• regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH serv


    #2684753
    From Twitter/X:

    This is a really interesting vulnerability, but *the Internet is not on fire.* Please read the actual advisory before spreading FUD. If you can’t understand the original advisory, please get someone to explain it to you.

    In short, the exploit has only been proven against x86 versions – NOT x64. That’s important because finding the right address to return to is exponentially harder in x64 than x86. This is definitely a “don’t delay patching” moment, but not a “OMG, get an outage window NOW” moment. Monitor for updates though, that could change (though highly unlikely IMO).

    This is also a great time to talk about zero trust. The foundational principle here is “deny all, permit by exception.” Most orgs don’t need SSH open to the whole Internet. Yes, ACLs are a pain to use. But you’re getting a lot back in security. That’s true for times like these, but it also makes credential compromises harder to meaningfully exploit.

    As an aside, if you can’t do IP ACLs for SSH (and everyone *can*, it’s just a question of overhead to maintain), consider changing the default port for SSH. In some testing, that’s dropped my failed login attempts by more than 95% (98%+ if you don’t make it something obvious like 2200, 2222, or 2022).

    Finally, let’s talk monitoring. It took @qualys researchers about a week to get a root shell. And that’s for the x86 version (which again, is infinitely easier to trigger than in x64). So even if you can’t just allow list a few IP addresses, you can for sure block list IPs that are hammering your server with ~10,000 exploit attempts. And before someone says “but Jake, what if they use a distributed network” – okay, but still block the obviously malicious IPs?

    Great work by the Qualys team. There aren’t many that can turn something like this into RCE – even in controlled environments.

    Susan Bradley Patch Lady/Prudent patcher
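    The block-listing approach the post above describes, as an added example that is not part of the original thread: a small Python script that counts pre-authentication events per source address in sshd logs (grace-time expiries, pre-auth disconnects, failed logins) and flags any address that produces many of them inside a short window, then emits firewall commands for the flagged addresses. The sample log lines are constructed, and the nft table and set names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log sample (not from the original post); addresses use documentation ranges.
SAMPLE_LOG = """\
Jul  1 10:00:01 host sshd[1201]: Timeout before authentication for 203.0.113.5 port 40001
Jul  1 10:00:02 host sshd[1202]: Timeout before authentication for 203.0.113.5 port 40002
Jul  1 10:00:04 host sshd[1203]: Connection closed by 203.0.113.5 port 40003 [preauth]
Jul  1 10:00:05 host sshd[1204]: Timeout before authentication for 203.0.113.5 port 40004
Jul  1 10:01:00 host sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Jul  1 10:02:00 host sshd[1211]: Accepted publickey for ops from 192.0.2.9 port 52000 ssh2
Jul  1 09:00:00 host sshd[1100]: Connection closed by 192.0.2.9 port 53000 [preauth]
Jul  1 09:30:00 host sshd[1101]: Connection closed by 192.0.2.9 port 53001 [preauth]
Jul  1 10:30:00 host sshd[1102]: Connection closed by 192.0.2.9 port 53002 [preauth]
"""

# Pre-authentication events worth counting: a client that connects and never finishes
# authenticating leaves grace-time expiries and [preauth] disconnects; failed logins too.
PREAUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Timeout before authentication for|Connection closed by(?: authenticating user \S+)?|"
    r"Failed password for(?: invalid user)? \S+ from|Invalid user \S+ from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b"
)

def preauth_events(log_text):
    """Return {ip: [datetime, ...]} for every matched pre-auth event, sorted per IP."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = PREAUTH.match(line)
        if m:
            # syslog stamps carry no year; strptime defaults to 1900, fine for time deltas
            events[m["ip"]].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
    return {ip: sorted(stamps) for ip, stamps in events.items()}

def noisy_sources(log_text, threshold=50, window_seconds=600):
    """IPs with at least `threshold` pre-auth events inside any `window_seconds` span."""
    flagged = {}
    for ip, stamps in preauth_events(log_text).items():
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(stamps)
                break
    return flagged

def nft_blocklist_commands(ips, set_name="ssh_blocklist"):
    """Emit nft commands adding flagged IPs to a set (table/set names are assumptions)."""
    return [f"nft add element inet filter {set_name} {{ {ip} }}" for ip in sorted(ips)]

if __name__ == "__main__":
    print("\n".join(nft_blocklist_commands(noisy_sources(SAMPLE_LOG, threshold=3))))
```

    The threshold and window are deliberately low for the constructed sample; on a real host, tune them to the ~10,000-attempt volume the post mentions so that a single mistyped password never lands a legitimate user on the list.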

    • #2684965

      The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems; that presents a significant security risk. This race condition affects sshd in its default configuration.

      Does this vulnerability affect macOS or Windows?

      While it is likely that the vulnerability exists in both macOS and Windows, its exploitability on these platforms remains uncertain. Further analysis is required to determine the specific impact.

      • #2687207

        Is Microsoft Windows vulnerable to CVE-2024-6387?

        No, Microsoft Windows is not affected by this vulnerability. Although Windows contains an OpenSSH component, the vulnerable code cannot be exploited or controlled by an adversary.

        CVE-2024-6387 Security Vulnerability
