Elementrica
03Case Studies04References05Company06News07Contact
PLENDE

regreSSHion (CVE-2024-6387)

ElementricaElementrica6 min
regreSSHion (CVE-2024-6387)

regreSSHion (CVE-2024-6387) is a vulnerability in OpenSSH that allows unauthenticated remote code execution with root privileges. In plain terms, an attacker with no account at all can, in the worst case, take full control of the server. OpenSSH is one of the most widely used remote-access services on Linux servers, so the potential scope is enormous. Here is what the flaw is, who it affects, and what to actually do about it.

What regreSSHion is

On July 1, 2024, the Qualys Threat Research Unit disclosed a flaw in OpenSSH, tracked as CVE-2024-6387. It is a race condition in how the sshd server handles signals.

Here is the twist: this is an old bug come back. The same flaw existed years ago (CVE-2006-5051), got patched, and then a mistake during a later code change brought it back in versions released from October 2020 on. That is where the name regreSSHion comes from, a regression.

What it means for the business: an unauthenticated attacker on the network can, with enough effort, gain root on the server. That means access to your data, the ability to install malware, and a foothold to stay in the system.

Key terms in brief

  • OpenSSH. An open-source package for encrypted, remote access to servers. On Linux it is the standard way to log in and manage machines.
  • root. The most privileged user on a Linux system. Full, unrestricted access.
  • RCE (remote code execution). A critical class of flaw that lets an attacker run their own code on someone else's machine over the network.

How the flaw works

The bug is in signal handling. When a client fails to authenticate within the window set by LoginGraceTime (120 seconds by default), a signal handler fires asynchronously and calls operations that are unsafe in that context.

Exploiting it takes very precise timing, which makes the attack hard. In tests on a 32-bit system it took about 10,000 attempts on average to succeed. Work on an exploit for 64-bit systems was still in progress.

Who it affects, and who it does not

The vulnerability affects specific versions of OpenSSH on glibc-based Linux systems. It does not affect Windows.

  • OpenSSH below 4.4p1 is vulnerable,
  • 4.4p1 through 8.5p1 is not vulnerable,
  • 8.5p1 through 9.8p1 is vulnerable again.

One caveat: the version number is not the whole story. Distributions often ship patches without bumping the version number, so a version that looks vulnerable may already be fixed. Check the patch status with your system vendor. You can print your OpenSSH version with ssh -V.

What to actually do

Priority: update OpenSSH to the latest or a patched version. That is the most effective fix.

If you cannot update right away, a temporary workaround is to set LoginGraceTime to 0 in the sshd configuration. That neutralizes regreSSHion, but it exposes the server to a denial-of-service (DoS) attack, so treat it as a stopgap.

On top of that, general SSH hardening:

  • restrict SSH access with a firewall, to trusted IP addresses only,
  • isolate SSH servers in separate network segments,
  • disable root login over SSH and use keys instead of passwords,
  • monitor SSH logs for suspicious activity.

These steps raise your overall security, but they do not replace the update. Without the patch, the flaw stays open.

What this comes down to

  • regreSSHion is an RCE-class flaw in OpenSSH, dangerous because it grants root without authentication,
  • it affects select versions on Linux and does not affect Windows,
  • the attack is technically hard, but the potential impact is serious enough that you should not brush it off,
  • the core action is to update OpenSSH.

Not sure which of your servers are exposed and vulnerable? Book a free consultation. We will map your attack surface and show you where to start.

Not sure which servers are vulnerable?

Book a free consultation and we will map your attack surface and show you what to patch first.

Previous
NIS2 and penetration testing: what changes for your company
Next
A short introduction to ICS and OT security