<?xml version="1.0" encoding="utf-8" standalone="yes"?><feed xmlns="http://www.w3.org/2005/Atom" xml:base="https://foundata.com/" xml:lang="en"><title>Cve-2024-6387 on foundata</title><id>https://foundata.com/en/tags/cve-2024-6387/feed-atom.xml</id><link rel="self" type="application/atom+xml" hreflang="en" href="https://foundata.com/en/tags/cve-2024-6387/feed-atom.xml" title="atom"/><link rel="alternate" type="text/html" hreflang="en" href="https://foundata.com/en/tags/cve-2024-6387/" title="html"/><link rel="alternate" type="application/rss+xml" hreflang="en" href="https://foundata.com/en/tags/cve-2024-6387/feed-rss.xml" title="rss"/><link rel="alternate" type="application/atom+xml" hreflang="de" href="https://foundata.com/de/tags/cve-2024-6387/feed-atom.xml" title="atom, Deutsch"/><link rel="alternate" type="text/html" hreflang="de" href="https://foundata.com/de/tags/cve-2024-6387/feed-atom.xml" title="html, Deutsch"/><link rel="alternate" type="application/rss+xml" hreflang="de" href="https://foundata.com/de/tags/cve-2024-6387/feed-atom.xml" title="rss, Deutsch"/><updated>2024-07-03T11:25:00Z</updated><author><name>foundata GmbH</name><email>webmaster@foundata.com</email><uri>https://foundata.com/</uri></author><rights>© 2023-2026, foundata GmbH (https://foundata.com)</rights><icon>https://foundata.com/images/feed-icon.67ff83c698af1511552374e80cf5f6ff26d497ef21f04186cf058859d535ca75.svg</icon><logo>https://foundata.com/images/feed-logo.9138f24a120dabc7e3d34003662131cc9c7f2ff153ec39d2f6dea3a48c35b4bf.svg</logo><entry><title type="html">OpenSSH Vulnerability: regreSSHion (CVE-2024-6387), Remote Code Execution (RCE)</title><id>tag:foundata.com,2024-07-01:/en/blog/2024/cve-2024-6387-regresshion-openssh-rce-vulnerability/</id><published>2024-07-01T11:50:00Z</published><updated>2024-07-03T11:25:00Z</updated><link href="https://foundata.com/en/blog/2024/cve-2024-6387-regresshion-openssh-rce-vulnerability/?utm_source=feed-atom" rel="alternate" type="text/html"/><link href="https://foundata.com/de/blog/2024/cve-2024-6387-regresshion-openssh-rce-sicherheitsluecke/?utm_source=feed-atom" rel="alternate" type="text/html" hreflang="de"/><link href="https://foundata.com/en/blog/2024/system-insights-command-line-lscpu-lsusb/?utm_source=feed-atom" rel="related" type="text/html" title="System insights with command-line tools: lscpu and lsusb"/><link href="https://foundata.com/en/blog/2024/quectel-em05-g-thinkpad-t14-gen4-fedora-linux/?utm_source=feed-atom" rel="related" type="text/html" title="Quectel EM05-G (LTE module) with ThinkPad T14 Gen4 on Fedora 39 and 40"/><link href="https://foundata.com/en/blog/2024/use-gpl-or-later/?utm_source=feed-atom" rel="related" type="text/html" title='Please use GPLv3 "or-later" instead of "only"'/><link href="https://foundata.com/en/blog/2024/aten-cv211-kvm-linux/?utm_source=feed-atom" rel="related" type="text/html" title="Using the ATEN CV211 (all-in-one KVM adapter) with Fedora Linux"/><link href="https://foundata.com/en/blog/2024/copyleft-open-source-licenses/?utm_source=feed-atom" rel="related" type="text/html" title="Use copyleft licenses for open source or life with the consequences"/><author><name>Andreas Haerter</name><uri>https://andreashaerter.com/</uri></author><summary type="html"><![CDATA[<p><strong>Long story short: Update your OpenSSH packages today, no matter what.</strong> The original <a href="https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt" target="_blank" rel="noreferrer noopener">Security Advisory by Qualsys</a> is worth a read and not to complicated to follow if you are interested in a bit of background information. A bit of a problem might be that this bug dropped literally the day after CentOS 8 and FreeBSD 13.2 went out of support (even though both seem to be unaffected).</p>]]></summary><content type="html" xml:base="https://foundata.com/"><![CDATA[<p><strong>Long story short: Update your OpenSSH packages today, no matter what.</strong> The original <a href="https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt" target="_blank" rel="noreferrer noopener">Security Advisory by Qualsys</a> is worth a read and not to complicated to follow if you are interested in a bit of background information. A bit of a problem might be that this bug dropped literally the day after CentOS 8 and FreeBSD 13.2 went out of support (even though both seem to be unaffected).</p>
<h2 id="mitigation" class="scroll-mt-20 md:scroll-mt-24 wrap-break-word group/heading "><a href="#mitigation" class="group-hover/heading:after:content-['#'] group-hover/heading:after:ml-1.5 group-hover/heading:after:text-content-400" id="mitigation">Mitigation</a></h2><p>If there are old boxes, make sure you apply proper firewalling to mitigate the issue. It seems that a exploit might need <em>a lot</em> of login tries on average to be successful without further optimizations. This might buy you a bit of time to patch everything today, even if the box was exposed to the public internet. Additionally, the exploit was only shown for 32-bit systems yet. There is a high probability that a yet-to-come exploit for 64-bit systems will be slower (=more login attempts needed on average for a successful hack).</p>
<p>If you cannot upgrade your system yet, the <a href="https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc" target="_blank" rel="noreferrer noopener">FreeBSD security advisory</a> states that setting <code>LoginGraceTime</code> to <code>0</code> <em>might</em> help:</p>
<blockquote>
<p>If sshd(8) cannot be updated, this signal handler race condition can be mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and restarting sshd(8). This makes sshd(8) vulnerable to a denial of service (the exhaustion of all MaxStartups connections), but makes it safe from the remote code execution presented in this advisory.</p></blockquote>
<h2 id="systems-known-to-be-affected" class="scroll-mt-20 md:scroll-mt-24 wrap-break-word group/heading "><a href="#systems-known-to-be-affected" class="group-hover/heading:after:content-['#'] group-hover/heading:after:ml-1.5 group-hover/heading:after:text-content-400" id="systems-known-to-be-affected">Systems known to be affected</a></h2><ul>
<li><a href="https://access.redhat.com/security/cve/cve-2024-6387" target="_blank" rel="noreferrer noopener">Red Hat Enterprise Linux (RHEL) 9</a> (and therefore probably all CentOS 9 versions)</li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2024-6387" target="_blank" rel="noreferrer noopener">Debian 12 Bookwork</a></li>
<li><a href="https://ubuntu.com/security/notices/USN-6859-1" target="_blank" rel="noreferrer noopener">Ubuntu 22, 23 and 24</a></li>
<li>Potentially all systems with OpenSSH 8.5p1 up to 9.8; the first patched version is OpenSSH 9.8p1.</li>
<li>Potentially all systems with OpenSSH versions earlier than 4.4p1, as long as their respective distributions have not backported patches for <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051" target="_blank" rel="noreferrer noopener">CVE-2006-5051</a> or <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051" target="_blank" rel="noreferrer noopener">CVE-2026-5051</a>.</li>
</ul>
<p>The list is probably incomplete and will be updated as more confirmations are obtained. Do not forget to restart the <code>sshd</code> service (for example, it seems that there are otherwise issues with key exchange on Arch Linux).</p>
<h2 id="propably-unaffected-systems" class="scroll-mt-20 md:scroll-mt-24 wrap-break-word group/heading "><a href="#propably-unaffected-systems" class="group-hover/heading:after:content-['#'] group-hover/heading:after:ml-1.5 group-hover/heading:after:text-content-400" id="propably-unaffected-systems">Propably unaffected systems</a></h2><p>Even if your systems seem to be not affected in general: Update. Now. There will be a lot of research about this vulnerability and maybe new ways to exploit it will be discovered.</p>
<p>Currently not affected are:</p>
<ul>
<li>Red Hat Enterprise Linux (RHEL) 6, 7 und 8<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> (and therefore probably all related CentOS versions)</li>
<li>Debian 11 Bullseye<sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup></li>
<li>FreeBSD<sup id="fnref:3"><a href="#fn:3" class="footnote-ref" role="doc-noteref">3</a></sup></li>
<li>OpenBSD<sup id="fnref:4"><a href="#fn:4" class="footnote-ref" role="doc-noteref">4</a></sup></li>
</ul>
<h2 id="links" class="scroll-mt-20 md:scroll-mt-24 wrap-break-word group/heading "><a href="#links" class="group-hover/heading:after:content-['#'] group-hover/heading:after:ml-1.5 group-hover/heading:after:text-content-400" id="links">Links</a></h2><p>Additional links and reports:</p>
<ul>
<li><a href="https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt" target="_blank" rel="noreferrer noopener">Qualys Security Advisory: regreSSHion: RCE in OpenSSH&rsquo;s server, on glibc-based Linux systems
(CVE-2024-6387)</a></li>
<li><a href="https://news.ycombinator.com/item?id=40843778" target="_blank" rel="noreferrer noopener">Hacker News Thread about (CVE-2024-6387)</a></li>
</ul>
<div class="footnotes" role="doc-endnotes">
<hr>
<ol>
<li id="fn:1">
<p>From the <a href="https://access.redhat.com/security/cve/cve-2024-6387" target="_blank" rel="noreferrer noopener">Red Hat: CVE-2024-6387</a> advisory: &ldquo;This flaw doesn&rsquo;t affect the OpenSSH versions as shipped with Red Hat Enterprise Linux 6, 7 and 8 as the vulnerability was introduced by a regression in upstream on OpenSSH 8.5p1 which is newer then shipped with the mentioned Red Hat Enterprise Linux versions.&rdquo;&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:2">
<p>See <a href="https://security-tracker.debian.org/tracker/CVE-2024-6387" target="_blank" rel="noreferrer noopener">https://security-tracker.debian.org/tracker/CVE-2024-6387</a>.&#160;<a href="#fnref:2" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:3">
<p>See <a href="https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc" target="_blank" rel="noreferrer noopener">https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc</a>. Unclear situation but not glibc based and the <code>syslog</code> code looks as if it doesn&rsquo;t do anything that corrupts the state if called from a signal handler. Patch in doubt.&#160;<a href="#fnref:3" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:4">
<p>From the <a href="https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt" target="_blank" rel="noreferrer noopener">Qualsys advisory</a>: &ldquo;OpenBSD is notably not vulnerable, because its <code>SIGALRM</code> handler calls <code>syslog_r()</code>, an async-signal-safer version of <code>syslog()</code> that was invented by OpenBSD in 2001.&rdquo; Additionally, not glibc based.&#160;<a href="#fnref:4" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
</ol>
</div>
]]></content><category scheme="taxonomy:tags" term="cve-2024-6387" label="cve-2024-6387"/><category scheme="taxonomy:tags" term="openssh" label="openssh"/><category scheme="taxonomy:tags" term="security" label="security"/></entry></feed>