Heimdal

Researchers revealed RegreSSHion, a signal handler race condition vulnerability that puts OpenSSH servers at risk. The flaw is tracked as CVE-2024-6387 and has a high-severity CVSS score of 8.1.

Hackers can exploit it to obtain unauthenticated remote code execution (RCE) with root privileges. According to security researchers, this is the first unauthenticated RCE flaw they’ve discovered in OpenSSH in nearly two decades.

Why call it RegreSSHion?

CVE-2024-6387 is a regression of CVE-2006-5051. That old vulnerability enabled hackers to launch a DoS attack and execute arbitrary code remotely in 2006.

CVE-2006-5051 was patched at the time, but the issue has now resurfaced in a more recent OpenSSH release. This is why researchers call CVE-2024-6387 a “regreSSHion” flaw.

According to BleepingComputer, here’s how CVE-2024-6387 works:

If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd’s SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe.

Source – bleepingcomputer.com

Who’s vulnerable to CVE-2024-6387?

Allegedly, macOS and Windows could also be vulnerable to the RegreSSHion flaw. However, researchers have not yet confirmed exploitability on these systems.

CVE-2024-6387, in its current and previous form, affects the following instances:

  • OpenSSH servers on Linux, from version 8.5p1 up to, but not including, 9.8p1
  • Versions prior to 4.4p1 that were not patched for CVE-2006-5051 and CVE-2008-4109

The new RegreSSHion flaw does not impact OpenSSH versions on Linux from 4.4p1 up to, but not including, 8.5p1, provided they were patched for CVE-2006-5051.
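For triage, the version ranges listed above can be applied to SSH banners or `sshd -V` output collected from an inventory. The following is an added example, not code from the article or from OpenSSH; the function names, result labels and sample banners are assumptions made for illustration.

```python
import re

# Boundaries from the article's list. All three are first portable (p1)
# releases, so comparing (major, minor, micro) suffices; the pN suffix is ignored.
FIXED_2006 = (4, 4, 0)   # 4.4p1
REGRESSED = (8, 5, 0)    # 8.5p1
FIXED_2024 = (9, 8, 0)   # 9.8p1

_VERSION = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, micro) from a banner or `sshd -V` line, else None."""
    m = _VERSION.search(banner)
    if m is None:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def classify(banner):
    """Map an upstream OpenSSH version onto the ranges the article lists."""
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown"                  # not an OpenSSH banner
    if version < FIXED_2006:
        return "affected-unless-patched"  # needs CVE-2006-5051 and CVE-2008-4109 fixes
    if version < REGRESSED:
        return "not-impacted-if-patched"  # needs the CVE-2006-5051 fix
    if version < FIXED_2024:
        return "affected"                 # 8.5p1 <= version < 9.8p1
    return "outside-affected-range"       # 9.8p1 and later


# Constructed sample banners (hypothetical, not captured from real hosts).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5",
    "SSH-2.0-OpenSSH_6.6.1p1",
    "SSH-2.0-OpenSSH_4.3p2",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{classify(banner):26} {banner}")
```

The banner carries only the upstream version string; distribution packages can include backported fixes without changing it, so an "affected" result should be confirmed against the vendor's advisory for the installed package.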

Mitigation measures

For now, there is no proof that hackers are already exploiting the new RegreSSHion flaw. However, due to its high severity score, we recommend taking preventive measures.


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
