regreSSHion
July 1, 2024. Qualys publishes a working unauthenticated RCE against the OpenSSH server, a regression of an 18-year-old CVE that quietly returned in 2020. Your fleet runs sshd on every host.
Briefing
Qualys disclosed CVE-2024-6387, 'regreSSHion'. It is an unauthenticated RCE against sshd as root, on glibc-based Linux. It is a regression of CVE-2006-5051: a signal handler race condition that was fixed in 2006, then accidentally reintroduced in OpenSSH 8.5p1 (October 2020). Versions from 4.4p1 up to, but not including, 8.5p1 are not affected; 8.5p1 through 9.7p1 are affected. OpenBSD's sshd is not affected because of an unrelated SIGALRM handler. The exploit takes ~6–8 hours of connection attempts on amd64 to win the race. That is the window you have.
Your role
On-call engineer for a small fleet of glibc-based Linux bastions and edge boxes. The advisory dropped fifteen minutes ago.
Objective
Find out which of the boxes you can reach are exposed, and apply the same-day config mitigation while the patch waits in change control.
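As an added example (not part of the briefing): a POSIX shell helper that classifies sshd version banners against the ranges quoted above and stages the interim config mitigation. It assumes 9.8p1 as the first fixed release and LoginGraceTime 0 as the mitigation, both from the Qualys advisory rather than this page, and that sshd_config includes a drop-in directory.

```shell
#!/bin/sh
# Added example, not part of the original briefing. Classifies an sshd banner
# against the version ranges quoted in it and stages the interim config mitigation.
# Caveat: distros backport fixes without bumping the upstream version, so
# "affected" here is a lead to confirm against the vendor changelog, not a verdict.

# "9.7p1" -> 90701 ; "9.7" (OpenBSD native, no portable suffix) -> 90700
ssh_ver_num() {
  echo "$1" | awk -F'[.p]' '{ printf "%d\n", $1*10000 + $2*100 + $3 }'
}

# Pull the version token out of "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"
banner_version() {
  echo "$1" | sed -n 's/.*OpenSSH_\([^ ]*\).*/\1/p'
}

# Prints one of: affected, not-affected, affected-legacy, unknown
classify_banner() {
  v=$(banner_version "$1")
  [ -n "$v" ] || { echo unknown; return 0; }               # not OpenSSH at all
  case "$v" in *p*) ;; *) echo not-affected; return 0 ;; esac  # OpenBSD build
  n=$(ssh_ver_num "$v")
  if [ "$n" -ge "$(ssh_ver_num 8.5p1)" ] && [ "$n" -lt "$(ssh_ver_num 9.8p1)" ]; then
    echo affected          # regression window: 8.5p1 through 9.7p1
  elif [ "$n" -ge "$(ssh_ver_num 4.4p1)" ]; then
    echo not-affected      # carries the 2006 fix, predates the regression
  else
    echo affected-legacy   # predates the CVE-2006-5051 fix entirely
  fi
}

# Interim mitigation: LoginGraceTime 0 (the Qualys-recommended setting). With no
# grace timer, the SIGALRM handler that hosts the race is never entered. Trade-off:
# idle pre-auth connections can now pin MaxStartups slots, so watch for that.
# Assumes sshd_config Includes a drop-in directory; the path is a parameter.
write_mitigation() {
  cat > "$1" <<'EOF'
# CVE-2024-6387 interim mitigation; remove once the patched sshd is deployed
LoginGraceTime 0
EOF
}
# Then: sshd -t && systemctl reload sshd   (service name varies by distro)

# Constructed sample banners, the kind a port-22 sweep of your own fleet returns
for b in 'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13' 'SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3' \
         'SSH-2.0-OpenSSH_9.7' 'SSH-2.0-dropbear_2022.83'; do
  printf '%-45s %s\n' "$b" "$(classify_banner "$b")"
done
```

A banner only tells you the upstream version; on a backporting distro, check the package changelog for the CVE id before trusting an "affected" result.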
Terminal environment
- user: responder
- host: edge-bastion-01
- cwd: /home/responder
- steps: 5
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.