Cybersecurity blog header

CVE-2024-6387: RegreSSHion, a high vulnerability that affects OpenSSH

CVE-2024-6387 vulnerability affects OpenSSH over Linux Servers

Information has been disclosed about a new high vulnerability (CVE-2024-6387) that affects OpenSSH over Linux Servers. RegreSSHion allows an unauthenticated attacker to obtain remote code execution (RCE)

OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.

Analyzing data from several sources such as Shodan or Censys it can be observed that there are more than 14M exposed OpenSSH instances that are potentially vulnerable to regreSSHion.

The vulnerability CVE-2024-6387, that affects default installation of OpenSSH, consists of exploiting a race condition in order to obtain Remote Code Execution. Even though a successful exploitation of regreSSHion has a critical impact (RCE as root user), this vulnerability severity is set as high due to the complexity of the attack as in order to achieve RCE it is necessary to perform a big number of tries during an uncertain but long time period.

RegreSSHion exploitation relies on the use of syslog by OpenSSH. Syslog uses different unsafe functions such as malloc or free. OpenBSD systems are not vulnerable as they rely on a safe version of syslog.

CVE-2024-6387 Key Features

The main characteristics of this vulnerability are detailed below:

  • CVE Identifier: CVE-2024-6387
  • Release Date: 01/07/2024
  • Affected Software: OpenSSH
  • CVSS Score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1 High)
  • Affected Versions:
    • Earlier versions than 4.4p1 (except those versions patched for CVE-2006-5051 and CVE-2008-4109).
    • Since version 8.5p1 to 9.8p1 (not included).

CVE-2024-6387 mitigation

It is urgent to prioritize updating SSH servers to version 9.8p1, as this version is not affected by regreSSHion. Nevertheless, it is also possible to mitigate the risk by limiting SSH access to internal network. It is also advised to divide networks to restrict unauthorized access and to deploy systems to monitor and alert on unusual activities indicative of exploitation attempts.

Detection of the vulnerability

The following script can be used to identify the vulnerability:

As part of its emerging vulnerabilities service, Tarlogic proactively monitors the perimeter of its clients to report, detect, and urgently notify of the presence of this vulnerability, as well as other critical threats that could have a serious impact on the security of their assets.