What you should be aware of concerning regreSSHion: a vulnerability in OpenSSH server that allows remote code execution (CVE-2024-6387)

Important Considerations Regarding Regression: an OpenSSH Server Vulnerability Allowing Remote Code Execution (CVE-2024-6387)

As of the 1st of July 2024, a solution was provided to address the critical CVE-2024-6387 vulnerability, known as regression, under the coordinated release date (CRD). Discovered and reported by Qualys, this unauthenticated, network-exploitable flaw involves the potential for remote code execution on the OpenSSH server daemon (sshd) from version 8.5p1 to 9.8p1. Specifically impacting Ubuntu releases such as 22.04 LTS, 23.10, and 24.04 LTS, patched packages were promptly issued to users on the CRD. It’s crucial to update if your system runs an affected version. Older releases maintained for security, including those under ESM or Legacy Support like 14.04 LTS, 16.04 LTS, 18.04 LTS, and 20.04 LTS, remain unaffected due to the utilization of prior software versions not containing the vulnerable code.

Details on CVE-2024-6387

The vulnerability arises from the use of an async-signal-unsafe function triggered by a signal handler, particularly when the LoginGraceTime signal expires. Through exploiting a race condition made more challenging by Address Space Layout Randomization (ASLR), malevolent entities can execute unauthorized code as root. This incident strikingly resembles a resurgence of a former vulnerability, CVE-2006-5051, patched in OpenSSH 4.4p1 nearly two decades ago. Despite this setback, the Qualys report commends the defense-in-depth structure, strong track record, and overall security stance of the OpenSSH project, highlighting that software security concerns are inherent and must be addressed with a robust vulnerability management approach.

Targeted Entities

Any attacker with network entry to a susceptible sshd service can potentially exploit this race condition without the need for login credentials, hence the severity associated. Any SSH service exposed online becomes a prime target for such exploitation. Although Qualys’ researchers displayed a proof-of-concept on the i386 architecture, deployments on amd64 (x86-64) are also vulnerable – although believed to be more challenging due to improved ASLR implementation inherent to this architecture. While this underscores the benefits of a multi-layered cybersecurity approach, with network access control utilized to restrict sensitive service access, the primary recommendation remains to upgrade promptly to the patched versions.

Remediation Steps for CVE-2024-6387

Simply updating the openssh-server package suffices, as this action automatically restarts the daemon process. For Ubuntu Pro users, the execution of the pro fix command is an additional option:

sudo apt update && sudo apt install openssh-server

It’s worth noting that starting from Ubuntu 16.04 LTS onwards, the unattended-upgrades service is enabled, automatically checking for and implementing unapplied security updates every 24 hours. Consequently, this update was effectively deployed within a day of the CRD.

Temporary Solutions

Since the problematic code is solely reached upon the firing of the LoginGraceTime timer signal, this vulnerability can be eliminated by setting this configuration parameter to 0 (indefinite). However, this leaves sshd exposed to potential denial-of-service attacks through all MaxStartups connections being exhausted. Hence, the recommendation is to proceed with the upgrade to the patched version. However, if you prefer to implement this temporary solution, following these commands is advisable:

echo "LoginGraceTime 0" | sudo tee /etc/ssh/sshd_config.d/cve-2024-6387.conf
sudo systemctl reload ssh.service

Useful References

For additional insights, please refer to the following sources:

🤞 Don’t miss these tips!

Share it

🤞 Don’t miss these tips!

Solverwp- WordPress Theme and Plugin