Skip to content
Join the Censys Community Forum: Connect, Share, and Thrive! | Start Here
Advisory

July 2, 2024 Advisory: regreSSHion RCE Vulnerability in OpenSSH Server [CVE-2024-6387]

  • CVE-ID and CVSS Score: CVE-2024-6387 / CVSS 8.1
  • Asset Description:
    OpenSSH server (sshd) on glibc-based Linux systems, versions:

      • Earlier than 4.4p1 (if not patched for CVE-2006-5051 and CVE-2008-4109)
      • 8.5p1 up to, but not including, 9.8p1

    OpenSSH is a widely used tool on Linux that allows secure remote access and communication between computers over a network.

  • Vulnerability Impact:
    If successfully exploited, an attacker could:

    • Execute arbitrary code with root privileges
    • Install malware and create backdoors
    • Manipulate data and traverse other vulnerable systems
    • Bypass security mechanisms like firewalls and intrusion detection systems
    • Conduct significant data breaches, resulting in the leakage of sensitive information
  • Exploitation Details:
    Exploitation requires deep understanding of timing attacks and memory manipulation. An attacker would:

    1. Initiate multiple connections to the target OpenSSH server, triggering the LoginGraceTime limit without completing authentication.
    2. Send specially crafted inputs to manipulate the server’s memory layout, leading to heap corruption.
    3. Create an inconsistent state in the heap by triggering the SIGALRM signal during memory allocation or deallocation functions.

    Exploitation is challenging and typically requires around 10,000 attempts on average.

  • Patch Availability: OpenSSH 9.8p1 has been released to address this vulnerability. Users should update to this version as soon as possible. Different Linux vendors have different patches. Admins should seek out their vendor-specific patches.
  • Detection with Censys: The following queries can be leveraged to identify all Censys-visible public-facing OpenSSH instances.

    Censys Search query: services: (software.product: openssh and software.version: [8.5 to 9.8} and not ssh.endpoint_id.comment: {“Ubuntu-3ubuntu0.10”, “Ubuntu-1ubuntu3.6”, “Ubuntu-3ubuntu13.3”, “Debian-5+deb11u3”, “Debian-2+deb12u3”, “FreeBSD-20240701”})

    Censys ASM query: host.services.software: (product: “openssh” and version: [8.5 to 9.8})

    Censys ASM Risk query: risks.name=”Vulnerable OpenSSH [CVE-2024-6387]”

Similar Content

Back to Resources Hub
Attack Surface Management Solutions
Learn more