Vulnerability Alert: CVE-2024-6387, dubbed regreSSHion, has been discovered in OpenSSH.


written by
Eran Segal
published on
July 2, 2024
topic
Vulnerabilities

A critical security vulnerability has been discovered in OpenSSH. The flaw has been assigned CVE-2024-6387 and dubbed "regreSSHion."

This vulnerability could allow unauthenticated remote attackers to execute arbitrary code with root privileges on vulnerable Linux systems with default configurations. It is estimated that there are 14 million vulnerable internet-exposed servers.

The root cause of this vulnerability is a complex race condition in sshd.

Key details about the regreSSHion vulnerability

  • The vulnerability impacts OpenSSH server versions ranging from 8.5p1 up to, but not including, 9.7p1 on glibc-based systems. Additionally, versions earlier than 4.4p1 are also affected, unless they have been patched for related vulnerabilities.
  • No indications of exploitation in the wild
  • Exploitation can take 6-8 hours on 32-bit systems. On 64-bit systems, it is estimated to take much longer.

RegreSSHion vulnerability background

The vulnerability is a regression of a previously patched 18-year-old flaw (CVE-2006-5051) that was accidentally reintroduced in OpenSSH 8.5p1 in October 2020.

The vulnerability is a signal handler race condition that occurs in the server component (sshd). Specifically, the flaw arises when the SIGALRM handler is triggered due to an authentication timeout (controlled by the LoginGraceTime setting). The handler calls functions that are not async-signal-safe, such as “syslog()”, which can lead to an inconsistent state of the heap.

Researchers have demonstrated successful exploitation on 32-bit Linux/glibc systems with ASLR enabled, typically requiring 6-8 hours of continuous connection attempts. On 64-bit systems, it is estimated to take much longer.

The attack leverages the fact that certain memory allocations and deallocations occur during the signal handler execution, allowing an attacker to corrupt heap structures and ultimately gain control of the execution flow. While the vulnerability is present in the default configuration of affected OpenSSH versions, its exploitation is challenging due to the precise timing required and the need to overcome various security mitigations present in modern systems.
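To make the mechanism described above concrete, here is an added example that is not OpenSSH's code: a small C program contrasting a SIGALRM handler that does real work inside the handler (the shape of the defect the post describes, with syslog() and heap calls in signal context) against one that only sets a `volatile sig_atomic_t` flag and leaves logging and cleanup to the main loop. The names `unsafe_grace_alarm_handler`, `safe_grace_alarm_handler`, `install_safe_grace_handler` and `run_auth_loop_with_timeout` are this example's own, and `raise(SIGALRM)` stands in for the alarm that LoginGraceTime would arm in a real daemon.

```c
/* Added example (not OpenSSH's code): async-signal-safe vs unsafe
 * handling of a login-grace timeout, modelled on the pattern the post
 * describes for sshd's SIGALRM handler. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* UNSAFE pattern (the shape of the defect): the handler does real work.
 * syslog(), malloc()/free() and exit() are not async-signal-safe; if the
 * alarm interrupts code that holds malloc's lock or is mid-way through
 * updating heap metadata, the heap is left inconsistent.  Shown only for
 * contrast; it is never installed below. */
void unsafe_grace_alarm_handler(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication"); /* not async-signal-safe */
    free(malloc(64));                                   /* heap use in handler: unsafe */
    exit(1);                                            /* runs atexit handlers: unsafe */
}

/* SAFE pattern: the handler only records that the alarm fired, in a type
 * the C standard guarantees can be written atomically from a handler.
 * Logging, freeing the session and closing the connection all happen
 * later, in normal program context, where the heap is consistent. */
static volatile sig_atomic_t grace_expired = 0;

static void safe_grace_alarm_handler(int sig)
{
    (void)sig;
    grace_expired = 1; /* the only thing a handler should do */
}

/* Installs the safe handler; returns 0 on success, -1 on failure. */
int install_safe_grace_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_grace_alarm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Simulated authentication loop.  Each iteration is one unit of work on a
 * heap-allocated session; the alarm fires at fire_at_step (constructed
 * input standing in for alarm(LoginGraceTime) expiring).  Returns the step
 * at which the timeout was handled, or -1 if it never fired. */
int run_auth_loop_with_timeout(int max_steps, int fire_at_step)
{
    if (install_safe_grace_handler() != 0)
        return -1;
    char *session = malloc(256); /* heap state the handler must never touch */
    if (session == NULL)
        return -1;
    for (int step = 0; step < max_steps; step++) {
        if (step == fire_at_step)
            raise(SIGALRM); /* handler runs here and only sets the flag */
        if (grace_expired) {
            grace_expired = 0;
            /* Normal context: safe to log, free and tear down. */
            free(session);
            return step;
        }
        strcpy(session, "pretend authentication work");
    }
    free(session);
    return -1;
}

int main(void)
{
    int step = run_auth_loop_with_timeout(10, 3);
    printf("grace timeout handled safely at step %d\n", step);
    return step == 3 ? 0 : 1;
}
```

The safe variant is why the post's temporary workaround behaves as it does: with LoginGraceTime set to 0 the alarm is never armed, so the handler never runs at all, but unauthenticated connections are then never timed out either, so that setting should be paired with connection limits until the package is patched.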

Remediation action for CVE-2024-6387 vulnerability:

  • Updating OpenSSH version to a patched version
  • Limiting SSH access through network controls
  • Setting LoginGraceTime to 0 in sshd_config (as a temporary workaround)

Am I affected by CVE-2024-6387?

Because the conditions required for this vulnerability and for its exploitation are complex, it is hard to determine accurately whether you are vulnerable, and where.

Inspecting this vulnerability using the Kodem runtime security platform will help you understand which applications in your environment are vulnerable and prioritize specific images and repos over others.

Kodem detects whether the vulnerable code is active at runtime. If the code is not active, the vulnerability has not been exercised and may not be reachable at all, for example because of endpoint or network configuration.


How Kodem protects applications against the regreSSHion vulnerability

Kodem's Runtime-Powered SAST scans your source code from the running application and pinpoints exactly where vulnerabilities exist in your code repositories, providing developers with comprehensive information to efficiently fix security issues at their source.


We can help protect you against regreSSHion (CVE-2024-6387)

Kodem's runtime security platform stands out in the competitive field of application security due to its emphasis on runtime intelligence, attack chain analysis, and simplification of remediation. We can scan your environment today to discover if you’re really affected by the “regreSSHion” vulnerability. 

Contact us with any questions and we’ll be in touch immediately!

References

https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
https://github.com/acrono/cve-2024-6387-poc

Blog written by

Eran Segal

Security Researcher
