Alert: Remote Code Execution Vulnerability (CVE-2024-6387) found in OpenSSH Server (sshd)
Hello everyone!
A Remote Code Execution Vulnerability has been discovered in OpenSSH Server (sshd). This vulnerability is tracked as CVE-2024-6387 and allows an unauthenticated remote attacker to execute arbitrary code as root.
Vulnerability details
According to a Debian security bulletin, If a client does not authenticate within the default 120-second LoginGraceTime, sshd's SIGALRM handler is called asynchronously, invoking various functions that are not async-signal-safe. This vulnerability enables remote unauthenticated attackers to execute arbitrary code with root privileges. Exploiting this vulnerability, known as regreSSHion, can lead to severe consequences for targeted servers, including potential complete system takeover.
ManageEngine Vulnerability Manager Plus has you protected!
You can deploy the following patches to your Linux endpoints to remediate this remote code execution vulnerability. To install these updates on your machines, initiate a sync between the Central Patch Repository and the Vulnerability Manager Plus server. Once the sync is complete, you can navigate to Threats > Software Vulnerabilities in the console to view if this vulnerability has been detected in your network and then search for the following Patch IDs or Bulletin ID and deploy them to your target systems.
Patch details
Ubuntu:
Patch ID | Bulletin ID | Patch Description |
744427 | USN-6859-1 | Update for Ubuntu 22.04 LTS (x64) openssh-client_8.9p1-3ubuntu0.10_amd64.deb |
744428 | USN-6859-1 | Update for Ubuntu 22.04 LTS openssh-client_8.9p1-3ubuntu0.10_i386.deb |
744429 | USN-6859-1 | Update for Ubuntu 23.10 (x64) openssh-client_9.3p1-1ubuntu3.6_amd64.deb |
744430 | USN-6859-1 | Update for Ubuntu 23.10 openssh-client_9.3p1-1ubuntu3.6_i386.deb |
744431 | USN-6859-1 | Update for Ubuntu 24.04 LTS (x64) openssh-client_9.6p1-3ubuntu13.3_amd64.deb |
744432 | USN-6859-1 | Update for Ubuntu 24.04 LTS openssh-client_9.6p1-3ubuntu13.3_i386.deb |
744433 | USN-6859-1 | Update for Ubuntu 22.04 LTS (x64) openssh-server_8.9p1-3ubuntu0.10_amd64.deb |
744434 | USN-6859-1 | Update for Ubuntu 22.04 LTS openssh-server_8.9p1-3ubuntu0.10_i386.deb |
744435 | USN-6859-1 | Update for Ubuntu 23.10 (x64) openssh-server_9.3p1-1ubuntu3.6_amd64.deb |
744436 | USN-6859-1 | Update for Ubuntu 23.10 openssh-server_9.3p1-1ubuntu3.6_i386.deb |
744437 | USN-6859-1 | Update for Ubuntu 24.04 LTS (x64) openssh-server_9.6p1-3ubuntu13.3_amd64.deb |
744438 | USN-6859-1 | Update for Ubuntu 24.04 LTS openssh-server_9.6p1-3ubuntu13.3_i386.deb |
Debian:
Patch ID | Bulletin ID | Patch Description |
803970 | DSA-5724-1 | Update for Debian GNU/Linux 12 (Bookworm) (x64) openssh-client_9.2p1-2+deb12u3_amd64.deb |
803971 | DSA-5724-1 | Update for Debian GNU/Linux 12 (Bookworm) openssh-client_9.2p1-2+deb12u3_i386.deb |
803972 | DSA-5724-1 | Update for Debian GNU/Linux 12 (Bookworm) (x64) openssh-server_9.2p1-2+deb12u3_amd64.deb |
803973 | DSA-5724-1 | Update for Debian GNU/Linux 12 (Bookworm) openssh-server_9.2p1-2+deb12u3_i386.deb |
803974 | DSA-5724-1 | Update for Debian GNU/Linux 12 (Bookworm) (x64) openssh-sftp-server_9.2p1-2+deb12u3_amd64.deb |
803975 | DSA-5724-1 | Update for Debian GNU/Linux 12 (Bookworm) openssh-sftp-server_9.2p1-2+deb12u3_i386.deb |
803976 | DSA-5724-1 | Update for Debian GNU/Linux 12 (Bookworm) (x64) openssh-tests_9.2p1-2+deb12u3_amd64.deb |
803977 | DSA-5724-1 | Update for Debian GNU/Linux 12 (Bookworm) openssh-tests_9.2p1-2+deb12u3_i386.deb |
Red Hat:
Patch ID | Bulletin ID | Patch Description |
1172245 | RHSA-2024:4312 | Update for Red Hat Enterprise Linux 9 (x86_64) openssh-8.7p1-38.el9_4.1.x86_64.rpm |
1172246 | RHSA-2024:4312 | Update for Red Hat Enterprise Linux 9 (x86_64) openssh-askpass-8.7p1-38.el9_4.1.x86_64.rpm |
1172248 | RHSA-2024:4312 | Update for Red Hat Enterprise Linux 9 (x86_64) openssh-clients-8.7p1-38.el9_4.1.x86_64.rpm |
1172254 | RHSA-2024:4312 | Update for Red Hat Enterprise Linux 9 (x86_64) openssh-server-8.7p1-38.el9_4.1.x86_64.rpm |
Oracle:
Patch ID | Bulletin ID | Patch Description |
1630163 | ELSA-2024-12468 | Update for Oracle Linux 9 (x64) openssh-8.7p1-38.0.2.el9.x86_64.rpm |
1630165 | ELSA-2024-12468 | Update for Oracle Linux 9 (x64) openssh-server-8.7p1-38.0.2.el9.x86_64.rpm |
1630166 | ELSA-2024-12468 | Update for Oracle Linux 9 (x64) openssh-keycat-8.7p1-38.0.2.el9.x86_64.rpm |
1630167 | ELSA-2024-12468 | Update for Oracle Linux 9 (x64) openssh-askpass-8.7p1-38.0.2.el9.x86_64.rpm |
1630168 | ELSA-2024-12468 | Update for Oracle Linux 9 (x64) openssh-clients-8.7p1-38.0.2.el9.x86_64.rpm |
Rocky Linux:
Patch ID | Bulletin ID | Patch Description |
2507087 | RLNSA-2024:4312 | Update for Rocky Linux 9 (x64) openssh-8.7p1-38.el9_4.1.x86_64.rpm |
2507088 | RLNSA-2024:4312 | Update for Rocky Linux 9 (x64) openssh-askpass-8.7p1-38.el9_4.1.x86_64.rpm |
2507089 | RLNSA-2024:4312 | Update for Rocky Linux 9 (x64) openssh-clients-8.7p1-38.el9_4.1.x86_64.rpm |
2507090 | RLNSA-2024:4312 | Update for Rocky Linux 9 (x64) openssh-keycat-8.7p1-38.el9_4.1.x86_64.rpm |
2507091 | RLNSA-2024:4312 | Update for Rocky Linux 9 (x64) openssh-server-8.7p1-38.el9_4.1.x86_64.rpm |
Amazon Linux:
Patch ID | Bulletin ID | Patch Description |
2804698 | ALAS-2024-649 | Update for Amazon Linux 2023 (x64) openssh-8.7p1-8.amzn2023.0.11.x86_64.rpm |
2804699 | ALAS-2024-649 | Update for Amazon Linux 2023 (x64) openssh-clients-8.7p1-8.amzn2023.0.11.x86_64.rpm |
2804700 | ALAS-2024-649 | Update for Amazon Linux 2023 (x64) openssh-keycat-8.7p1-8.amzn2023.0.11.x86_64.rpm |
2804701 | ALAS-2024-649 | Update for Amazon Linux 2023 (x64) openssh-server-8.7p1-8.amzn2023.0.11.x86_64.rpm |
*Amazon Linux patching is currently available for new users and will roll out to existing users in September 2024. For more details, refer here.
Mitigation Steps Suggested by Red Hat
These following steps can help protect against a Remote Code Execution attack by disabling the LoginGraceTime parameter. However, the sshd server remains vulnerable to a Denial of Service attack, as an attacker could still exhaust all available connections.
1) As root user, open the /etc/ssh/sshd_config
2) Add or edit the parameter configuration:
LoginGraceTime 0
3) Save and close the file
4) Restart the sshd daemon:
systemctl restart sshd.service
Note:
- For SUSE Linux Enterprise: The patch support will be available soon.
- For CentOS: The patches have not yet been released by the vendor. In the meantime, follow Red Hat's recommended mitigation steps. Rest assured, Vulnerability Manager Plus will support these patches as soon as they're available. Stay tuned for updates!
Cheers,
The ManageEngine Team