Alert: Remote Code Execution Vulnerability (CVE-2024-6387) found in OpenSSH Server (sshd)

Hello everyone!

A Remote Code Execution Vulnerability has been discovered in OpenSSH Server (sshd). This vulnerability is tracked as CVE-2024-6387 and allows an unauthenticated remote attacker to execute arbitrary code as root.

Vulnerability details

According to a Debian security bulletin, if a client does not authenticate within the default 120-second LoginGraceTime, sshd's SIGALRM handler is called asynchronously and invokes various functions that are not async-signal-safe. This allows remote unauthenticated attackers to execute arbitrary code with root privileges. This vulnerability, known as regreSSHion, can have severe consequences for targeted servers, up to and including complete system takeover.

ManageEngine Patch Manager Plus has you protected!

You can deploy the following patches to your Linux endpoints to remediate this remote code execution vulnerability. To install these updates on your machines, initiate a sync between the Central Patch Repository and the Patch Manager Plus server. Once the sync is complete, search for the following Patch IDs or Bulletin ID and deploy them to your target systems.

Patch details

Ubuntu:

| Patch ID | Bulletin ID | Patch Description |
|---|---|---|
| 744427 | USN-6859-1 | Update for Ubuntu 22.04 LTS (x64) openssh-client_8.9p1-3ubuntu0.10_amd64.deb |
| 744428 | USN-6859-1 | Update for Ubuntu 22.04 LTS openssh-client_8.9p1-3ubuntu0.10_i386.deb |
| 744429 | USN-6859-1 | Update for Ubuntu 23.10 (x64) openssh-client_9.3p1-1ubuntu3.6_amd64.deb |
| 744430 | USN-6859-1 | Update for Ubuntu 23.10 openssh-client_9.3p1-1ubuntu3.6_i386.deb |
| 744431 | USN-6859-1 | Update for Ubuntu 24.04 LTS (x64) openssh-client_9.6p1-3ubuntu13.3_amd64.deb |
| 744432 | USN-6859-1 | Update for Ubuntu 24.04 LTS openssh-client_9.6p1-3ubuntu13.3_i386.deb |
| 744433 | USN-6859-1 | Update for Ubuntu 22.04 LTS (x64) openssh-server_8.9p1-3ubuntu0.10_amd64.deb |
| 744434 | USN-6859-1 | Update for Ubuntu 22.04 LTS openssh-server_8.9p1-3ubuntu0.10_i386.deb |
| 744435 | USN-6859-1 | Update for Ubuntu 23.10 (x64) openssh-server_9.3p1-1ubuntu3.6_amd64.deb |
| 744436 | USN-6859-1 | Update for Ubuntu 23.10 openssh-server_9.3p1-1ubuntu3.6_i386.deb |
| 744437 | USN-6859-1 | Update for Ubuntu 24.04 LTS (x64) openssh-server_9.6p1-3ubuntu13.3_amd64.deb |
| 744438 | USN-6859-1 | Update for Ubuntu 24.04 LTS openssh-server_9.6p1-3ubuntu13.3_i386.deb |

Debian:
| Patch ID | Bulletin ID | Patch Description |
|---|---|---|
| 803970 | DSA-5724-1 | Update for Debian GNU/Linux 12 (Bookworm) (x64) openssh-client_9.2p1-2+deb12u3_amd64.deb |
| 803971 | DSA-5724-1 | Update for Debian GNU/Linux 12 (Bookworm) openssh-client_9.2p1-2+deb12u3_i386.deb |
| 803972 | DSA-5724-1 | Update for Debian GNU/Linux 12 (Bookworm) (x64) openssh-server_9.2p1-2+deb12u3_amd64.deb |
| 803973 | DSA-5724-1 | Update for Debian GNU/Linux 12 (Bookworm) openssh-server_9.2p1-2+deb12u3_i386.deb |
| 803974 | DSA-5724-1 | Update for Debian GNU/Linux 12 (Bookworm) (x64) openssh-sftp-server_9.2p1-2+deb12u3_amd64.deb |
| 803975 | DSA-5724-1 | Update for Debian GNU/Linux 12 (Bookworm) openssh-sftp-server_9.2p1-2+deb12u3_i386.deb |
| 803976 | DSA-5724-1 | Update for Debian GNU/Linux 12 (Bookworm) (x64) openssh-tests_9.2p1-2+deb12u3_amd64.deb |
| 803977 | DSA-5724-1 | Update for Debian GNU/Linux 12 (Bookworm) openssh-tests_9.2p1-2+deb12u3_i386.deb |

Red Hat:
| Patch ID | Bulletin ID | Patch Description |
|---|---|---|
| 1172245 | RHSA-2024:4312 | Update for Red Hat Enterprise Linux 9 (x86_64) openssh-8.7p1-38.el9_4.1.x86_64.rpm |
| 1172246 | RHSA-2024:4312 | Update for Red Hat Enterprise Linux 9 (x86_64) openssh-askpass-8.7p1-38.el9_4.1.x86_64.rpm |
| 1172248 | RHSA-2024:4312 | Update for Red Hat Enterprise Linux 9 (x86_64) openssh-clients-8.7p1-38.el9_4.1.x86_64.rpm |
| 1172254 | RHSA-2024:4312 | Update for Red Hat Enterprise Linux 9 (x86_64) openssh-server-8.7p1-38.el9_4.1.x86_64.rpm |

Oracle:
| Patch ID | Bulletin ID | Patch Description |
|---|---|---|
| 1630163 | ELSA-2024-12468 | Update for Oracle Linux 9 (x64) openssh-8.7p1-38.0.2.el9.x86_64.rpm |
| 1630165 | ELSA-2024-12468 | Update for Oracle Linux 9 (x64) openssh-server-8.7p1-38.0.2.el9.x86_64.rpm |
| 1630166 | ELSA-2024-12468 | Update for Oracle Linux 9 (x64) openssh-keycat-8.7p1-38.0.2.el9.x86_64.rpm |
| 1630167 | ELSA-2024-12468 | Update for Oracle Linux 9 (x64) openssh-askpass-8.7p1-38.0.2.el9.x86_64.rpm |
| 1630168 | ELSA-2024-12468 | Update for Oracle Linux 9 (x64) openssh-clients-8.7p1-38.0.2.el9.x86_64.rpm |

Rocky Linux:

| Patch ID | Bulletin ID | Patch Description |
|---|---|---|
| 2507087 | RLNSA-2024:4312 | Update for Rocky Linux 9 (x64) openssh-8.7p1-38.el9_4.1.x86_64.rpm |
| 2507088 | RLNSA-2024:4312 | Update for Rocky Linux 9 (x64) openssh-askpass-8.7p1-38.el9_4.1.x86_64.rpm |
| 2507089 | RLNSA-2024:4312 | Update for Rocky Linux 9 (x64) openssh-clients-8.7p1-38.el9_4.1.x86_64.rpm |
| 2507090 | RLNSA-2024:4312 | Update for Rocky Linux 9 (x64) openssh-keycat-8.7p1-38.el9_4.1.x86_64.rpm |
| 2507091 | RLNSA-2024:4312 | Update for Rocky Linux 9 (x64) openssh-server-8.7p1-38.el9_4.1.x86_64.rpm |

Amazon Linux:

| Patch ID | Bulletin ID | Patch Description |
|---|---|---|
| 2804698 | ALAS-2024-649 | Update for Amazon Linux 2023 (x64) openssh-8.7p1-8.amzn2023.0.11.x86_64.rpm |
| 2804699 | ALAS-2024-649 | Update for Amazon Linux 2023 (x64) openssh-clients-8.7p1-8.amzn2023.0.11.x86_64.rpm |
| 2804700 | ALAS-2024-649 | Update for Amazon Linux 2023 (x64) openssh-keycat-8.7p1-8.amzn2023.0.11.x86_64.rpm |
| 2804701 | ALAS-2024-649 | Update for Amazon Linux 2023 (x64) openssh-server-8.7p1-8.amzn2023.0.11.x86_64.rpm |

*Amazon Linux patching is currently available for new users and will roll out to existing users in September 2024. For more details, refer here.

Mitigation Steps Suggested by Red Hat

The following steps can help protect against a Remote Code Execution attack by setting LoginGraceTime to 0, which disables the login timeout and therefore the SIGALRM handler that the exploit relies on. However, the sshd server remains vulnerable to a Denial of Service attack, as an attacker could still exhaust all available connections, since unauthenticated sessions are no longer timed out.

1) As the root user, open /etc/ssh/sshd_config

2) Add or edit the parameter configuration:

LoginGraceTime 0

3) Save and close the file

4) Restart the sshd daemon:

systemctl restart sshd.service
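As an added example (not ManageEngine's or Red Hat's own tooling), the four steps above as an idempotent POSIX shell script: it reports the active LoginGraceTime value, rewrites the config so that exactly one active "LoginGraceTime 0" directive remains, and validates the file with sshd -t before restarting. It assumes the config path and unit name from the steps above, and that keyword and value are whitespace-separated (sshd keywords are case-insensitive, which the script honours).

```shell
#!/bin/sh
# Added example: apply the "LoginGraceTime 0" mitigation for CVE-2024-6387.
# Assumes a POSIX sh with awk, mktemp and (when applying) sshd + systemctl.

# Print the active LoginGraceTime value from the given sshd_config. Like sshd,
# the first uncommented occurrence wins; "120" (the sshd default) if unset.
get_login_grace_time() {
    awk 'tolower($1) == "logingracetime" { print $2; found = 1; exit }
         END { if (!found) print "120" }' "$1"
}

# Rewrite the config so exactly one active "LoginGraceTime 0" directive
# exists: the first active directive is replaced, later duplicates dropped,
# and one is appended if none was present. Comments/other lines are kept.
set_login_grace_time_zero() {
    cfg="$1"
    tmp=$(mktemp) || return 1
    awk 'tolower($1) == "logingracetime" {
             if (!done) { print "LoginGraceTime 0"; done = 1 }
             next
         }
         { print }
         END { if (!done) print "LoginGraceTime 0" }' "$cfg" > "$tmp" || return 1
    cat "$tmp" > "$cfg"   # keeps the original file's owner and mode
    rm -f "$tmp"
}

# Steps 1-4 from the mitigation: edit, validate, restart. Run as root.
# Usage: apply_mitigation [path-to-sshd_config]
apply_mitigation() {
    cfg="${1:-/etc/ssh/sshd_config}"
    set_login_grace_time_zero "$cfg" || return 1
    # Validate before restarting so a broken config cannot lock you out.
    sshd -t -f "$cfg" || return 1
    systemctl restart sshd.service
}
```

Because sshd honours the first occurrence of a keyword, including ones pulled in by an Include directive earlier in the file, confirm the effective value after restarting with "sshd -T | grep -i logingracetime" (which must print 0).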


Note:
  • For SUSE Linux Enterprise: The patch support will be available soon.
  • For CentOS: The patches have not yet been released by the vendor. In the meantime, follow Red Hat's recommended mitigation steps. Rest assured, Patch Manager Plus will support these patches as soon as they're available. Stay tuned for updates!

You can also detect this vulnerability in your network with ManageEngine Endpoint Central and Vulnerability Manager Plus. They will scan your network to identify the vulnerability. Once detected, navigate to Threats > Software Vulnerabilities in the console to view them.


Cheers,
The ManageEngine Team
