{"id":22479,"date":"2024-09-01T10:01:00","date_gmt":"2024-09-01T17:01:00","guid":{"rendered":"https:\/\/portasftpserver.com\/?p=22479"},"modified":"2024-12-07T16:17:08","modified_gmt":"2024-12-08T00:17:08","slug":"regresshion-the-cve-2024-6387-unauthenticated-remove-code-execution-rce","status":"publish","type":"post","link":"https:\/\/portasftpserver.com\/regresshion-the-cve-2024-6387-unauthenticated-remove-code-execution-rce\/","title":{"rendered":"OpenSSH Server: CVE-2024-6387 (regreSSHion)"},"content":{"rendered":"\n<p class=\"sera-block-paragraph\">The Research Security Company (<a href=\"https:\/\/www.qualys.com\/tru\/\"><strong>Qualys <\/strong>Threat Research Unit<\/a>) discovered an SSHD vulnerability (NVD &#8211; CVE-2024-6387) that can lead the whole system to be compromised. The flaw derives from a race condition (Race Hazard), which leads the SSHD to handle signals unsafely when calling the component of <em><strong><a href=\"https:\/\/en.wikipedia.org\/wiki\/Glibc\" target=\"_blank\" rel=\"noreferrer noopener\">glibc<\/a><\/strong><\/em> a.k.a SIGALRM. The latter is asynchronous alarm-signaling (a standard GNU C library) that has a time interval that complements a thread-safe application. The flaw in SSHD can happen during back &amp; forth (traverse) authentication negotiation (but halting the session) in an asynchronous manner and calls the SIGALRM within a certain time frame created by an attacker (client).<\/p>\n\n\n\n<p class=\"sera-block-paragraph\">Furthermore, since the OpenSSH (SSHD) handles the signaling asynchronously, and if it has a lot of session calls (queues) that are not fully authenticated, and with the right timing, leads to race conditions as the breaking point. If this happens, this will allow an attacker to perform a buffer overflow in the program memory allocation. As for consequences, the attacker can advance for further escalation to execute a Remote Code Execution (RCE) as root through <em><strong><a href=\"https:\/\/en.wikipedia.org\/wiki\/Glibc\" target=\"_blank\" rel=\"noreferrer noopener\">glibc-based<\/a> Linux systems<\/strong><\/em> to take over the whole network or system. It determines that the successful exploit through the <em>glibc<\/em> is due to <em>syslog()<\/em>&nbsp;calling <strong>async-signal-unsafe<\/strong> functions like&nbsp;<em>malloc()<\/em>&nbsp;and&nbsp;<em>free()<\/em> which is essential in programming and software development that is critically responsible for Memory Management, Localization, and as well as <strong>Thread Safety<\/strong>.<\/p>\n\n\n\n<p class=\"sera-block-paragraph\">To elaborate, the <strong>async-signal-unsafe<\/strong> called by the <em>syslog() <\/em>has full access privilege to the system (it is not sandboxed). As a metaphor, in software development before deployment, it is good practice to create a classification of what portion of the application needs admin\/root permission and what is not. The developer can create an elevator executable file to be called as necessary by the application (invoker) to perform certain tasks that require higher privilege, which creates a separation of concern. A security-focused operating system <strong>OpenBSD <\/strong>for example, is not affected by the SIGALRM handler vulnerability as it uses the <em>syslog_r()<\/em> which is an async-signal-safe version of <em>syslog()<\/em>.<\/p>\n\n\n\n<p class=\"sera-block-paragraph\">Qualys research company named this &#8220;regreSSHion&#8221; because of the fact that it was identified as previously patched from CVE-2006-505 in 2006 but reinstated due to code updates in October 2020 (OpenSSH 8.5p1). To expound, when there is a code change due to new features, functions, or bug fixes, the developers perform a crucial <a href=\"https:\/\/en.wikipedia.org\/wiki\/Regression_testing\" target=\"_blank\" rel=\"noreferrer noopener\">regression analysis &amp; testing<\/a> (re-running functional and non-functional) to make sure all the software functionalities are properly working, and <strong>if not<\/strong>, that is <strong>called regression<\/strong>.<\/p>\n\n\n\n<h2 class=\"klc-block-heading sera-block-heading\">Who are Affected?<\/h2>\n\n\n\n<p class=\"sera-block-paragraph\">The following table shows the affected version of SSHD\/OpenSSH based on the Qualys Threat Research Team, this means that anyone who uses this version is vulnerable:<\/p>\n\n\n\n<figure class=\"klc-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Versions before than 4.4p1<\/td><td>Unless patched for CVE-2006-5051 and CVE-2008-4109.<\/td><\/tr><tr><td>Versions from 4.4p1 up to<\/td><td>Except 8.5p1 due to a transformative patch for CVE-2006-5051 (to secure the unsafe function)<\/td><\/tr><tr><td>Vulnerability reappeared from 8.5p1 up to<\/td><td>Except 9.8p1 because of the accidental removal of the critical function.<\/td><\/tr><tr><td><\/td><td><\/td><\/tr><\/tbody><\/table><figcaption class=\"klc-element-caption\"><em>Note.<\/em> OpenBSD systems are unaffected by this bug, as OpenBSD developed a secure mechanism in 2001 that prevents this vulnerability (Qualys, 2024).<\/figcaption><\/figure>\n\n\n\n<h2 class=\"klc-block-heading sera-block-heading\">Severity<\/h2>\n\n\n\n<p class=\"sera-block-paragraph\">Only Linux systems are vulnerable to the <strong><em>regreSSHion <\/em><\/strong>(<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-6387\">CVE-2024-6387<\/a>) and with a high <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-6387\" target=\"_blank\" rel=\"noreferrer noopener\">8.1\/10 severity score<\/a>. Though, the radius or aggregated counts, grouped by the most affected countries from version 8.5p1-9.7p1 are the following:<\/p>\n\n\n\n<figure class=\"klc-block-image size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/portasftpserver.com\/sera-uploads\/2024\/08\/image-1.png\" alt=\"\" class=\"klc-image-22590\" style=\"width:956px;height:auto\"\/><\/figure>\n\n\n\n<p class=\"sera-block-paragraph\"><em>Note.<\/em> This image is borrowed from the <a href=\"https:\/\/unit42.paloaltonetworks.com\/threat-brief-cve-2024-6387-openssh\/\">paloaltonetworks.com<\/a> website (<a href=\"https:\/\/unit42.paloaltonetworks.com\/threat-brief-cve-2024-6387-openssh\/\">CVE-2024-6387 OpenSSH RegreSSHion Vulnerability<\/a>).<\/p>\n\n\n\n<h2 class=\"klc-block-heading sera-block-heading\">Current Scope of Attack<\/h2>\n\n\n\n<p class=\"sera-block-paragraph\">Palo Alto states that while there is a PoC attack (created by several contributors posted on GitHub) for the vulnerability, the only successful exploitation is shown on 32-bit Linux\/glibc systems with address space layout randomization (ASLR). It also stated that This exploitation typically requires 6-8 hours of continuous connections under lab conditions up to the server&#8217;s maximum capacity (<a href=\"https:\/\/unit42.paloaltonetworks.com\/threat-brief-cve-2024-6387-openssh\/\" data-type=\"link\" data-id=\"https:\/\/unit42.paloaltonetworks.com\/threat-brief-cve-2024-6387-openssh\/\" target=\"_blank\" rel=\"noreferrer noopener\">Palo Alto<\/a>, 2024). Currently, the PoC for the said CVE 2024-6387 is not sufficient to become successful in achieving the state for remote code execution (RCE), and there is no known activity in the wild as of July 2, 2024 &#8211; Palo Alto says. <\/p>\n\n\n\n<h2 class=\"klc-block-heading sera-block-heading\">Prevention<\/h2>\n\n\n\n<p class=\"sera-block-paragraph\">As gathered from different sources, it is good to always be on top for the sake of security posture. <a href=\"https:\/\/www.qualys.com\/apps\/vulnerability-management-detection-response\/\" data-type=\"link\" data-id=\"https:\/\/www.qualys.com\/apps\/vulnerability-management-detection-response\/\">Qualys Vulnerability Management, Detection, and Response (VMDR)<\/a> and Palo Alto Networks Product Protections (such as <a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/p\/XDR\" target=\"_blank\" rel=\"noreferrer noopener\">Cortex XDR<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/p\/XSIAM\" target=\"_blank\" rel=\"noreferrer noopener\">XSIAM<\/a>) can help any organization to achieve that. In addition, there are also open-source security products (cost-free) that you can start implementing like <a href=\"https:\/\/www.pfsense.org\/download\/\" target=\"_blank\" rel=\"noreferrer noopener\">PfSense<\/a> and <a href=\"https:\/\/www.bing.com\/search?q=OPNsense&amp;gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIGCAEQRRg9MggIAhDpBxj8VagCALACAA&amp;FORM=ANCMS9&amp;PC=W099\" target=\"_blank\" rel=\"noreferrer noopener\">OPNsense<\/a>. Both the former and the latter are very user-friendly and encompass different security controls such as Firewalls, DMZs, Multiwan Failover support, Virtual Private Networking, Hardware Failover, Intrusion Detection &amp; Prevention, Two-Factor Authentication, Web\/Filtering Filtering, and etc. <\/p>\n\n\n\n<h2 class=\"klc-block-heading sera-block-heading\">Conclusion<\/h2>\n\n\n\n<p class=\"sera-block-paragraph\">The RegreSSHion (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-6387\">CVE-2024-6387<\/a>) is a vulnerability in the <strong>OpenSSH Server (SSHD)<\/strong> signal handler due to race conditions on glibc-based Linux systems. While this vulnerability has a CVSS 8.1 score there is no known activity since July 2, 2024, based on the <a href=\"https:\/\/unit42.paloaltonetworks.com\/threat-brief-cve-2024-6387-openssh\/\" data-type=\"link\" data-id=\"https:\/\/unit42.paloaltonetworks.com\/threat-brief-cve-2024-6387-openssh\/\" target=\"_blank\" rel=\"noreferrer noopener\">Palo Alto<\/a> unique IP Address scan results. However, it is very important to be reminded to not underestimate this vulnerability as this can lead to disaster situations if an attacker successfully intrudes on the system. Note that the Porta SFTP Server is not affected by this since it is not an OpenSSH Server BUT rather a Java network that runs through a Java Virtual Machine (JVM) that has enhanced security before code execution which is considered an additional layer of security.<\/p>\n\n\n\n<p class=\"sera-block-paragraph\"><\/p>\n\n\n\n<h4 class=\"klc-block-heading sera-block-heading\">References<\/h4>\n\n\n\n<p class=\"sera-block-paragraph\">Qualys.com (2024). <em>regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server<\/em>. Retrieved from <a href=\"https:\/\/blog.qualys.com\/vulnerabilities-threat-research\/2024\/07\/01\/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server\">https:\/\/blog.qualys.com\/vulnerabilities-threat-research\/2024\/07\/01\/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server<\/a><\/p>\n\n\n\n<p class=\"sera-block-paragraph\"><\/p>\n\n\n\n<p class=\"sera-block-paragraph\">Paloaltonetworks.com (2024). <em>Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability<\/em>. Retrieved from <a href=\"https:\/\/unit42.paloaltonetworks.com\/threat-brief-cve-2024-6387-openssh\/\">https:\/\/unit42.paloaltonetworks.com\/threat-brief-cve-2024-6387-openssh\/<\/a><\/p>\n\n\n\n<p class=\"sera-block-paragraph\"><br><strong>Logo attribution:<\/strong> Pixabay.com<br><br><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Research Security Company (Qualys Threat Research Unit) discovered an SSHD vulnerability (NVD &#8211; CVE-2024-6387) that can lead the whole system to be compromised. The flaw derives from a race condition (Race Hazard), which leads the SSHD to handle signals unsafely when calling the component of glibc a.k.a SIGALRM. The latter is asynchronous alarm-signaling (a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":22482,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[143,124,253,206,140,1],"tags":[],"class_list":["post-22479","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-computer-protections","category-data-information-security","category-emails-files-security","category-learning-educations","category-operating-systems","category-programming-software"],"_links":{"self":[{"href":"https:\/\/portasftpserver.com\/sera-json\/wp\/v2\/posts\/22479","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/portasftpserver.com\/sera-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/portasftpserver.com\/sera-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/portasftpserver.com\/sera-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/portasftpserver.com\/sera-json\/wp\/v2\/comments?post=22479"}],"version-history":[{"count":192,"href":"https:\/\/portasftpserver.com\/sera-json\/wp\/v2\/posts\/22479\/revisions"}],"predecessor-version":[{"id":23974,"href":"https:\/\/portasftpserver.com\/sera-json\/wp\/v2\/posts\/22479\/revisions\/23974"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/portasftpserver.com\/sera-json\/wp\/v2\/media\/22482"}],"wp:attachment":[{"href":"https:\/\/portasftpserver.com\/sera-json\/wp\/v2\/media?parent=22479"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/portasftpserver.com\/sera-json\/wp\/v2\/categories?post=22479"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/portasftpserver.com\/sera-json\/wp\/v2\/tags?post=22479"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}