Qualys researchers discovered a high-severity signal handler race condition vulnerability (CVE-2024-6387) in OpenSSH's server software and disclosed it on July 1, 2024. Dubbed "regreSSHion," it affects glibc-based Linux systems running vulnerable OpenSSH versions, potentially allowing remote unauthenticated code execution with root privileges. This vulnerability is a resurgence of an older flaw (CVE-2006-5051) due to an unintentional re-introduction during patching processes.
Potential Impact
CVE-2024-6387 presents a high-severity threat, especially for internet-facing SSH, due to its potential for full system compromise, allowing unauthenticated attackers to execute arbitrary code and gain root access.
Per Qualys Threat Research Unit, “RegreSSHion” has the potential to affect over 14 million server instances exposed to the Internet. The vulnerability could lead to data breaches, malware installation, and persistent backdoors, making it a critical concern for affected systems.
Affected OpenSSH versions
- OpenSSH versions 8.5p1 (released March 2021) to 9.7p1
- OpenSSH versions earlier than 4.4p1 (unless patched for CVE-2006-5051 and CVE-2008-4109)
While no active exploits have been reported in the wild, the disclosure of a proof-of-concept increases the likelihood of future attacks, making prompt mitigation crucial.
Recommended Remediation Steps
- Identify all instances of CVE-2024-6387.
- Upgrade to the latest OpenSSH version 9.8, focusing on publicly exposed hosts first.
- Review and restrict SSH access in your firewall configuration.
- Implement network segmentation to isolate critical systems.
- Deploy and configure intrusion detection/prevention systems.
- Set LoginGraceTime 0 in sshd_config if immediate patching is not feasible.
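As an added illustration of the first and last remediation steps (not Axonius or OpenSSH code), the Python below classifies an sshd version string against the ranges listed above and reads the effective LoginGraceTime from sshd_config text. The function names and sample inputs are constructed for this example. It assumes the configuration uses no Include directives, and a version match still needs checking against the distribution's advisory, because vendors backport fixes without changing the upstream version.

```python
import re

# Ranges as listed on this page: 8.5p1 through 9.7p1 are affected; releases
# before 4.4p1 are affected unless patched for CVE-2006-5051 and CVE-2008-4109.
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(?:p\d+)?")
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def classify(banner):
    """Map an upstream version string to the page's affected ranges."""
    m = VERSION_RE.search(banner)
    if not m:
        return "unknown"
    ver = (int(m.group(1)), int(m.group(2)))
    if (8, 5) <= ver <= (9, 7):
        return "affected"
    if ver < (4, 4):
        return "legacy-verify-patches"
    return "not-affected"

def to_seconds(value):
    """Convert an sshd_config time value such as 120, 2m or 1h30m."""
    parts = re.findall(r"(\d+)([smhdw]?)", value.lower())
    return sum(int(n) * UNITS[u] for n, u in parts)

def login_grace_time(config_text, default=120):
    """Return the effective LoginGraceTime in seconds (first value wins)."""
    for line in config_text.splitlines():
        # Drop comments; sshd accepts "Keyword value" and "Keyword=value".
        fields = line.split("#", 1)[0].replace("=", " ", 1).split()
        key = fields[0].lower() if fields else ""
        if key == "match":
            break  # LoginGraceTime is global only; ignore Match blocks
        if key == "logingracetime" and len(fields) > 1:
            return to_seconds(fields[1])
    return default  # sshd's built-in default when the keyword is absent

def triage(banner, config_text):
    """Combine both checks into one finding for a host."""
    state = classify(banner)
    if state != "affected":
        return state
    if login_grace_time(config_text) == 0:
        return "mitigated-pending-patch"
    return "patch-or-mitigate"

# Constructed sample inputs, not taken from a real host.
SAMPLE_BANNER = "OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13"
SAMPLE_CONFIG = "# hardening\nPort 22\nLoginGraceTime 0\nMatch User backup\n"

if __name__ == "__main__":
    print(triage(SAMPLE_BANNER, SAMPLE_CONFIG))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source for the LoginGraceTime value. With LoginGraceTime 0 there is no login timeout, so unauthenticated connections can hold MaxStartups slots indefinitely; treat the setting as temporary until the host is patched.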
Identifying Vulnerable Assets With Axonius
The Axonius Platform helps organizations identify, prioritize, and remediate vulnerabilities across their entire digital infrastructure, providing context that helps security and IT teams prioritize vulnerabilities based on asset criticality. This allows organizations to expedite patching and remediation processes.
To identify instances of CVE-2024-6387, Axonius customers can start with the platform's Assets module.
The Assets module helps discover the impacted assets before the dedicated Vulnerability Assessment solution can detect the vulnerability. By using a device query, customers can identify the affected devices in the following ways:
1. Search for devices that have OpenSSH versions affected by CVE-2024-6387.
AQL:
("specific_data.data.installed_software.name_version" == regex("^openssh(?!.*\bclients?\b).*\-.*(8\.5p1|8\.[6-9](p1)?|9\.3p2|9\.[0-7](p1)?|9\.8(?!p1))", "i")) or (("specific_data.data.installed_software.name_version" == regex("^openssh(?!.*\bclients?\b).*\-.*(4\.[0-4](p[1-4])?|3\.[0-9]\.?[0-9]?(p[1-4])?|2\.[0-9]\.?[0-9]?(p[1-4])?|1\.[0-9]\.?[0-9]?(p[1-4])?)", "i")) and (("specific_data.data.software_cves.cve_id" == "CVE-2006-5051") or ("specific_data.data.software_cves.cve_id" == "CVE-2008-4109"))) or ("specific_data.data.software_cves.cve_id" == "CVE-2024-6387")
2. Track all devices that have firewall rules allowing public IP access and are affected by the OpenSSH vulnerability CVE-2024-6387. These devices should get priority when applying patches, as they are more likely to be exploited.
AQL:
(("specific_data.data.installed_software.name_version" == regex("^openssh(?!.*\bclients?\b).*\-.*(8\.5p1|8\.[6-9](p1)?|9\.3p2|9\.[0-7](p1)?)", "i")) or (("specific_data.data.installed_software.name_version" == regex("^openssh(?!.*\bclients?\b).*\-.*(8\.5p1|8\.[6-9](p1)?|9\.3p2|9\.[0-7](p1)?|9\.8(?!p1))", "i")) and (("specific_data.data.software_cves.cve_id" == "CVE-2006-5051") or ("specific_data.data.software_cves.cve_id" == "CVE-2008-4109"))) or ("specific_data.data.software_cves.cve_id" == "CVE-2024-6387")) and ((("specific_data.data.network_interfaces.ips_raw" == match({"$gte": 0, "$lte": 0}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 16777215, "$lte": 167772160}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 184549375, "$lte": 1681915904}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 1686110207, "$lte": 2130706432}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 2147483647, "$lte": 2851995648}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 2852061183, "$lte": 2886729728}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 2887778303, "$lte": 3221225472}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 3221225727, "$lte": 3221225984}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 3221226239, "$lte": 3227017984}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 3227018239, "$lte": 3232235520}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 3232301055, "$lte": 3323068416}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 3323199487, "$lte": 3325256704}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 3325256959, "$lte": 3405803776}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 3405804031, "$lte": 3758096384}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 
4026531839, "$lte": 4026531840}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 4294967295, "$lte": 4294967295}) or "specific_data.data.network_interfaces.ips_raw" == match({"$gte": 4294967295, "$lte": 4294967295})))) and (("specific_data.data.firewall_rules" == match([("direction" in ["ANY","INGRESS"]) and ("type" == "Allow")])))
3. Search for devices discovered during the vulnerability assessment.
AQL:
("specific_data.data.software_cves" == match([("cve_id" == "CVE-2024-6387")]))
Researching CVE-2024-6387 With the Axonius Vulnerability Management Module
The Axonius Vulnerability Management module addresses vulnerability management issues head-on. It delivers automated visibility into cybersecurity vulnerabilities, and offers a holistic view of threats, allowing IT and security teams to identify vulnerabilities across entire fleets of devices, and prioritize and remediate vulnerabilities based on their urgency and importance.
The Vulnerability Repository page within the module provides an overview of all known vulnerabilities, even those not detected in the environment. This helps teams track and assign a vulnerability before it is detected, and create automated tracking or remediation steps once the vulnerability's status changes to detected.
Axonius customers can use the Vulnerability Management module to identify instances of CVE-2024-6387 in the following ways:
1. Search for active vulnerabilities with Vuln ID CVE-2024-6387.
AQL:
{"vulnerabilities":"(\"specific_data.data.cve_id\" == \"CVE-2024-6387\")","devices":""}
2. Use the Vulnerability Repository page to find CVE-2024-6387.
AQL:
{"vulnerabilities":"(\"specific_data.data.cve_id\" == \"CVE-2024-6387\")"}
Automating Alerts
Axonius Findings supports all query and entity types — assets and system events. The Rules Manager allows customers to alert teammates, executives, other business units and collaborators, and more based on single query criteria thresholds, query comparisons, or timeline comparisons.
Axonius customers can set up alerts and leverage the Axonius Platform to help their remediation teams stay informed whenever new instances of affected assets are identified. They can also get notified via communication channels of their choice (e.g. email, Slack, etc.).
For more documentation on using Axonius to find systems impacted by CVEs, visit docs.axonius.com.