1 in 3 OpenSSH Servers Are Vulnerable – Protect Yourself Against CVE-2024-6387
A critical security vulnerability, identified as CVE-2024-6387, has been discovered in the OpenSSH server. This widespread vulnerability poses a significant threat to millions of systems globally. Dubbed “RegreSSHion,” this vulnerability enables remote unauthenticated code execution, potentially allowing attackers to gain unauthorized access and control over affected systems.
Overview of CVE-2024-6387
The flaw resides in signal handler race conditions in glibc-based Linux systems. An unauthenticated, remote attacker can exploit this race condition by sending specially crafted packets to the server. This can lead to executing arbitrary code with root privileges.
According to the research, this issue affects over 14 million instances, 31% of all internet-facing instances. Exploiting this bug would take an attacker between 6-8 hours in a lab environment against a 32-bit Linux OS. If attackers are given the opportunity, they will most likely discover a way to exploit systems that haven’t been patched.
Affected Versions
The vulnerability affects OpenSSH versions 8.5p1 through 9.8p1 (excluded). Because this is a regression issue, OpenSSH versions before 4.4p1 may be vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109.
Although the vulnerability is likely to exist on both macOS and Windows, its exploitability remains uncertain. This issue does not affect the OpenBSD system, which developed a secure mechanism in 2001 to prevent this vulnerability from occurring.
Mitigation Recommendations
We recommend the following mitigation strategies to protect against CVE-2024-6387:
- Monitor Systems: Implement ASPM processes for robust monitoring and detection of used OpenSSH servers in the organization. As we show below, this is done through extensive SBOM capabilities and code analysis capabilities from code to cloud.
- Update OpenSSH: The OpenSSH development team has released a patch addressing this issue. Users and administrators are strongly urged to update their OpenSSH server to version 9.8p1 or later. For more information, see OpenSSH security.
- Set LoginGraceTime to 0: If the OpenSSH server can’t be updated, an alternative mitigation is to set the “LoginGraceTime” configuration value to “0” in the OpenSSH config file and restart the “sshd” service. Setting this value can expose the server to denial of service but prevents the risk of remote code execution.
- Network Segmentation: Limit SSH access to trusted networks and users to reduce exposure.
Detect and Remediate Through the Cycode Platform
Cycode offers a complete ASPM platform that effectively helps customers detect and remediate this vulnerability through our code-to-cloud analysis and powerful native scanners. We provide two main remediation strategies for the OpenSSH server vulnerability:
1. Code Analysis: By identifying OpenSSH server installations used in development workflows, such as Dockerfiles, Cycode can determine whether these images need updating or rebuilding. This allows organizations to detect and remediate vulnerabilities early by assigning the task to the appropriate team members (for example, the repository owner).
2. Container Scanning: Cycode’s container scanning builds a Software Bill of Materials (SBOM) for each image and checks it against known vulnerabilities, including CVE-2024-6387. Detected vulnerabilities are flagged on the violation page for prompt action.
These mitigation strategies are available on the Cycode threat intelligence dashboard, providing comprehensive visibility and actionable insights to enhance security posture.
How Cycode Protects Against CVE-2024-6387
The impact of CVE-2024-6387 is expected to be significant both due to its severity and its widespread use. Though no exploits have yet been publicly reported, we anticipate it is only a matter of time for organizations that fail to take preventative steps are affected. The good news is that Cycode can help mitigate and remediate vulnerabilities like CVE-2024-6387.
Cycode is the leading Application Security Posture Management (ASPM) providing peace of mind to its customers. Its Complete ASPM platform scales and standardizes developer security without slowing down the business to deliver safe code, faster.
The platform can replace existing application security testing tools or integrate with them while providing cyber resiliency through unmatched visibility, risk driven prioritization, and just in-time remediation of code vulnerabilities as scale. Cycode’s Risk Intelligence Graph (RIG), the ‘brain’ behind the platform, provides traceability across the entire SDLC through natural language.
To learn more about how our AI-driven detection and continuous scanning can transform your organization’s approach to managing material code changes book a demo now.
