Threat Research Report Team

OpenSSH Vulnerability: CVE-2024-6387 Explained

Written by Uptycs Team | Jul 2, 2024 12:28:17 PM

Vulnerability Detection

A new OpenSSH vulnerability has been detected.Uptycs customers can use the Vulnerability dashboard to find all assets, images and containers that are impacted by CVE-2024-6387.

Access the Vulnerability dashboard from the left navigation bar - below screenshots show the Vulnerability dashboard for Endpoints. You can also access the Kubernetes and Container Security vulnerability dashboard from the left navigation bar.

Once you open the Vulnerability dashboard, use the Search screen to search for assets specifically impacted by the CVE:

Your search result should look similar to the below screenshot:

Clicking on “Found on one or more assets” will give you a detailed list of all impacted assets:

 

Understanding CVE-2024-6387: The RegreSSHion Vulnerability

CVE-2024-6387, known as the “RegreSSHion” vulnerability, is a critical security flaw and OpenSSH vulnerability affecting various OS platforms and OpenSSH versions. This vulnerability poses a significant threat to secure communications, emphasizing the need for immediate attention and remediation by affected users and administrators.

This OpenSSH vulnerability is already assumed to be affecting a significant number of computer systems running the affected OpenSSH software version. The vulnerability has been present since October 2020 (OpenSSH 8.5p1) and was patched as of version 9.8p1 of OpenSSH.

Systems that are impacted and directly connected to the internet with SSH publicly exposed should be prioritized for patching, while internal systems that are impacted should be secondary to public-facing systems for patching.

The researchers who reported this vulnerability have also indicated that successfully exploiting these vulnerabilities requires a significant level of complexity, exploitation can take about 10,000 attempts on x86 (32-bit) before a successful compromise occurs. Uptycs notes that they have not yet been published in CISA’s KEV list, we are urging all our customers, and the wider community, to proactively patch this vulnerability given the threat it could present to allow threat actors to compromise organizations.

 

Affected OS Platforms and OpenSSH Versions

The RegreSSHion OpenSSH vulnerability impacts multiple operating systems that utilize OpenSSH for secure shell (SSH) operations. The affected platforms include:

  • Linux Distributions: Various versions of Linux, including but not limited to Debian, Ubuntu, CentOS, and Red Hat.
  • BSD Variants: OpenBSD, and its variants, are currently reported as unaffected by this vulnerability.
  • macOS: Systems running OpenSSH are likely affected, however, exploitability is currently undermined.
  • Windows: Systems running OpenSSH are likely affected, however, exploitability is currently undermined.

Specifically, the vulnerability has been identified in OpenSSH versions 8.5p1 and prior to 9.8p1. Version 9.8p1 is not considered vulnerable. Users running these versions should prioritize upgrading to the latest patched release provided by OpenSSH maintainers.

Identifying the RegreSSHion Vulnerability Manually

To manually determine if your system is vulnerable to CVE-2024-6387, follow these steps:

  1. Check OpenSSH Version:
    • Execute the command ssh -V in your terminal. This will display the current OpenSSH version installed on your system.
    • If the version falls between 8.4 and 9.0, your system is potentially vulnerable.
  2. Review System Logs:
    • Inspect your system logs for any unusual activity related to SSH connections. Look for unauthorized access attempts or anomalies that could indicate exploitation.
  3. Verify OS and OpenSSH Package Updates:
    • Ensure that your OS distribution has released updates addressing this vulnerability. Most major Linux distributions and BSD variants will provide security advisories and patches.
  4. Security Tools and Scanners:
    • Utilize security scanners and vulnerability assessment tools that include CVE-2024-6387 in their databases. Tools like OpenVAS, Nessus, and commercial solutions can automate the detection process.

Mitigation and Remediation

To mitigate the risk posed by CVE-2024-6387, take the following actions:

  • Upgrade OpenSSH: Immediately upgrade to the latest version of OpenSSH. Follow the instructions provided by your OS vendor or the official OpenSSH project.
  • Apply Security Patches: Ensure all relevant security patches from your OS vendor are applied. Regularly check for updates and advisories.
  • Restrict SSH Access: Implement access controls to limit SSH access to trusted IP addresses and use key-based authentication instead of password-based authentication.

By promptly addressing CVE-2024-6387, organizations can safeguard their systems against potential exploits and maintain the integrity of their secure communications.

For more detailed information and updates, refer to official security advisories from OpenSSH and your OS vendor.

 

OS Vendor Updates

Updates from Ubuntu Security Advisory

Ubuntu has released patches for the following affected systems.

Source: https://ubuntu.com/security/CVE-2024-6387

Update from RedHat Security Advisory

RedHat have indicated that OpenSSH on Red Hat Enterprise Linux 9 is impacted and requires patching, while Red Hat Enterprise Linux 6, 7 and 8, are not affected.

Source: https://access.redhat.com/security/cve/CVE-2024-6387

Update from Debian Security Advisory

Debian has provided a Security Advisory for Debian Bookmark and Debian Trixie that are impacted by the vulnerability.

Source: https://security-tracker.debian.org/tracker/CVE-2024-6387

Updates from Amazon Linux

Amazon had indicated that Amazon Linux 2023 systems running OpenSSH are impacted, Amazon Linux-1 and Amazon Linux-2 Core are not affected.

Source: https://explore.alas.aws.amazon.com/CVE-2024-6387.html

Updates from OpenSuse Linux

SUSE have indicated that OpenSuse Leap 15.6 systems running OpenSSH are impacted, while other OpenSuse versions are still being investigated for any impact.

Source: https://www.suse.com/security/cve/CVE-2024-6387.html