
What is the OpenSSH regreSSHion vulnerability (CVE-2024-6387)?

Benjamin Marr, Security Engineer

Key Points

  • CVE-2024-6387 ("regreSSHion") is a race condition in the OpenSSH server (sshd) that, if won, lets an unauthenticated attacker execute arbitrary code as root on an affected Linux system. Winning the race is slow and unreliable, and the limitations described below are likely to prevent widespread exploitation.
  • Identify every instance of OpenSSH and patch affected systems according to your usual schedule for 'High' impact weaknesses.

What is the OpenSSH regreSSHion vulnerability CVE-2024-6387 (a regression of CVE-2006-5051)?

On 1 July 2024, Qualys published research on a vulnerability in the OpenSSH server (sshd). If a client has not authenticated within LoginGraceTime (120 seconds by default), sshd's SIGALRM handler runs, and on affected versions that handler calls functions such as syslog() that are not async-signal-safe. An attacker who times the interruption precisely can corrupt sshd's heap state and, in limited circumstances, turn that into arbitrary code execution as root.

This is not a new bug but a regression of CVE-2006-5051, reported in 2006 by Mark Dowd. The fix for that issue guarded the unsafe calls in the signal handler with an #ifdef DO_LOG_SAFE_IN_SIGHAND; a change committed in October 2020, first shipped in OpenSSH 8.5p1, removed that guard and reintroduced the unsafe calls.

OpenSSH is a sensitive service and a near-ubiquitous one. Because its purpose is remote access and it is often exposed to the internet, a high-impact, reliably exploitable OpenSSH weakness could cause significant and widespread damage. We believe this one will not be widely exploited, however, because of the complexity of the exploit and the hurdles identified in Qualys's excellent research.

The limitations and hurdles identified in the research include:

  • Qualys demonstrated the exploit only on three specific 32-bit (i386) Linux targets; no 64-bit system has been exploited so far. Winning the race takes on average from 6 hours to around 7 days, depending on the target.
  • Winning the race takes on average around 10,000 connection attempts, each of which runs to the LoginGraceTime limit, so Fail2Ban or any comparable rate limiting of unauthenticated connections can stop exploitation.
  • The timing was proven over a stable network with roughly 10 ms of jitter. Greater variance, as is typical across the internet, makes the race considerably harder to win.
  • Qualys has not released a full proof of concept.

What versions of OpenSSH are affected?

  • 8.5p1 up to, but not including, 9.8p1 (9.8p1 contains the fix)
  • Earlier than 4.4p1 (4.4p1 through 8.4p1 are not affected, since they still carry the original fix for CVE-2006-5051)

OpenBSD's own sshd is not affected, because its syslog_r() is async-signal-safe. Note also that Linux distributions often backport fixes without changing the upstream version number, so an affected-looking version string is a prompt to check your vendor's advisory rather than a confirmation.
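The ranges above map directly onto the software version that sshd announces in its protocol identification string (for example SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13). The script below is an added example written for this article, not Intruder's scanner or OpenSSH project code: it reads that string from a host (using bash's /dev/tcp and coreutils timeout, both assumed to be available) and classifies the upstream version against the affected ranges. It inspects only the upstream number, so a distribution that has backported the fix will still be reported as affected; use the result to decide which vendor advisories to check. The sample banners in the dry run are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added example for this article, not Intruder or OpenSSH project code.
# Triage OpenSSH banners against the upstream ranges affected by
# CVE-2024-6387 (8.5p1 <= v < 9.8p1, or v < 4.4p1). Only the upstream
# version is inspected; backported fixes are not visible here.
set -u

# Fetch the SSH identification string from host:port (default 22).
# sshd sends "SSH-2.0-OpenSSH_<ver> ..." right after connect; we send our
# own identification line so the server does not simply hang up on us.
# Uses bash's /dev/tcp (assumed available) so no extra tooling is needed.
grab_banner() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/${2:-22}
        printf 'SSH-2.0-banner-check\r\n' >&3
        grep -m1 '^SSH-' <&3" 2>/dev/null | tr -d '\r'
}

# Print "affected" (exit 0), "not-affected" (exit 1), or "not-openssh" /
# "no-banner" / "unparseable" (exit 2) for one identification string.
openssh_affected() {
    local banner=$1 ver major minor n
    case $banner in
        '')         echo "no-banner";   return 2 ;;
        *OpenSSH_*) ;;
        *)          echo "not-openssh"; return 2 ;;
    esac
    ver=${banner#*OpenSSH_}        # "9.6p1 Ubuntu-3ubuntu13"
    ver=${ver%%[!0-9.]*}           # keep leading digits and dots: "9.6"
    major=${ver%%.*}
    case $ver in
        *.*) minor=${ver#*.}; minor=${minor%%.*} ;;
        *)   minor=0 ;;
    esac
    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo "unparseable"; return 2
    fi
    n=$((major * 100 + minor))     # 9.6 -> 906, 8.5 -> 805, 4.4 -> 404
    if [ "$n" -ge 805 ] && [ "$n" -lt 908 ]; then
        echo "affected"; return 0
    elif [ "$n" -lt 404 ]; then
        echo "affected"; return 0
    fi
    echo "not-affected"; return 1
}

# Read one banner per line on stdin and print a verdict beside each.
scan_banners() {
    while IFS= read -r b; do
        printf '%-45s %s\n' "$b" "$(openssh_affected "$b")"
    done
}

# Usage: SSH_HOSTS='10.0.0.5 bastion.example.org' sh banner-check.sh
# With SSH_HOSTS unset, run the dry run on constructed sample banners.
if [ -n "${SSH_HOSTS:-}" ]; then
    for host in $SSH_HOSTS; do
        banner=$(grab_banner "$host")
        printf '%-25s %-45s %s\n' "$host" "${banner:-<no banner>}" \
            "$(openssh_affected "$banner")"
    done
else
    # Constructed sample banners (not captured from real hosts).
    printf '%s\n' 'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13' \
                  'SSH-2.0-OpenSSH_9.8p1' \
                  'SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3' \
                  'SSH-2.0-OpenSSH_4.3p2 Debian-9etch3' \
                  'SSH-2.0-dropbear_2022.83' | scan_banners
fi
```

The distribution suffix after the version (Ubuntu-3ubuntu13, Debian-5+deb11u3) is what tells you whether a vendor backport is present; compare it against the package version named in your distribution's advisory.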

What do I need to do about CVE-2024-6387 and how can Intruder help?

Identify every device running a vulnerable OpenSSH version. Intruder's Attack Surface View can help with this: open Attack Surface View and search for "OpenSSH".

Apply the latest available patches: OpenSSH 9.8p1 from upstream, or your distribution's backported fix.

If you cannot patch, set LoginGraceTime to 0 in sshd_config and restart sshd. This removes the timeout whose SIGALRM handler the attack depends on, so it blocks the code execution, but an attacker can then hold unauthenticated connections open indefinitely and exhaust MaxStartups, causing a denial of service. We also recommend that SSH is not exposed to the internet at all; where it must be, put a service such as Fail2Ban in front of it. An example of how to set this up is available on Digital Ocean.
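The script below applies and verifies the LoginGraceTime mitigation and drops in a Fail2Ban jail for the recommended rate limiting. It is an added example for this article, not code from the original post, from OpenSSH or from Fail2Ban. It assumes a Debian/Ubuntu-style layout (/etc/ssh/sshd_config, possibly starting with an Include of /etc/ssh/sshd_config.d/*.conf, and Fail2Ban's stock sshd filter under /etc/fail2ban); the jail file name sshd-grace.local and the ban thresholds are arbitrary choices. The sshd_config in the dry run is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example for this article (not code from the original post, OpenSSH
# or Fail2Ban). Applies the LoginGraceTime 0 mitigation for CVE-2024-6387
# and writes a Fail2Ban jail that bans sources producing pre-auth timeouts.
# Assumes a Debian/Ubuntu-style layout; jail file name is an arbitrary choice.
set -u

# Force LoginGraceTime to $2 seconds in the sshd_config at $1.
# sshd uses the FIRST value it sees for a keyword, and an Include at the
# top of the file is processed at that point, so appending to the end of
# the file would be silently overridden by any drop-in. We therefore write
# our directive as the very first line and strip every other LoginGraceTime
# line (active or commented out) from the main file. Drop-ins are left
# untouched; verify the effective value with sshd -T afterwards.
set_login_grace_time() {
    local cfg=$1 secs=$2 tmp
    tmp=$(mktemp) || return 1
    printf 'LoginGraceTime %s\n' "$secs" > "$tmp"
    grep -viE '^[[:space:]]*#?[[:space:]]*LoginGraceTime([[:space:]]|$)' "$cfg" >> "$tmp" \
        || [ $? -eq 1 ] \
        || { rm -f "$tmp"; return 1; }   # 1 = nothing left, fine; 2 = read error
    # Overwrite in place with cat so the file keeps its owner and mode.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Syntax-check the file, then print the value sshd will actually use
# (sshd -T prints the effective configuration with lowercase keywords).
verify_login_grace_time() {
    sshd -t -f "$1" && sshd -T -f "$1" | grep -i '^logingracetime '
}

# Fail2Ban jail. LoginGraceTime expiry makes sshd log
# "Timeout before authentication for <ip> port <n>", and an unmitigated
# server under attack produces thousands of these. "mode = aggressive"
# turns on the stock sshd filter's pre-authentication patterns (connections
# that drop or time out before authenticating). Confirm the filter matches
# your sshd's timeout lines before relying on it:
#   fail2ban-regex /var/log/auth.log 'sshd[mode=aggressive]'
write_fail2ban_jail() {
    cat > "${1:-/etc/fail2ban/jail.d/sshd-grace.local}" <<'EOF'
[sshd]
enabled  = true
mode     = aggressive
maxretry = 5
findtime = 10m
bantime  = 1h
EOF
}

# Dry run on a constructed sshd_config (not a real host's file): note that
# the new directive lands before the Include line and the old commented
# setting is gone.
demo() {
    local cfg
    cfg=$(mktemp)
    printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
                  '#LoginGraceTime 2m' \
                  'PermitRootLogin no' \
                  'MaxStartups 10:30:100' > "$cfg"
    set_login_grace_time "$cfg" 0
    cat "$cfg"
    rm -f "$cfg"
}
demo

# On a real host, as root:
#   set_login_grace_time /etc/ssh/sshd_config 0 \
#     && verify_login_grace_time /etc/ssh/sshd_config \
#     && systemctl restart ssh
#   write_fail2ban_jail && systemctl restart fail2ban
```

Treat LoginGraceTime 0 as a stopgap only: it trades the race condition for an unauthenticated-connection exhaustion problem, which is why the Fail2Ban jail (or equivalent rate limiting at the firewall) belongs alongside it until the host is patched.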

Intruder's platform already has checks for this vulnerability; any scan run for our Pro customers and above will include them.

Please note that remote fingerprinting relies on the version string sshd sends in its protocol identification (for example SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13). Stock OpenSSH always announces its upstream version this way, but the distribution suffix, which is what reveals whether a backported fix is installed, can be suppressed (for example with DebianBanner no on Debian-derived builds), and hosts that are not reachable from outside are never seen by an external scan at all. For a holistic view of where vulnerable packages actually sit, internal agent-based scanning that reads the installed package version is advised.


Changelog

2nd July 2024 - Initial Post
