July 10, 2024

OpenSSH RegreSSHion Vulnerability (CVE-2024-6387): Exploitation and Mitigation Measures

About the Vulnerability

On July 1, 2024, a significant security vulnerability was discovered in OpenSSH, specifically impacting glibc-based Linux systems. This flaw, identified as CVE-2024-6387, poses a critical risk as it allows for unauthenticated remote code execution (RCE) with root privileges. The vulnerability stems from a signal handler race condition within the OpenSSH server component (sshd), which is responsible for accepting connections from client applications.

In-depth security analysis has revealed that this flaw is essentially a regression of the previously patched CVE-2006-5051 vulnerability, which was addressed 18 years ago. Unfortunately, it was inadvertently reintroduced with the release of OpenSSH version 8.5p1 in October 2020. This recent discovery serves as a stark reminder of the critical importance of comprehensive regression testing to prevent the reoccurrence of previously resolved vulnerabilities.

Impact of CVE-2024-6387

CVE-2024-6387 carries significant implications with severe consequences. Once successfully exploited, it results in complete system compromise, granting attackers unrestricted access to execute any code with the highest level of privileges. This allows them to deploy malware, extract sensitive data, and establish persistent backdoors for future exploitation.

Researchers have observed that exploiting this vulnerability usually requires multiple attempts. In laboratory conditions, the attack took an average of 6-8 hours of continuous connection attempts on 32-bit systems with Address Space Layout Randomization (ASLR) enabled. This highlights the persistence and effort required by attackers to exploit the vulnerability successfully.

Recommended Actions

To address the critical nature of CVE-2024-6387, it is essential to take immediate action in order to mitigate the associated risks. Here are steps to secure your systems:

Apply Patches: Update OpenSSH to the latest version that includes the necessary patches to address CVE-2024-6387. 

Limit SSH Access: Implement network-based controls to restrict SSH access and enforce segmentation to reduce the potential attack surface.

Configure LoginGraceTime: As a temporary measure, set the LoginGraceTime parameter to 0 in the SSH server configuration. This setting reduces the time available for an attacker to exploit the vulnerability. However, it's important to note that this also exposes the system to denial of service attacks, as it may lead to the exhaustion of allowed connections. Therefore, it is advisable to use this approach in conjunction with other measures to limit SSH access.

Affected Versions:

  • OpenSSH earlier than 4.4p1
  • OpenSSH between 8.5p1 and 9.7p1

Fixed Versions:

  • 1:8.4p1-5+deb11u3
  • 1:9.2p1-2+deb12u3

Nexusguard and Customers unaffected by CVE-2024-6387

Through vigilant monitoring, we have determined that our products remain unaffected by CVE-2024-6387. Our advanced solutions incorporate robust network-based controls that effectively limit SSH access and enforce segmentation, significantly reducing the exposure to potential attack vectors.

With peace of mind as the cornerstone of our service, Nexusguard customers can rest assured that we conduct regular security assessments and rigorous testing, staying at the forefront of emerging threats and promptly addressing any vulnerabilities highlighted in security advisories.

Measures to Safeguard Your Organization

In the event that you suspect being affected by this vulnerability, it is crucial to seek specialized assistance promptly.

Nexusguard stands as a leading provider of robust distributed denial of service (DDoS) security solutions, committed to countering malicious Internet attacks. Our extensive range of services offers unmatched defense against a wide range of attacks spanning L3-L4 and L7 layers. With our comprehensive protection, including proactive measures against potential zero-day attacks, we ensure optimal efficiency and effectiveness in safeguarding your valuable digital assets.

For further details on Nexusguard’s suite of flexible anti-DDoS solutions, please click here or reach out to us via our emergency contact form.

Nexusguard provides comprehensive and reliable security solutions that instill complete confidence in the protection of your network and applications. Through our stringent security hardening measures and rigorous inspections, we effectively eliminate the risk of high-security vulnerabilities, ensuring your assets are safeguarded with the highest level of protection.

Get the latest cybersecurity news and expert insights direct to your inbox

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.