
How to Respond: OpenSSH Vulnerability CVE-2024-6387 | Cybersecurity

OpenSSH server is currently exposed to a dangerous vulnerability that, if exploited, could grant cybercriminals full system access without user interaction. This post provides an overview of CVE-2024-6387 and suggests remediation responses to mitigate its impact.

What is CVE-2024-6387?

CVE-2024-6387 is a vulnerability in OpenSSH servers (sshd) in 32-bit Linux/glibc systems. If exploited, the vulnerability facilitates Remote Code Execution with full root privileges, classifying it as a high-severity exposure (CVSS 8.1).

CVE-2024-6387 (discovered on 1 July 2024) is not an entirely new exposure. It is a regression of a previously patched vulnerability, CVE-2006-5051, first discovered in 2006 (hence the codename regreSSHion).

At the heart of this issue is a signal-handler race condition vulnerability within the sshd process of OpenSSH servers, which facilitates code execution on impacted systems with the highest level of system privileges, root privileges.

A race condition is triggered when system operations occur out of order, disrupting a system's final end state.

In this instance, the race condition is triggered because the sshd process on glibc-based Linux systems uses syslog(), which asynchronously calls functions like malloc() and free() that manage memory allocation.

“Malloc() is not safe to call asynchronously (e.g. from signal handlers). Doing so results in a race-condition vulnerability making the malloc operation susceptible to interruption using SIGALRM, leaving the heap in an inconsistent exploitable state.”

Root privilege access is possible because sshd’s privileged code, by design, runs with full privileges by default instead of being sandboxed. This design decision increases the OpenSSH server process’s vulnerability to cyberattacks.

Exploitation of CVE-2024-6387 requires a cyber attack design of reasonable complexity, requiring hackers to force a high volume of race conditions for an unknown period of time to achieve RCE, which explains the current lack of PoC code for this vulnerability in the wild. That being said, exploitation is still a possibility, and all impacted SSH servers must be updated immediately.

Which OpenSSH versions are impacted?

OpenBSD-based servers are not impacted by the OpenSSH regreSSHion vulnerability.

Responding to CVE-2024-6387

The immediate course of action is to update impacted SSH servers to the latest version, 9.8p1 (see OpenSSH release notes).

To circumvent any version update delays, admins can force an immediate update by temporarily setting the login timeout to zero (LoginGraceTime=0 in sshd_config). Just keep in mind that this configuration could make SSH servers more vulnerable to DDoS attacks, so it should only be used as a temporary workaround if the risk is deemed acceptable. 
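An added example, not part of the original article: a shell function that reads sshd_config text on stdin and reports whether the LoginGraceTime workaround described above is in effect. It assumes sshd's default of 120 seconds, that sshd uses the first value it reads for a keyword, and that Include files are not followed; the function name and status strings are illustrative.

```sh
#!/bin/sh
# Added example (not from the original article). Reads sshd_config text on
# stdin and prints the LoginGraceTime state relevant to the workaround.
# Assumptions: Include files are not followed; sshd's default is 120 seconds.

login_grace_status() {
    awk '
    # Convert sshd time formats ("90", "2m", "1h30m") to seconds; -1 if invalid.
    function secs(v,    i, c, num, total, mult, unit) {
        if (v == "") return -1
        split("1 60 3600 86400 604800", unit, " ")
        total = 0; num = ""
        for (i = 1; i <= length(v); i++) {
            c = tolower(substr(v, i, 1))
            if (c ~ /[0-9]/) { num = num c; continue }
            mult = index("smhdw", c)               # s, m, h, d, w qualifiers
            if (mult == 0 || num == "") return -1
            total += num * unit[mult]; num = ""
        }
        return (num == "") ? total : total + num
    }
    /^[ \t]*(#|$)/ { next }                        # comments and blank lines
    tolower($1) == "match" { exit }                # global section ends here
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        sub(/[ \t]*=[ \t]*/, " ", line)            # accept "Keyword=value"
        split(line, f, /[ \t]+/)
        if (tolower(f[1]) == "logingracetime") {   # first occurrence wins
            gsub(/"/, "", f[2]); value = f[2]; found = 1; exit
        }
    }
    END {
        if (!found) { print "default timer=120s"; exit }
        s = secs(value)
        if (s < 0)       print "invalid value=" value
        else if (s == 0) print "workaround-active timer=disabled"
        else             print "timer=" s "s"
    }'
}
```

On a live host, `sshd -T | login_grace_status` checks the effective configuration, including any Include files.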

Additional risk mitigation steps include:

- Segregating internal networks to disrupt unauthorized access attempts to sensitive regions.
- Implementing triggers and monitoring solutions for suspicious internal activities.
- Configuring your firewall to limit SSH access to certain IP addresses.

How to detect CVE-2024-6387

With UpGuard BreachSight, you can identify whether your internal IT infrastructure is impacted by searching for CVE-2024-6387 in the detected vulnerabilities feed.

CVE-2024-6387 detection within the vulnerabilities module in UpGuard BreachSight.

To determine which of your third-party vendors are impacted by CVE-2024-6387, search for it in the Portfolio Risk Profile within UpGuard Vendor Risk.

Third-party vendors impacted by CVE-2024-21410 are automatically flagged in UpGuard Vendor Risk

Each detected instance of exposure to the OpenSSH regreSSHion can then instantly be progressed through remediation and risk management workflows natively integrated into UpGuard to form an all-in-one Vendor Risk Management solution.
