Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability

Two sentences: OpenSSH servers on glibc-based Linux systems are exposed to a critical signal handler race (RegreSSHion, CVE-2024-6387) that can allow unauthenticated remote code execution as root. Palo Alto Networks Unit 42 notes no confirmed exploitation in the wild as of July 2, 2024 and recommends updating OpenSSH to 9.8p1 or later, with multiple protections and detections available across Cortex XDR, Xpanse, Prisma Cloud, and related services. #CVE-2024-6387 #OpenSSH #RegreSSHion #Unit42 #CortexXDR #CortexXpanse #PrismaCloud #PAN-OS

Keypoints

  • The CVE-2024-6387 vulnerability is a signal handler race condition in OpenSSH servers on glibc-based Linux systems, enabling unauthenticated remote code execution with root privileges.
  • Affected OpenSSH versions are 8.5p1 through 9.7p1 (the fix shipped in 9.8p1), plus versions earlier than 4.4p1 unless they were backport-patched against CVE-2006-5051 and CVE-2008-4109; 4.4p1 through 8.4p1 are not affected. Because distributions backport fixes without changing the version string, the version alone is a heuristic and must be checked against the vendor advisory.
  • The SSH features in PAN-OS are not affected by CVE-2024-6387.
  • Public PoC code exists, but Unit 42's testing found it non-functional, and there was no confirmed exploitation in the wild as of July 2, 2024.
  • Unit 42 and Prisma Cloud offer detections and mitigations, with Cortex XDR/XSIAM tooling and Xpanse exposure detection for vulnerable OpenSSH instances.
  • Internet-wide exposure data shows tens of millions of OpenSSH servers, millions of them reporting vulnerable versions; backported patches and server configuration mean the count of hosts that are actually exploitable is lower than the banner count.
  • Interim guidance: upgrade all OpenSSH instances to 9.8p1 or later and engage Unit 42 for investigations or proactive risk reduction.
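The exposure counting above comes down to reading the version string sshd announces and comparing it with the affected ranges. The following is an added example, not code from Unit 42 or the OpenSSH project: it parses `OpenSSH_<major>.<minor>p<patch>` out of a server identification banner and classifies it against the ranges in this brief. The sample banners are constructed, not real hosts. Two caveats are built into the result codes: a distribution backport keeps the old version string, and the banner says nothing about whether the host runs glibc, so "vulnerable" here means "upgrade or verify against the vendor advisory", not "confirmed exploitable".

```c
/* Added example (not Unit 42's or OpenSSH's code): classify an SSH server
 * identification banner against the version ranges listed in this brief. */
#include <stdio.h>
#include <string.h>

enum ssh_status {
    SSH_NOT_OPENSSH  = -1,  /* no "OpenSSH_" token in the banner */
    SSH_NOT_AFFECTED =  0,  /* 4.4p1 .. 8.4p1, or 9.8p1 and later */
    SSH_VULNERABLE   =  1,  /* 8.5p1 .. 9.7p1 (unless a backport fixed it) */
    SSH_LEGACY_CHECK =  2   /* earlier than 4.4p1: vulnerable unless patched
                               for CVE-2006-5051 and CVE-2008-4109 */
};

/* Extract major.minor[pN] from e.g. "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4".
 * Returns 1 on success, 0 if no OpenSSH version is present. The "pN" part is
 * optional, so a bare "OpenSSH_7.4" banner still parses (patch = 0). */
int parse_openssh_version(const char *banner, int *vmaj, int *vmin, int *vpatch)
{
    const char *p = strstr(banner, "OpenSSH_");
    if (p == NULL)
        return 0;
    p += strlen("OpenSSH_");
    *vpatch = 0;
    return sscanf(p, "%d.%dp%d", vmaj, vmin, vpatch) >= 2;
}

enum ssh_status classify_banner(const char *banner)
{
    int vmaj, vmin, vpatch;
    if (!parse_openssh_version(banner, &vmaj, &vmin, &vpatch))
        return SSH_NOT_OPENSSH;
    int v = vmaj * 100 + vmin;        /* 4.4 -> 404, 8.5 -> 805, 9.7 -> 907 */
    if (v < 404)
        return SSH_LEGACY_CHECK;
    if (v >= 805 && v <= 907)
        return SSH_VULNERABLE;
    return SSH_NOT_AFFECTED;
}

const char *status_name(enum ssh_status s)
{
    switch (s) {
    case SSH_VULNERABLE:   return "VULNERABLE (upgrade, or confirm backport)";
    case SSH_LEGACY_CHECK: return "LEGACY (check CVE-2006-5051/CVE-2008-4109 patch)";
    case SSH_NOT_AFFECTED: return "not affected";
    default:               return "not OpenSSH";
    }
}

/* Number of banners that need follow-up: vulnerable plus legacy-unverified. */
int count_action_needed(const char *const *banners, size_t n)
{
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        enum ssh_status s = classify_banner(banners[i]);
        if (s == SSH_VULNERABLE || s == SSH_LEGACY_CHECK)
            count++;
    }
    return count;
}

/* Constructed sample banners (not real hosts). */
static const char *const sample_banners[] = {
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_4.3p2",
    "SSH-2.0-dropbear_2022.83",
};
#define SAMPLE_COUNT (sizeof sample_banners / sizeof sample_banners[0])

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("%-45s -> %s\n", sample_banners[i],
               status_name(classify_banner(sample_banners[i])));
    printf("%d of %zu banners need follow-up\n",
           count_action_needed(sample_banners, SAMPLE_COUNT), SAMPLE_COUNT);
    return 0;
}
```

Feed it the banner field from an Xpanse export or a masscan/zgrab run and treat the `VULNERABLE` and `LEGACY` buckets as the worklist; the `not affected` bucket is the one you can trust from the banner alone, since a fixed version string cannot be un-fixed by a backport.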

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The OpenSSH server on exposed glibc-based Linux systems is exploitable via a signal handler race condition enabling unauthenticated remote code execution. “…This vulnerability can be exploited remotely on glibc-based Linux systems due to syslog() calling async-signal-unsafe functions like malloc() and free(), leading to unauthenticated remote code execution as root.”
  • [T1068] Exploitation for Privilege Escalation – Successful exploitation results in remote code execution with root privileges, because sshd's pre-authentication process runs as root, granting full control of the affected host. “…unauthenticated remote code execution as root.”

Indicators of Compromise

  • [URL] context – Official vulnerability notes and defenses referenced in the article: https://ubuntu.com/security/CVE-2024-6387, https://security.paloaltonetworks.com/CVE-2024-6387, https://start.paloaltonetworks.com/contact-unit42.html
  • [CVE] context – CVE-2024-6387, CVE-2006-5051, CVE-2008-4109 – vulnerability identifiers cited in the discussion of affected/open backport patches
  • [Software Version] context – OpenSSH versions affected: 8.5p1 through 9.7p1 (fixed in 9.8p1), and earlier than 4.4p1 if not backport-patched, as described in the article

Read more: https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/