WARNING: UNAUTHENTICATED REMOTE CODE EXECUTION IN OPENSSH SERVER, PATCH IMMEDIATELY!
CVE-2024-6387: regression vulnerability (reappearance of CVE-2006-5051)
CVE-2006-5051: CVSS 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
Risks
Successful exploitation can lead to a full system compromise, allowing complete system takedown, installation of malware, data manipulation, creation of backdoors and lateral movement for further exploitation of other vulnerable systems within the organization. It therefore has a severe impact on the confidentiality, integrity and availability of the affected system.
Although the vulnerability is not easily exploited, it is advised to patch due to the high impact it can have.
Update 02/07/2024: A proof of concept is available. The Centre for Cybersecurity Belgium assesses exploitation is likely to take place in the near future.
Description
CVE-2024-6387 is a signal handler race condition vulnerability in OpenSSH's server (sshd), leading to remote code execution with root privileges. It affects sshd in its default configuration on Linux systems.
CVE-2024-6387 is a regression vulnerability, meaning it is a reappearance of a previously patched vulnerability (CVE-2006-5051).
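The bug class named above, a signal handler that races with the code it interrupts, shown as an added C example (not sshd's code and not part of the original advisory). It contrasts a handler that calls a non-async-signal-safe function with a hardened one that only sets a flag; all function names and the session loop are hypothetical, and raise(SIGALRM) is a constructed stand-in for a timer.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* The only object type the C standard lets a handler write safely. */
static volatile sig_atomic_t deadline_hit = 0;

/* Risky pattern, shown for contrast and never installed here: stdio is not
   async-signal-safe, so if the signal lands while the interrupted code is
   itself inside stdio or the allocator, shared state can be corrupted. */
void unsafe_on_deadline(int signo) {
    (void)signo;
    fprintf(stderr, "deadline reached\n");
}

/* Hardened pattern: record the event and return; do nothing else. */
static void on_deadline(int signo) {
    (void)signo;
    deadline_hit = 1;
}

/* Install the hardened handler for SIGALRM; returns 0 on success. */
int install_deadline_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_deadline;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGALRM, &sa, NULL);
}

/* Hypothetical session loop. fire_at is the step at which the constructed
   deadline arrives (-1 = never). Returns the steps completed before it. */
int run_session(int steps, int fire_at) {
    int done = 0;
    deadline_hit = 0;
    for (int i = 0; i < steps; i++) {
        if (i == fire_at)
            raise(SIGALRM);           /* stand-in for a real timer expiring */
        if (deadline_hit) {           /* polled in normal context */
            fprintf(stderr, "deadline reached after %d steps\n", done);
            break;                    /* logging and cleanup are safe here */
        }
        done++;
    }
    return done;
}

int main(void) {
    if (install_deadline_handler() != 0) return 1;
    return run_session(5, 3) == 3 ? 0 : 1;
}
```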
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References