CanSSOC advisory: Vulnerability – Unauthenticated remote code execution vulnerability in OpenSSH
Published: July 9, 2024
TLP: CLEAR
CanSSOC Threat Assessment [*]: HIGH
Topics on this page:
Summary:
A critical unauthenticated remote code execution (RCE) vulnerability in OpenSSH, identified as CVE-2024-6387 and dubbed “regreSSHion” has been discovered, which allows attackers to gain root privileges on glibc-based Linux systems. The flaw, originating from a signal handler race condition in sshd, enables unauthenticated remote attackers to execute arbitrary code as root. Exploitation of this vulnerability poses severe risks, including complete system takeover and network propagation, which can potentially compromise other systems within an organization.
Security researchers have also indicated that while the regreSSHion vulnerability is likely present on macOS and Windows, its exploitability on these systems has not yet been confirmed. Further analysis is required to determine if these operating systems are vulnerable.
We are asking institutions that have the resources to investigate activity related to this vulnerability, and report the information back to CanSSOC via your institutional Slack channel or via security@canssoc.canarie.ca.
Details:
- CVE|CVSS: CVE-2024-6387 | 8.1
- Impacted versions: The regreSSHion flaw impacts OpenSSH servers on Linux from version 8.5p1 up to, but not including 9.8p1.
- Patched versions: Versions 4.4p1 up to, but not including 8.5p1, are not vulnerable to CVE-2024-6387 due to a patch for CVE-2006-5051, which secured a previously unsafe function.
- Active exploitation: No known active exploitation in the wild yet.
Notes:
- The vulnerability is challenging to exploit, according to researchers, but also is not easy to fully remediate, demanding a focused and layered security approach.
- Qualys confirmed a vulnerable status for 700,000 instances based on its CSAM 3.0 data.
Recommendations:
- Immediate patch application: Ensure all OpenSSH servers are updated to version 9.8p1.
- Review and adjust security configurations: Harden SSH configurations and restrict access through firewalls and network segmentation.
- Continuous monitoring and incident response: Implement comprehensive monitoring for unusual SSH activity and have an incident response plan in place for potential exploit attempts.
Support:
As always, please contact security.response@utoronto.ca if you have any questions or concerns or feel that a device has been compromised by this vulnerability.
Footnotes:
[*] The CanSSOC Threat Assessment has the following four scores: LOW, MEDIUM, HIGH, SEVERE.