The Qualys Threat Research Unit (TRU) has discovered a vulnerability in OpenSSH’s server (also known as sshd) on glibc-based Linux systems that allows unauthenticated remote code execution (RCE). The vulnerability has been assigned CVE-2024-6387.
Unauthenticated remote code execution (RCE) on Linux systems
This vulnerability is a regression of CVE-2006-5051, an earlier vulnerability reported in 2006. It was patched at the time, but reappeared in 2020.
Affected OpenSSH versions:
- OpenSSH versions prior to 4.4p1 are vulnerable to this signal handler race condition if they are not patched for CVE-2006-5051 and CVE-2008-4109.
- Versions from 4.4p1 to 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051 that secured a previously insecure feature.
- The vulnerability reappears in versions from 8.5p1 up to, but not including, 9.8p1 (the release that contains the fix), because a critical check was accidentally removed from a function.
OpenBSD systems are not affected by this bug because OpenBSD developed a secure mechanism in 2001 to prevent this vulnerability.
Recommendation for protection against OpenSSH vulnerabilities
Exploitation of the vulnerability could lead to a complete compromise of the system. Attackers could execute arbitrary code with the highest privileges, spread through the network and steal data. Obtaining the highest privileges could allow attackers to bypass critical security mechanisms.
From the FAQ: Users have two update options: upgrade to the latest version released on Monday 1 July (9.8p1), or apply a fix to older versions as described in the advisory. Most vendors will take the second approach.
What should you do now?
InfoGuard strongly recommends that you check the version of the SSH server(s) you are running and upgrade as soon as possible. If an upgrade is not possible, check the mitigations described below. No public exploit code is currently available, but this could change in the next few days.
- Apply the patch
- Restrict SSH access from outside
- Network segmentation, intrusion detection
- Fail2ban as a quick workaround
- Set LoginGraceTime to 0 in the SSH server configuration. This disables the login timeout, so the signal handler in which the race occurs is never triggered. While this configuration enables a denial-of-service attack (unauthenticated connections can be held open indefinitely), remote code execution is no longer possible.
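The two checks a defender needs here, version triage and the LoginGraceTime workaround, can be scripted. The following POSIX shell script is an added example; it is not InfoGuard's or OpenSSH's code. It classifies an OpenSSH version banner against the affected ranges listed above (treating 9.8p1 as the fixed release, per the upgrade guidance) and reads the effective LoginGraceTime from an sshd_config file. The two sample configuration files are constructed for the example, and the classification uses upstream version numbers only: a vendor backport (for example a Debian or RHEL package revision) can fix the bug without changing the upstream version, so a "vulnerable" result must be confirmed against the vendor's advisory.

```shell
#!/bin/sh
# Added example for this advisory (not InfoGuard's or OpenSSH's code).
# Classifies an OpenSSH banner against the version ranges given above and
# reads the LoginGraceTime mitigation from an sshd_config file.

# Extract "MAJOR MINOR PORTABLE" from a banner such as "OpenSSH_9.2p1 Debian-2+deb12u2".
# PORTABLE is empty when the pN suffix is absent (an OpenBSD-native build).
parse_openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p\([0-9][0-9]*\)\)\{0,1\}.*/\1 \2 \4/p'
}

# Print one category for the banner in $1: openbsd-native, vulnerable-unless-backported,
# not-vulnerable, vulnerable-regression, fixed, or unknown (exit status 1).
classify_openssh_version() {
    set -- $(parse_openssh_version "$1")
    [ $# -ge 2 ] || { echo unknown; return 1; }
    if [ -z "$3" ]; then
        echo openbsd-native                 # OpenBSD's own sshd is not affected
        return 0
    fi
    # Encode 9.2p1 as 90201 so the ranges can be compared as integers.
    n=$(( $1 * 10000 + $2 * 100 + $3 ))
    if [ "$n" -lt 40401 ]; then
        echo vulnerable-unless-backported   # pre-4.4p1: needs CVE-2006-5051/CVE-2008-4109 fixes
    elif [ "$n" -lt 80501 ]; then
        echo not-vulnerable                 # 4.4p1 .. 8.4p1
    elif [ "$n" -lt 90801 ]; then
        echo vulnerable-regression          # 8.5p1 .. 9.7p1: CVE-2024-6387 unless backported
    else
        echo fixed                          # 9.8p1 and later
    fi
}

# Print the LoginGraceTime value from the sshd_config file in $1, or 120 (the
# compiled-in default) when it is not set. sshd honours the first occurrence of a
# keyword, so the first match wins; commented-out lines ("#LoginGraceTime") are ignored.
login_grace_time_from_config() {
    awk 'tolower($1) == "logingracetime" && !seen { v = $2; seen = 1 }
         END { print (seen ? v : 120) }' "$1"
}

# "mitigated" when LoginGraceTime is 0 (no login timeout, so the vulnerable signal
# handler is never entered), otherwise "not-mitigated".
grace_time_mitigation_status() {
    if [ "$(login_grace_time_from_config "$1")" = "0" ]; then
        echo mitigated
    else
        echo not-mitigated
    fi
}

# Constructed sample configs (not taken from any real host) to exercise the checks.
SAMPLE_DEFAULT_CFG=$(mktemp)
cat > "$SAMPLE_DEFAULT_CFG" <<'EOF'
# sshd_config with the grace time left at its default
Port 22
#LoginGraceTime 2m
PermitRootLogin no
EOF

SAMPLE_MITIGATED_CFG=$(mktemp)
cat > "$SAMPLE_MITIGATED_CFG" <<'EOF'
Port 22
LoginGraceTime 0
PermitRootLogin no
EOF
trap 'rm -f "$SAMPLE_DEFAULT_CFG" "$SAMPLE_MITIGATED_CFG"' EXIT

# Constructed banners covering each range in the advisory.
for banner in "OpenSSH_4.3p2" "OpenSSH_8.4p1" "OpenSSH_9.2p1 Debian-2+deb12u2" "OpenSSH_9.8p1" "OpenSSH_9.8"; do
    printf '%-35s %s\n' "$banner" "$(classify_openssh_version "$banner")"
done
printf 'default config:   %s\n' "$(grace_time_mitigation_status "$SAMPLE_DEFAULT_CFG")"
printf 'mitigated config: %s\n' "$(grace_time_mitigation_status "$SAMPLE_MITIGATED_CFG")"
```

On a live host, `ssh -V 2>&1` prints the installed version banner (the same string a scanner sees on port 22), and `sshd -T | grep -i logingracetime` prints the value sshd actually uses after parsing its configuration, which is the number to check rather than the file alone.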
Our recommendation: implementing an eVUMA service
InfoGuard’s eVUMA service enables you to see your company from the attacker’s perspective. This involves daily scans of your perimeter infrastructure by our security experts from our ISO/IEC 27001-certified Cyber Defence Center (CDC) in Baar.
As part of this service, we take full responsibility for the first steps of the vulnerability management process – from daily scanning to reporting. As soon as a critical vulnerability emerges that is exposed to the Internet, we handle the risk assessment of the vulnerability and proactively contact you. Our experts are then available as need be to advise you so that you can rectify the weak point quickly and effectively.
The benefit to you is a significant reduction in the response and information time should any new high or critical vulnerabilities emerge in your exposed infrastructure. This enables the system managers or CISOs to respond to the threat as quickly as possible without having to monitor the external infrastructure themselves 24/7.
Interested? Contact us today for a tailored consultation. We are here for you!