A critical flaw has been identified in OpenSSH, a widely used suite of tools for remote administration of *nix systems. The bug allows an unauthenticated attacker to run arbitrary code on the affected system and potentially gain root privileges. The vulnerability, dubbed “regreSSHion” and catalogued as CVE-2024-6387, poses a significant risk because sshd (the OpenSSH server) is used so extensively across operating systems, IoT devices, and firewalls. While the issue might seem as alarming as past incidents like WannaCry and Log4Shell, the reality is more nuanced: widespread exploitation of this flaw is improbable. Nonetheless, every administrator running an OpenSSH server should address this security hole promptly.

What is OpenSSH?

The OpenSSH utility set is nearly ubiquitous. It is a popular implementation of the SSH (secure shell) protocol and is integrated into most Linux distributions, OpenBSD, FreeBSD, and macOS, as well as specialized devices like those based on Junos OS. OpenSSH is also frequently found in various consumer electronics such as TVs, smart doorbells, baby monitors, network media players, and robotic vacuum cleaners, which often run on Linux systems. Additionally, starting with Windows 10, OpenSSH is available in Microsoft’s operating systems as an optional component, though it is not installed by default. It’s no exaggeration to say that sshd operates on tens of millions of devices worldwide.

OpenSSH Affected Versions

  • OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
  • Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.
  • The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.

How is CVE-2024-6387 exploited?

During an SSH authentication attempt, the client has a set time limit to complete the process, 120 seconds by default (LoginGraceTime). If authentication has not completed within this period, the sshd server asynchronously invokes its SIGALRM signal handler, which in turn calls functions, including memory-management routines, that are not safe to run from a signal handler. Under certain conditions this produces a race condition that corrupts heap memory and can lead to arbitrary code execution.

To exploit this vulnerability, an attacker would need to make around 10,000 attempts on average. The target system must be running on Linux versions using the GNU C Library (glibc), such as all Debian-based systems. Additionally, attackers must prepare memory structures tailored to the specific version of glibc and Linux being used. Researchers have successfully reproduced the attack on 32-bit Linux systems, though it is theoretically possible on 64-bit systems as well, albeit with a lower success rate. Address Space Layout Randomization (ASLR) slows down the exploitation process but does not entirely prevent it.

How to Identify?

To identify whether your system is vulnerable to regreSSHion (CVE-2024-6387), you can use the following GitHub repository, which contains a script that checks for this specific issue:

    GitHub Repo: https://github.com/xaitax/CVE-2024-6387_Check

Clone the Repository:
Open your terminal and run the following command to clone the repository:

    git clone https://github.com/xaitax/CVE-2024-6387_Check

Single IP Scan:    python CVE-2024-6387_Check.py 192.168.1.1

Multiple IP Scan:  python CVE-2024-6387_Check.py -l targets.txt
 

Manually Identify

If you prefer to check your OpenSSH version manually:

  1. Check OpenSSH Version: Run the following command to determine your OpenSSH version:

        Command:  ssh -V

     Note the uppercase V: ssh -v enables verbose connection output instead of printing the version. ssh -V reports the OpenSSH client version; on most distributions the client and server are built from the same source package, so the numbers match, but verify the installed server package if in doubt.

     • Vulnerable Versions:
       • Earlier than 4.4p1 (unless patched for CVE-2006-5051 and CVE-2008-4109)
       • From 8.5p1 up to, but not including, 9.8p1
     • Non-vulnerable Versions:
       • 4.4p1 up to, but not including, 8.5p1
       • 9.8p1 and later

  2. Check for Applied Patches: If your version is earlier than 4.4p1, verify whether the patches for CVE-2006-5051 and CVE-2008-4109 have been applied.
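As an added example (not part of the original post and not the xaitax checker's code), the version ranges listed above as a small Python classifier that reads an sshd banner line or ssh -V output and applies this advisory's ranges. The sample banners are constructed, and the vendor-suffix handling is a heuristic of my own, because distributions often backport the fix without changing the upstream version number.

```python
import re

# Ranges from the advisory, as (inclusive lower, exclusive upper) on (major, minor, patch).
# The "pN" portable suffix is ignored: each boundary release named above (4.4p1, 8.5p1,
# 9.8p1) is the first portable build of its version, so "< 4.4p1" equals "< 4.4" in practice.
LEGACY_RANGE = ((0, 0, 0), (4, 4, 0))      # vulnerable unless CVE-2006-5051/CVE-2008-4109 applied
REGRESSION_RANGE = ((8, 5, 0), (9, 8, 0))  # the regreSSHion window

# Matches "OpenSSH_9.2p1 Debian-2+deb12u2", "OpenSSH_6.6.1p1", "OpenSSH_9.8" and similar.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p\d+)?(?:\s+(\S+))?")


def parse_banner(text):
    """Return ((major, minor, patch), vendor_suffix) from a banner or `ssh -V` line,
    or None if no OpenSSH version string is present (e.g. a Dropbear banner)."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    vendor = m.group(4).rstrip(",") if m.group(4) else None
    return version, vendor


def classify(text):
    """Map one banner line to a verdict using only the upstream version number."""
    parsed = parse_banner(text)
    if parsed is None:
        return "not OpenSSH"
    version, vendor = parsed
    if LEGACY_RANGE[0] <= version < LEGACY_RANGE[1]:
        verdict = "vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109"
    elif REGRESSION_RANGE[0] <= version < REGRESSION_RANGE[1]:
        verdict = "vulnerable"
    else:
        verdict = "not vulnerable"
    # Heuristic: a vendor suffix means a distribution build, which may carry a backported
    # fix under the old version number, so the package changelog decides, not the banner.
    if vendor and verdict != "not vulnerable":
        verdict += " (vendor build; confirm via package changelog)"
    return verdict


def triage(banners):
    """Return {banner: verdict} for banner lines collected from an inventory."""
    return {b: classify(b) for b in banners}


# Constructed sample banners (not real hosts), in the form sshd sends them.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_4.3",
    "SSH-2.0-dropbear_2020.81",
]

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{banner:45} {verdict}")
```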