{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-066.pdf"
    },
    "title": "Critical Vulnerability in OpenSSH",
    "serial_number": "2024-066",
    "publish_date": "09-07-2024 15:35:08",
    "description": "On July 1, 2024, a new OpenSSH unauthenticated remote code execution (RCE) vulnerability dubbed regreSSHion was reported, affecting glibc-based Linux systems. This vulnerability, identified as CVE-2024-6387, allows remote attackers to execute arbitrary code as root due to a signal handler race condition in sshd.",
    "url_title": "2024-066",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in OpenSSH'\nnumber: '2024-066'\nversion: '1.1'\noriginal_date: 'July 1, 2024'\ndate: 'July 9, 2024'\n---\n\n_History:_\n\n* _01/07/2024 --- v1.0 -- Initial publication_\n* _09/07/2024 --- v1.1 -- Update regarding CISCO advisory_\n\n# Summary\n\nOn July 1, 2024, a new OpenSSH unauthenticated remote code execution (RCE) vulnerability dubbed _regreSSHion_ was reported, affecting glibc-based Linux systems. This vulnerability, identified as **CVE-2024-6387**, allows remote attackers to execute arbitrary code as root due to a signal handler race condition in sshd [1].\n\n# Technical Details\n\nThis vulnerability, if exploited, could lead to full-system compromise, where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organisation [2].\n\n# Affected Products\n\nThe _regreSSHion_ flaw impacts OpenSSH servers on Linux from version 8.5p1 up to, but not including 9.8p1 [1].\n\nVersions 4.4p1 up to, but not including 8.5p1 are not vulnerable to **CVE-2024-6387** thanks to a patch for CVE-2006-5051, which secured a previously unsafe function [1].\n\nVersions older than 4.4p1 are vulnerable to _regreSSHion_ unless they are patched for CVE-2006-5051 and CVE-2008-4109. OpenBSD systems are not impacted by this flaw thanks to a secure mechanism introduced back in 2001 [1].\n\n**[New]** Cisco has issued a security advisory confirming that the vulnerability is affecting multiple Cisco products. 
The list is available in Cisco's advisory [6].\n\n# Recommendations\n\n**[Updated]** CERT-EU recommends reviewing and applying the patches from Linux distribution security bulletins, including but not limited to:\n\n- Ubuntu [3]\n- Debian [4]\n- RedHat [5]\n- Cisco [6]\n\nHowever, if sshd cannot be updated immediately, set `LoginGraceTime` to 0 in the sshd configuration file, but note that this can expose the server to denial-of-service attacks [1]. It is also highly recommended to restrict SSH access to trusted hosts only.\n\n# References\n\n[1] <https://www.bleepingcomputer.com/news/security/new-regresshion-openssh-rce-bug-gives-root-on-linux-servers/>\n\n[2] <https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server>\n\n[3] <https://ubuntu.com/security/CVE-2024-6387>\n\n[4] <https://security-tracker.debian.org/tracker/CVE-2024-6387>\n\n[5] <https://access.redhat.com/security/cve/cve-2024-6387>\n\n[6] <https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssh-rce-2024>",
    "content_html": "<p><em>History:</em></p><ul><li><em>01/07/2024 --- v1.0 -- Initial publication</em></li><li><em>09/07/2024 --- v1.1 -- Update regarding CISCO advisory</em></li></ul><h2 id=\"summary\">Summary</h2><p>On July 1, 2024, a new OpenSSH unauthenticated remote code execution (RCE) vulnerability dubbed <em>regreSSHion</em> was reported, affecting glibc-based Linux systems. This vulnerability, identified as <strong>CVE-2024-6387</strong>, allows remote attackers to execute arbitrary code as root due to a signal handler race condition in sshd [1].</p><h2 id=\"technical-details\">Technical Details</h2><p>This vulnerability, if exploited, could lead to full-system compromise, where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organisation [2].</p><h2 id=\"affected-products\">Affected Products</h2><p>The <em>regreSSHion</em> flaw impacts OpenSSH servers on Linux from version 8.5p1 up to, but not including 9.8p1 [1].</p><p>Versions 4.4p1 up to, but not including 8.5p1 are not vulnerable to <strong>CVE-2024-6387</strong> thanks to a patch for CVE-2006-5051, which secured a previously unsafe function [1].</p><p>Versions older than 4.4p1 are vulnerable to <em>regreSSHion</em> unless they are patched for CVE-2006-5051 and CVE-2008-4109. OpenBSD systems are not impacted by this flaw thanks to a secure mechanism introduced back in 2001 [1].</p><p><strong>[New]</strong> Cisco has issued a security advisory confirming that the vulnerability is affecting multiple Cisco products. 
The list is available in Cisco's advisory [6].</p><h2 id=\"recommendations\">Recommendations</h2><p><strong>[Updated]</strong> CERT-EU recommends reviewing and applying the patches from Linux distribution security bulletins, including but not limited to:</p><ul><li>Ubuntu [3]</li><li>Debian [4]</li><li>RedHat [5]</li><li>Cisco [6]</li></ul><p>However, if sshd cannot be updated immediately, set <code>LoginGraceTime</code> to 0 in the sshd configuration file, but note that this can expose the server to denial-of-service attacks [1]. It is also highly recommended to restrict SSH access to trusted hosts only.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/new-regresshion-openssh-rce-bug-gives-root-on-linux-servers/\">https://www.bleepingcomputer.com/news/security/new-regresshion-openssh-rce-bug-gives-root-on-linux-servers/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server\">https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://ubuntu.com/security/CVE-2024-6387\">https://ubuntu.com/security/CVE-2024-6387</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://security-tracker.debian.org/tracker/CVE-2024-6387\">https://security-tracker.debian.org/tracker/CVE-2024-6387</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://access.redhat.com/security/cve/cve-2024-6387\">https://access.redhat.com/security/cve/cve-2024-6387</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" 
href=\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssh-rce-2024\">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssh-rce-2024</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}