Fortra is actively researching a new vulnerability in OpenSSH dubbed “regreSSHion”. This remote code execution vulnerability – CVE-2024-6387 – could allow an unauthenticated remote attacker to execute arbitrary code as root. Fortra recommends updating sshd as soon as possible to mitigate this threat.
Who is affected?
Customers using the following versions of OpenSSH may be affected:
- Versions of OpenSSH up to 4.4p1, unless patched for CVE-2006-5051 and CVE-2008-4109
- Versions of OpenSSH from 8.5p1 before 9.8p1
Note: OpenBSD systems are not affected.
What can I do?
It is recommended to update to sshd version 9.8p1.
If immediate updating is not possible, administrators can set the login timeout to zero (LoginGraceTime=0 in sshd_config) as a temporary mitigation. A value of zero means unauthenticated connections are never timed out, so this configuration can make the SSH server more susceptible to DDoS attacks.
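The following triage helper is an added example, not Fortra's or OpenSSH's code: it classifies an sshd version string against the ranges listed above and reports whether the LoginGraceTime mitigation is set in a given sshd_config text. The function names and sample inputs are constructed for illustration. A version match only means "may be affected", since distribution packages can backport the fix without changing the upstream version, and Include files are not followed.

```python
import re

# Affected ranges as stated in the advisory, as (major, minor) pairs.
OLD_MAX = (4, 4)                 # "up to 4.4p1", read as inclusive (assumption)
NEW_MIN, FIXED = (8, 5), (9, 8)  # "from 8.5p1 before 9.8p1"
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_version(banner):
    """Return (major, minor) from 'OpenSSH_9.6p1 ...' or an SSH-2.0 banner."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def in_affected_range(banner):
    """True/False by version string only; None if no OpenSSH version found."""
    v = parse_version(banner)
    if v is None:
        return None
    return v <= OLD_MAX or NEW_MIN <= v < FIXED

def login_grace_seconds(config_text, default=120):
    """Effective LoginGraceTime in seconds; sshd uses the first value it reads."""
    pattern = r"(?i)logingracetime[\s=]+((?:\d+[smhdw]?)+)$"
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        m = re.match(pattern, line)
        if m:
            parts = re.findall(r"(\d+)([smhdw]?)", m.group(1).lower())
            return sum(int(n) * UNITS[u] for n, u in parts)
    return default                             # sshd default is 120 seconds

def triage(banner, config_text):
    """Combine the version check with the temporary mitigation check."""
    affected = in_affected_range(banner)
    if affected is None:
        return "unknown: no OpenSSH version in banner"
    if not affected:
        return "outside affected ranges"
    if login_grace_seconds(config_text) == 0:
        return "affected range, temporary mitigation set: still update to 9.8p1"
    return "affected range, unmitigated: update to 9.8p1"

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    sample_cfg = "#LoginGraceTime 2m\nLoginGraceTime 0\n"
    for b in ("SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6", "OpenSSH_9.8p1"):
        print(b, "->", triage(b, sample_cfg))
```

Feed it the output of `sshd -V` or the service banner together with the contents of sshd_config.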
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities. The following detection is currently available.
Alert Logic Log Management: Alert Logic has deployed and is actively monitoring log telemetry related to known IOCs.
Alert Logic Vulnerability Scanning: Alert Logic released agent-based scan coverage on July 3, 2024, authenticated scan detection on July 4, and unauthenticated scan detection on July 8. If the vulnerability is found, an exposure (EID: 271298) will be raised for CVE-2024-6387.
FortraVM: Fortra released two authenticated scan checks for Linux and a remote banner-based check on July 3, 2024, via scanner version 4.45.1. The remote-based banner check requires that “Include potential CVCs” be toggled On.
If the vulnerability is found, one or more of the following vulnerabilities will be raised:
- Vulnerability 160116: [USN-6589-1] OpenSSH vulnerability
- Vulnerability 160119: [ELSA-2024-12468] openssh security update
- Vulnerability 160109: OpenSSH Remote Code Execution vulnerability
Tripwire IP360: Tripwire released authenticated scan coverage on July 8, 2024, to identify vulnerable instances. If the vulnerability is found, vulnerabilities 644451, 644449, 644435, 644434, 644421, 644179, 643921, 643719, or 643641 will match for CVE-2024-6387.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
07/03/2024: Alert Logic released agent-based scan coverage, and FortraVM released authenticated and banner-based scan checks.
07/04/2024: Alert Logic released authenticated scan coverage.
07/08/2024: Alert Logic released unauthenticated scan coverage, and Tripwire released authenticated scan coverage.