// Overview
On June 7th, 2024, the Qualys Threat Research Unit [1] discovered a Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) on glibc-based Linux systems. The flaw is a signal handler race condition in sshd that allows unauthenticated remote code execution as root on glibc-based Linux systems, and it affects sshd in its default configuration. The vulnerability is tracked as CVE-2024-6387 and carries a CVSSv3 score of 8.1.
Of the 14 million potentially vulnerable sshd instances that appear in Censys and Shodan scans, around 700,000 internet-facing instances are believed to be feasibly exploitable [1]. However, as of July 1st, 2024, there have been no confirmed reports of exploitation.
This vulnerability has been named ‘regreSSHion’ because it is a regression of a previously patched vulnerability, tracked as CVE-2006-5051 and reported in 2006. A regression means that a flaw, once fixed, has reappeared in a later software release, typically because later changes or updates inadvertently reintroduced the issue.
// What you should do
Customers using affected versions of OpenSSH are recommended to apply the following mitigations at the earliest possible convenience:
- Patch Management: Quickly apply available patches for OpenSSH and prioritise ongoing update processes.
- Enhanced Access Control: Limit SSH access through network-based controls to minimise the attack risks.
- Network Segmentation and Intrusion Detection: Divide networks to restrict unauthorised access and lateral movement within critical environments, and deploy systems that monitor and alert on unusual activity indicative of exploitation attempts. Per public reporting, an attacker may need approximately 10k connection attempts to win the race condition, so monitoring for volumetric spikes in connection attempts is also recommended [3].
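As an added example (not part of this advisory, and not AMARU's own detection content), the following Python script implements the volumetric check recommended above over sshd syslog lines: it counts pre-authentication events per source address in a sliding time window and flags sources that cross a threshold. The log message patterns, the hard-coded year and the sample lines are constructed approximations; the threshold is illustrative, far below the ~10k attempts cited, and should be tuned against a baseline for the host.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Approximations of sshd messages left by connections that reach sshd but never
# complete authentication (constructed; adjust to your distribution's format).
PREAUTH_PATTERNS = [
    re.compile(r"Timeout before authentication for (?P<ip>\S+) port \d+"),
    re.compile(r"Connection closed by (?P<ip>\S+) port \d+ \[preauth\]"),
    re.compile(r"Connection reset by (?P<ip>\S+) port \d+ \[preauth\]"),
]
TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)")
ASSUMED_YEAR = "2024"  # syslog timestamps carry no year; assumption for parsing


def parse_line(line):
    """Return (timestamp, source_ip) for a pre-auth sshd line, else None."""
    ts_match = TS_RE.match(line)
    if not ts_match or "sshd[" not in line:
        return None
    for pattern in PREAUTH_PATTERNS:
        m = pattern.search(line)
        if m:
            ts = datetime.strptime(ASSUMED_YEAR + " " + ts_match.group("ts"), "%Y %b %d %H:%M:%S")
            return ts, m.group("ip")
    return None


def find_spikes(lines, threshold=50, window_seconds=60):
    """Return {ip: peak_count} for sources whose pre-auth events within any
    window_seconds-long window reach threshold. Lines are assumed chronological."""
    recent = defaultdict(deque)  # ip -> timestamps of events inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop expired events
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


# Constructed sample: one source timing out before authentication 60 times in a
# minute, plus an unrelated client that closed a single pre-auth connection.
SAMPLE_LOG = [
    f"Jul  1 10:00:{i:02d} host sshd[{1000 + i}]: Timeout before authentication for 203.0.113.5 port {40000 + i}"
    for i in range(60)
] + ["Jul  1 10:00:30 host sshd[2000]: Connection closed by 198.51.100.7 port 51234 [preauth]"]

if __name__ == "__main__":
    print(find_spikes(SAMPLE_LOG))  # {'203.0.113.5': 60}
```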
// What AMARU MDR is doing
AMARU MDR will continue to actively monitor this situation for any updates related to this vulnerability and adapt our response efforts as necessary. AMARU MDR will also look to create detection content specific to the indicators associated with exploitation of this vulnerability as information and data become available.
// References
[2] https://www.cve.org/CVERecord?id=CVE-2024-6387
[3] https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt#