By security practitioners, for security practitioners novacoast federal | Pillr | novacoast | about innovate
By security practitioners, for security practitioners

Update To OpenSSH Fixes Reintroduced Remote Code Execution Vulnerability

Administrators of Linux-based systems should update to OpenSSH immediately to patch a flaw (CVE-2024-6387) that can expose servers to unauthenticated remote code execution.


    • An estimated 700,000 OpenSSH servers are at risk from a remote code execution vulnerability, CVE-2024-6387
    • A signal handler race condition in OpenSSH server allows unauthenticated remote code execution as root on glibc-based Linux systems.
    • If exploited, could lead to full system compromise, complete system takeover, installation of malware, data manipulation and the creation of backdoors for persistent access

    A critical security flaw in OpenSSH that could result in unauthenticated remote code execution with root privileges in glibc-based Linux systems has been patched by the project’s maintainers. 

    The bug was apparently reintroduced by an upstream commit that reverted a prior fix for the same issue, previously patched as CVE-2006-5051.

    Assigned CVE-2024-6387 and dubbed “RegreSSHion,” the bug is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems.

    The Vulnerability and Exploit

    How can RegreSSHion be abused? During SSH authentication, the process is time-limited to a default 120 seconds. If authentication doesn’t complete, the sshd server asynchronously calls the “sigalarm” function, which invokes system-level memory management functions.

    The vulnerable version handles this unsafely for asynchronous execution. Under certain rare conditions, this can trigger a race condition, leading to memory boundary violations and arbitrary code execution.

    To exploit, an attacker would need to make approximately 10,000 auth attempts on a glibc-based Linux platform (this includes the popular Ubuntu.) It’s a particularly sophisticated attack, as memory structures tailored to the specific version of glibc and Linux would need to be pre-staged.

    An attack is easier to stage on a 32-bit Linux system but it could theoretically affect 64-bit as well, despute additional protections to memory.

    How Bad Is This Vulnerability?

    While the consequences of exploitation are severe from this kind of vulnerability, the attack itself is somewhat advanced and unlikely to be abused at scale. 

    What makes this vulnerability serious is the ubiquity of OpenSSH—it is quite nearly on every single Linux server by default, conjuring painful memories of Log4Shell

    What To Do?

    Update OpenSSH/OpenSSL to the newly patched version 9.8. Many Linux distros have already made these packages available. 

    It’s also considered best practice to not expose SSH to the open Internet. Protect with network-based access controls and/or utilize an alternate non-default port number. 

    Affected Versions

    Versions between 8.5p1 and 9.7p1 are affected.

    Versions prior 4.4p1 are also vulnerable to the race condition bug unless they are patched for CVE-2006-5051 and CVE-2008-4109. 


    1. Qualys article
    2. Hacker News
    3. OpenSSH 9.8 Release Notes

    Previous Post

    Weekly Top 10 — 6.24.2024 — RCE Vulnerability Discovered in Mailcow, Fake Virtual Meeting Software Spreads Infostealers, Critical Vulnerability in VMware vCenter Patched, and More.

    Next Post

    Weekly Top 10 — 7.2.2024 — Windows XSS Phishing Attacks, SneakyChef APT, Redis Servers Under Attack, and More.

    Innovate uses cookies to give you the best online experience. If you continue to use this site, you agree to the use of cookies. Please see our privacy policy for details.