Critical OpenSSH vulnerability

Understanding CVE-2024-6387: A Critical OpenSSH Vulnerability about Signal Handler Race condition

By SecurityHive
July 2, 2024

As a leading cybersecurity firm, we prioritize keeping our clients and readers informed about critical vulnerabilities that could impact their systems. Today, we’re diving into CVE-2024-6387, a severe vulnerability in OpenSSH that has garnered significant attention due to its potential to allow unauthenticated remote code execution.

What is CVE-2024-6387?

CVE-2024-6387, also known as "regreSSHion," is a vulnerability in OpenSSH’s server component (sshd) affecting versions 8.5 to 9.8. This issue arises from a race condition in the signal handler, specifically when a client does not authenticate within the LoginGraceTime (120 seconds by default). The vulnerability is triggered by the asynchronous handling of the SIGALRM signal, which calls functions not safe for async-signal use, such as syslog()​.

How Can CVE-2024-6387 Be Abused?

An attacker exploiting CVE-2024-6387 can remotely execute arbitrary code on the target server without needing authentication. Here’s a step-by-step outline of the exploitation process:

  1. Connection Initiation: The attacker connects to the OpenSSH server but does not complete the authentication process.

  2. Triggering the Vulnerability: When the LoginGraceTime expires, the SIGALRM signal is triggered. Due to the race condition, this handler may call unsafe functions.

  3. Code Execution: By carefully crafting the connection and timing the exploitation, the attacker can execute arbitrary commands as root, leading to a potential full system compromise​.

What is the impact?

This vulnerability carries a CVSS v3 base score of 8.1, classifying it as a high-severity issue. The potential impact includes unauthorized system access, data breaches, and full control over affected servers.

How to check?

To determine if your systems are affected by CVE-2024-6387, check the installed OpenSSH version:


Copy code

ssh -V

If your version is between 8.5 and 9.8, your system is vulnerable. For automated and comprehensive vulnerability assessments, our Vulnerability Management Solution can quickly identify this and other security issues within your infrastructure.

Mitigation and Updates

Updating OpenSSH: The most effective way to mitigate CVE-2024-6387 is to update OpenSSH to a 9.8p1. On most systems you can do this via the package manager. Example command on Debian:

apt-get update && apt-get upgrade openssh-server

Temporary Mitigation: If updating immediately is not possible, you can temporarily mitigate the risk by setting LoginGraceTime to 0 in the sshd_config file:

vi /etc/ssh/sshd_config

LoginGraceTime 0

This will prevent the remote code execution but may result in denial of service by consuming all MaxStartups connections​.

Leveraging Our Vulnerability Management Solution

Keeping track of such vulnerabilities and ensuring timely updates can be daunting. Our Vulnerability Management Solution simplifies this process. It scans your network, identifies vulnerabilities, and provides detailed reports and remediation steps. This proactive approach ensures that your systems are secure and compliant with the latest security standards.

Start your 14-day free trial and start scanning immediately

Are you vulnerable?