July 2, 2024 Advisory: regreSSHion RCE Vulnerability in OpenSSH Server [CVE-2024-6387]

• • Earlier than 4.4p1 (if not patched for CVE-2006-5051 and CVE-2008-4109)
  • 8.5p1 up to, but not including, 9.8p1

OpenSSH is a widely used tool on Linux that allows secure remote access and communication between computers over a network.

• Execute arbitrary code with root privileges
• Install malware and create backdoors
• Manipulate data and traverse other vulnerable systems
• Bypass security mechanisms like firewalls and intrusion detection systems
• Conduct significant data breaches, resulting in the leakage of sensitive information

1. Initiate multiple connections to the target OpenSSH server, triggering the LoginGraceTime limit without completing authentication.
2. Send specially crafted inputs to manipulate the server’s memory layout, leading to heap corruption.
3. Create an inconsistent state in the heap by triggering the SIGALRM signal during memory allocation or deallocation functions.

Exploitation is challenging and typically requires around 10,000 attempts on average.

Censys Search query: services: (software.product: openssh and software.version: [8.5 to 9.8} and not ssh.endpoint_id.comment: {“Ubuntu-3ubuntu0.10”, “Ubuntu-1ubuntu3.6”, “Ubuntu-3ubuntu13.3”, “Debian-5+deb11u3”, “Debian-2+deb12u3”, “FreeBSD-20240701”})

Censys ASM query: host.services.software: (product: “openssh” and version: [8.5 to 9.8})

Censys ASM Risk query: risks.name=”Vulnerable OpenSSH [CVE-2024-6387]”