2024

Thanks for sharing @dips ... saw this yesterday.

So, it appears 64-bit is mostly unaffected (no known attacks against it to this point)?


dips
  • Author
  • Veeam Legend
  • 808 comments
  • July 22, 2024
coolsport00 wrote:

Thanks for sharing @dips ... saw this yesterday.

So, it appears 64-bit is mostly unaffected (no known attacks against it to this point)?

Welcome! :)

That’s right. Nothing so far from what I have heard on the grapevine. It’s quite noisy, which is probably why there is not much interest from the bad guys, yet!

