Exploit CVE-2024-6387 or regreSSHion Vulnerability allows remote unauthorized code execution on OpenSSH servers. The article explains various ways to fix the issue in detail. Bobcares, as a part of our Server Management Service offers solutions to every query that comes our way.

Overview

1. Exploit CVE-2024-6387: A Quick Note
2. Exploit CVE-2024-6387: How to Fix it?

Exploit CVE-2024-6387: A Quick Note

A major vulnerability in the OpenSSH server on glibc-based Linux systems is known as regreSSHion, or CVE-2024-6387. It allows remote, unauthenticated code execution. This is because of a buffer overflow that occurred during the processing of SSH connections. By sending a carefully crafted request, an attacker may take advantage of this vulnerability. Thus, taking over the server and run arbitrary code with high privileges.

The following versions of OpenSSH are vulnerable:

1. OpenSSH versions less than 4.4p1, if not patched for CVE-2006-5051 and CVE-2008-4109.

2. OpenSSH versions from 8.5p1 up to, but not including, 9.8p1.

And the Following are not vulnerable:

1. Ubuntu 24.04: It is not vulnerable due to its ASLR config, which helps protect against this type of exploit.

2. OpenBSD: It is not vulnerable because it uses a safer version of the syslog() function. This prevents the buffer overflow issue.

We can also use sshd -V to find whether the SSHD systems are running the affected version.

Exploit CVE-2024-6387: How to Fix it?

Fix for CVE-2024-6387:

1. Upgrade OpenSSH: Upgrade to OpenSSH 9.8 or later to fix the vulnerability.

2. Patch Details: The issue was fixed on June 6, 2024, by commit 81c1099, which moved unsafe code to a safer process.

3. Backporting: If backporting is difficult, remove or comment out the unsafe code from the sshsigdie() function.

We also suggest the following practices:

1. Limit SSH access to trusted networks and users.

2. Use key-based authentication and disable password logins.

3. Regularly check SSH logs and audit configs.

If we cannot update, set LoginGraceTime to 0 in the config file to prevent remote code run but be aware it may lead to a denial of service by exhausting all MaxStartups connections.

[Want to learn more? Reach out to us if you have any further questions.]

Conclusion

Most attacks can cause the SSHd service to fail, which may impact availability. Network monitoring can identify high connection volumes. Here, we’ve provided simple fixes from our Tech team to quickly fix the issue, along with best practices to follow in order to avoid the exploit.