Executive Summary
CVE-2024-6387, also known as the "RegreSSHion" vulnerability, is a critical security flaw in OpenSSH's server (sshd). It allows unauthenticated remote code execution (RCE) with root privileges due to a race condition in sshd's signal handler. The flaw is a security regression of CVE-2006-5051: a previously fixed bug that was inadvertently reintroduced. Given its high CVSS score of 8.1, this vulnerability poses a significant risk to organizations, especially those in critical infrastructure and high-value sectors. Immediate action is required to mitigate this threat.
Technical Information
CVE-2024-6387 is a race condition vulnerability in OpenSSH's server (sshd). The flaw arises from unsafe handling of signals, which can be exploited by an unauthenticated, remote attacker. The attacker triggers the race by deliberately failing to authenticate within the server's login grace period (LoginGraceTime), so that sshd's timeout signal handler runs while the main code is in an inconsistent state, leading to remote code execution with root privileges. The vulnerability affects OpenSSH versions up to 9.8.
The vulnerability's CVSS v3.1 Base Score is 8.1, indicating a high severity. The attack vector is network-based (AV:N), with high attack complexity (AC:H), no privileges required (PR:N), and no user interaction needed (UI:N). The scope is unchanged (S:U), with high impacts on confidentiality (C:H), integrity (I:H), and availability (A:H).
Exploiting this vulnerability requires an attacker to initiate thousands of connection attempts to win the race condition reliably, which makes exploitation attempts conspicuous in sshd logs. Exploitation has been observed in the wild, with attackers leveraging automated scripts. The vulnerability has been addressed in OpenSSH version 9.8p1.
For more detailed technical information, you can refer to the following resources:
- Qualys: regreSSHion.txt (https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt)
- GitHub PoC: cve-2024-6387-poc (https://github.com/zgzhang/cve-2024-6387-poc)
- GitHub PoC: cve-2024-6387_hassh (https://github.com/0x4D31/cve-2024-6387_hassh)
Exploitation in the Wild
Exploitation of CVE-2024-6387 has been observed in the wild. Attackers are using automated scripts to initiate thousands of connection attempts to trigger the race condition. Indicators of Compromise (IOCs) include unusual authentication attempts and high volumes of connection attempts from a single source. Use of this vulnerability has been documented in various Proof of Concept (PoC) exploits available on GitHub.
For example, the following PoCs demonstrate the exploitation of this vulnerability:
- GitHub PoC: CVE-2024-6387 (https://github.com/3yujw7njai/CVE-2024-6387)
- GitHub PoC: ssh_exploiter_CVE-2024-6387 (https://github.com/AiGptCode/ssh_exploiter_CVE-2024-6387)
- GitHub PoC: CVE-2024-6387-Updated-SSH-RCE (https://github.com/TrustResearcher/CVE-2024-6387-Updated-SSH-RCE)
APT Groups using this vulnerability
While specific APT groups exploiting this vulnerability have not been publicly identified, the nature of the vulnerability makes it a potential target for state-sponsored actors and advanced persistent threats (APTs). These groups often focus on critical infrastructure and high-value targets, making the exploitation of CVE-2024-6387 a significant concern for organizations in these sectors.
Affected Product Versions
The following product versions are affected by CVE-2024-6387:
- OpenSSH: Versions up to 9.8
Organizations using these versions should prioritize patching and implementing mitigation strategies to protect against exploitation.
Workaround and Mitigation
To mitigate the risks associated with CVE-2024-6387, organizations should take the following steps:
- Patch: Apply the latest patches provided by OpenSSH and affected vendors. The vulnerability has been addressed in OpenSSH version 9.8p1.
- Configuration: Reduce the LoginGraceTime to the minimum acceptable value to limit the window for exploitation. Setting it to 0 disables the timeout entirely, which removes the race but leaves sshd open to connection-exhaustion denial of service, so treat it as a stopgap until patching is complete.
- Monitoring: Implement monitoring for unusual authentication attempts and high volumes of connection attempts.
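As an added illustration of the monitoring step (this script is not part of the original advisory), the code below scans sshd log lines for the grace-timeout message that each failed exploitation attempt leaves behind and flags source addresses that produce a burst of them. The log lines are constructed, and the 20-timeouts-in-10-minutes threshold is an assumption to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd logs this line from its grace-timeout handler when a client fails to
# authenticate within LoginGraceTime. The regreSSHion technique forces this
# timeout thousands of times, so a burst from one source is the signal to alert on.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:fatal: )?Timeout before authentication for (?P<ip>[\d.:a-fA-F]+) port \d+"
)

def parse_timeouts(lines, year=2024):
    """Return (timestamp, source_ip) for every grace-timeout line in `lines`."""
    events = []
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the caller supplies it (assumed 2024 here)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    return events

def flag_sources(events, window=timedelta(minutes=10), threshold=20):
    """Return {ip: peak_count} for sources with at least `threshold` timeouts
    inside any sliding `window`. Both parameters are tunable assumptions."""
    per_ip = defaultdict(list)
    for ts, ip in sorted(events):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample log: one noisy source (25 timeouts in 25 s) and one stray timeout.
SAMPLE_LOG = [
    f"Jul  1 02:{i // 60:02d}:{i % 60:02d} bastion sshd[{4000 + i}]: fatal: "
    f"Timeout before authentication for 198.51.100.23 port {50000 + i}"
    for i in range(25)
] + ["Jul  1 03:15:09 bastion sshd[5100]: fatal: Timeout before authentication for 203.0.113.7 port 41022"]

if __name__ == "__main__":
    print(flag_sources(parse_timeouts(SAMPLE_LOG)))  # {'198.51.100.23': 25}
```

Feed it `journalctl -u ssh` or `/var/log/auth.log` output in production; the stray single timeout from a legitimate slow client stays below the threshold and is not reported.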
For more detailed mitigation strategies, refer to the following resources:
- NVD: CVE-2024-6387 Detail (https://nvd.nist.gov/vuln/detail/CVE-2024-6387)
- Red Hat: CVE-2024-6387 (https://access.redhat.com/security/cve/CVE-2024-6387)
- Trend Micro: Impact of OpenSSH Vulnerabilities (https://www.trendmicro.com/en_us/research/24/g/cve-2024-6387-and-cve-2024-6409.html)
References
For further reading and detailed technical information, please refer to the following references:
- Qualys: regreSSHion Vulnerability (https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt)
- Arctic Wolf: CVE-2024-6387 Analysis (https://arcticwolf.com/resources/blog/cve-2024-6387/)
- Uptycs: OpenSSH Vulnerability Explained (https://www.uptycs.com/blog/threat-research-report-team/openssh-vulnerability-cve-2024-6387-details)
- Palo Alto Networks: Threat Brief (https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/)
- Picus Security: Exploitation and Mitigation (https://www.picussecurity.com/resource/blog/openssh-regresshion-cve-2024-6387-vulnerability-exploitation-mitigation)
Rescana is here for you
At Rescana, we understand the critical importance of staying ahead of emerging threats. Our Continuous Threat and Exposure Management (CTEM) platform helps organizations identify, assess, and mitigate vulnerabilities like CVE-2024-6387. We provide comprehensive threat intelligence and proactive security measures to ensure your organization's resilience against cyber threats. If you have any questions about this report or any other issue, please contact us at ops@rescana.com.