07.02.2024

Critical OpenSSH Vulnerability Leads To Remote Code Execution On Victim Machine (CVE-2024-6387)

Alert

Date of Notice: 07/02/2024

Action Level - Critical

Description

It was reported this week that certain OpenSSH versions are vulnerable to remote code execution (RCE). The vulnerability predominantly impacts Linux/Unix-based systems, specifically those that use the GNU C Library (glibc). The RCE is a regression of the previously patched vulnerability CVE-2006-5051, which was reported in 2006. Those researching this vulnerability stated that “the vulnerability is challenging to exploit due to its remote race condition nature requiring multiple attempts for a successful attack. This can cause memory corruption and necessitates overcoming Address Space Layout Randomization (ASLR).”

Impacted Versions

  • OpenSSH versions earlier than 4.4p1
  • OpenSSH versions 8.5p1 up to, but not including, 9.8p1
  • Any vendor appliances utilizing OpenSSH. You will need to reference specific vendor guidance to determine if this vulnerability has been closed by some mitigating control or via backporting a patch.
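
An added example (not part of the original advisory): a Python check that sorts collected `ssh -V` output or SSH banner strings into the ranges listed above. The host names and version strings are constructed samples, and a match only means the version number falls in a listed range, since a vendor may backport the fix without changing that number.

```python
import re

# Boundaries copied from the "Impacted Versions" list in this advisory.
OLD_RANGE_END = (4, 4)     # releases earlier than 4.4p1 are listed
NEW_RANGE_START = (8, 5)   # 8.5p1 and later ...
NEW_RANGE_END = (9, 8)     # ... up to, but not including, 9.8p1

# Matches "OpenSSH_8.9p1", "OpenSSH_3.6.1p2", "OpenSSH_8.7", plus an optional
# packager tag such as "Ubuntu-3ubuntu0.10" that follows the version.
VERSION_RE = re.compile(
    r"OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(?:p\d+)?(?:[ -]([A-Za-z][\w.+~-]*))?"
)

def classify(version_string):
    """Return (status, (major, minor), packager_tag) for a banner or `ssh -V` line."""
    m = VERSION_RE.search(version_string)
    if m is None:
        return ("unparsed", None, None)
    version = (int(m.group(1)), int(m.group(2)))
    # major.minor is enough: each boundary release is the p1 of its series.
    if version < OLD_RANGE_END:
        status = "impacted-pre-4.4"
    elif NEW_RANGE_START <= version < NEW_RANGE_END:
        status = "impacted-range"
    else:
        status = "outside-range"
    return (status, version, m.group(3))

def triage(inventory):
    """Map host -> follow-up note for every host that needs a closer look."""
    notes = {}
    for host, version_string in inventory.items():
        status, _version, tag = classify(version_string)
        if status == "unparsed":
            notes[host] = "no OpenSSH version found; identify the SSH server manually"
        elif status != "outside-range":
            where = f"packager build {tag}" if tag else "no packager tag in string"
            notes[host] = f"{status} ({where}): confirm a backported fix or upgrade"
    return notes

# Constructed sample inventory (hypothetical hosts, illustrative version strings).
SAMPLE = {
    "bastion-01": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",
    "build-02": "OpenSSH_9.8p1, OpenSSL 3.3.1 4 Jun 2024",
    "legacy-03": "SSH-2.0-OpenSSH_3.6.1p2",
    "appliance-04": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for host, note in triage(SAMPLE).items():
        print(f"{host}: {note}")
```
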

Attack Vector

This vulnerability can be exploited remotely without authentication, posing a significant risk as it affects the default configuration and does not require user interaction.

Attack Feasibility 

Exploitation is challenging because the flaw is a remote race condition that requires multiple attempts to succeed. While mass exploitation of this vulnerability is highly improbable, targeted attempts against a specific server/device are much more likely (a run-through of the vulnerability can be found here).

Mitigation

If using an impacted version and unable to immediately patch, organizations should: 

  • Use network-based controls to limit SSH access
  • Segment networks to restrict unauthorized access and lateral movement
  • Deploy systems to monitor and alert on unusual activity indicative of exploitation attempts

Remediation

Update OpenSSH to a fixed version immediately.

  • Apply patches for versions earlier than 4.4p1 if not already patched for CVE-2006-5051 and CVE-2008-4109
  • Upgrade to version 9.8p1 or later

© 2024 MCNC