
WARNING: UNAUTHENTICATED REMOTE CODE EXECUTION IN OPENSSH SERVER, PATCH IMMEDIATELY!

Reference: 
Advisory #2024-101
Version: 
2.0
Affected software: 
OpenSSH versions earlier than 4.4p1 (unless patched for CVE-2006-5051 and CVE-2008-4109), and versions from 8.5p1 up to, but not including, 9.8p1, on glibc-based Linux systems. Versions from 4.4p1 up to, but not including, 8.5p1 are not affected because they still carry the original fix for CVE-2006-5051.
Type: 
Remote Code Execution
CVE/CVSS: 

CVE-2024-6387: CVSS 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-2024-6387 is a regression vulnerability: it is the reappearance of CVE-2006-5051, a signal handler race condition in sshd that was fixed in OpenSSH 4.4p1.

Sources

Qualys: https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

Risks

Successful exploitation gives an unauthenticated attacker root on the affected host, which amounts to full system compromise: installation of malware, data manipulation, creation of backdoors and lateral movement to other vulnerable systems within the organization. It therefore has a severe impact on the confidentiality, integrity and availability of the affected system.

Exploitation is not trivial: the attacker must win a race condition, which in the Qualys research required on the order of thousands of connection attempts over several hours, and it has so far only been demonstrated on 32-bit systems. Patching is nevertheless strongly advised because of the high impact.

Update 02/07/2024: A proof of concept is available. The Centre for Cybersecurity Belgium assesses exploitation is likely to take place in the near future.

Description

CVE-2024-6387 is a signal handler race condition in OpenSSH's server (sshd). If a client does not authenticate within LoginGraceTime (120 seconds by default), sshd's SIGALRM handler is invoked asynchronously and calls functions that are not async-signal-safe, such as syslog(). Because this handler runs in sshd's privileged, unsandboxed code, an attacker who times the interruption precisely can achieve unauthenticated remote code execution as root. sshd is affected in its default configuration on glibc-based Linux systems.

CVE-2024-6387 is a regression vulnerability, meaning it is the reappearance of a previously patched vulnerability (CVE-2006-5051): the fix for that issue was inadvertently removed in October 2020 with the release of OpenSSH 8.5p1, which is why versions from 8.5p1 onwards are affected again until 9.8p1.
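To apply the affected-version ranges above to real banners, here is an added example (not CCB or Qualys code) that parses an "ssh -V" line or an SSH-2.0 protocol banner and classifies the upstream OpenSSH version. It assumes the ranges stated in this advisory, checks only the version string (not whether the host is glibc-based Linux), and treats the absence of a "pN" suffix as OpenBSD's native build, which Qualys reports is not affected because its handler uses syslog_r(). Distributions often backport the 9.8p1 fix without changing the version number, so a result of "affected" must be confirmed against the vendor advisory or package changelog.

```python
"""Classify OpenSSH version banners against the CVE-2024-6387 affected ranges.

Added example (not CCB or Qualys code). Ranges follow the advisory: versions
older than 4.4p1, and 8.5p1 up to but not including 9.8p1, on glibc Linux.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, micro, portable "pN")

FIXED_2006 = (4, 4, 0, 1)          # 4.4p1 fixed CVE-2006-5051
REGRESSION_START = (8, 5, 0, 1)    # 8.5p1 reintroduced the bug (Oct 2020)
REGRESSION_FIXED = (9, 8, 0, 1)    # 9.8p1 fixes CVE-2024-6387

# Matches "OpenSSH_9.6p1", "OpenSSH_6.6.1p1" or OpenBSD's "OpenSSH_9.8" inside
# an "ssh -V" line or an "SSH-2.0-..." protocol banner; the vendor suffix
# (e.g. "Ubuntu-3ubuntu13") is deliberately ignored.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(p(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Version]:
    """Return (major, minor, micro, portable) or None if not an OpenSSH banner.
    portable is 0 for a non-portable (OpenBSD native) build without a pN tag."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    micro = int(m.group(3)) if m.group(3) else 0
    portable = int(m.group(5)) if m.group(5) else 0
    return (major, minor, micro, portable)


def classify(banner: str) -> str:
    """Classify a banner: 'unknown', 'not-affected', 'affected' or 'affected-legacy'.

    'affected' means the upstream version is in the vulnerable range; distributions
    may have backported the 9.8p1 fix without changing the version, so confirm
    against the vendor advisory or package changelog before declaring a host safe.
    """
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown"
    if v[3] == 0:
        # No "pN" suffix: OpenBSD's native sshd, whose SIGALRM handler uses the
        # async-signal-safe syslog_r() and is not affected (per Qualys).
        return "not-affected"
    if v < FIXED_2006:
        # Pre-4.4p1: vulnerable to the original CVE-2006-5051 unless patched.
        return "affected-legacy"
    if REGRESSION_START <= v < REGRESSION_FIXED:
        return "affected"
    return "not-affected"


# Constructed sample banners (not real scan output).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "OpenSSH_8.4p1 Debian-5+deb11u3, OpenSSL 1.1.1w  11 Sep 2023",
    "SSH-2.0-OpenSSH_8.5p1",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_9.8",
    "SSH-2.0-OpenSSH_3.9p1",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{classify(b):16s} {b}")
```

Feed it the output of "ssh -V 2>&1" on each host, or the banner line returned when connecting to TCP port 22, and treat every "affected" result as vulnerable until the vendor package version proves otherwise.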

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing: upgrade to OpenSSH 9.8p1 or to a distribution package that backports the fix. Where patching cannot be done immediately, Qualys notes that setting LoginGraceTime to 0 in sshd_config removes the vulnerable signal handler path, at the cost of leaving sshd open to a denial of service through connection exhaustion; treat this as a temporary mitigation only.

Monitor/Detect
The CCB recommends organizations scale up monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion. Because exploitation requires many connections that each run into the LoginGraceTime limit, a large number of "Timeout before authentication" messages from a single source in the sshd logs is a useful indicator of an exploitation attempt.
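As an added example of such detection logic (not CCB or Qualys code), the script below scans syslog-style auth.log lines for sshd's "Timeout before authentication for <ip> port <port>" message and flags any source that produces a burst of them within a sliding window. It assumes the traditional syslog line layout (month, day, time, host, "sshd[pid]:"), a supplied year because syslog timestamps carry none, and a threshold of ten timeouts in ten minutes, which is far above what a legitimate client produces; the log lines it runs on are constructed, not real.

```python
"""Flag sources that repeatedly hit sshd's LoginGraceTime, the pattern CVE-2024-6387
exploitation attempts leave behind.

Added example (not CCB or Qualys code). sshd logs "Timeout before authentication
for <ip> port <port>" when a client fails to authenticate within LoginGraceTime;
winning the race needs many such attempts, so a burst from one source is a signal.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Traditional syslog line as written by rsyslog/journald to /var/log/auth.log
# (assumed layout: "Mon DD HH:MM:SS host sshd[pid]: message").
TIMEOUT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
    r"Timeout before authentication for (?P<ip>\S+) port \d+"
)


def parse_syslog_ts(ts: str, year: int) -> datetime:
    """Syslog timestamps carry no year; the caller supplies it (assumption)."""
    ts = re.sub(r"\s+", " ", ts)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_timeout_bursts(lines: Iterable[str], threshold: int = 10,
                        window: timedelta = timedelta(minutes=10),
                        year: int = 2024) -> Dict[str, int]:
    """Return {source_ip: peak_count} for every source that produced at least
    `threshold` LoginGraceTime timeouts inside some sliding window of `window`."""
    events = defaultdict(list)
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if m:
            events[m["ip"]].append(parse_syslog_ts(m["ts"], year))
    alerts: Dict[str, int] = {}
    for ip, times in events.items():
        times.sort()
        recent: deque = deque()   # timestamps inside the current window
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


def make_sample_log() -> List[str]:
    """Constructed auth.log excerpt: one source timing out every 20 s (attack-like),
    one legitimate source with two isolated timeouts, plus unrelated noise."""
    base = datetime(2024, 7, 1, 12, 0, 0)
    lines = []
    for i in range(25):
        t = base + timedelta(seconds=20 * i)
        lines.append(f"Jul  1 {t:%H:%M:%S} bastion sshd[{4000 + i}]: "
                     f"Timeout before authentication for 198.51.100.7 port {50000 + i}")
    for hour in (9, 15):
        lines.append(f"Jul  1 {hour:02d}:30:00 bastion sshd[1234]: "
                     "Timeout before authentication for 203.0.113.5 port 40123")
    lines.append("Jul  1 12:01:10 bastion sshd[4100]: Accepted publickey for ops "
                 "from 203.0.113.9 port 40222 ssh2")
    return lines


if __name__ == "__main__":
    for ip, n in find_timeout_bursts(make_sample_log()).items():
        print(f"ALERT {ip}: {n} LoginGraceTime timeouts within 10 minutes")
```

On a real host, pipe /var/log/auth.log (or "journalctl -u ssh") into find_timeout_bursts; the same per-source sliding-window rule translates directly into a SIEM correlation search on the sshd timeout message.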

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident

Patching appliances or software to the newest version protects against future exploitation, but it does not remediate a compromise that has already taken place. Systems that were exposed while vulnerable should be reviewed for signs of intrusion.
