PoCs Released for High Severity Vulnerability, CVE-2024-6387, in OpenSSH

Proof-of-Concept Released – OpenSSH – CVE-2024-6387 – Unauthenticated Remote Code Execution – All Industries

The Rundown

Several unauthenticated remote code execution (RCE) proof-of-concept exploits have been released for a high-severity vulnerability (CVE-2024-6387, CVSS: 8.1), dubbed “regreSSHion” by Qualys, that impacts OpenSSH servers in glibc-based Linux systems.

The OpenSSH vulnerability CVE-2024-6387 poses a significant threat due to its ability to allow unauthenticated remote code execution. Due to several PoCs arriving in the threat landscape, the likelihood of exploitation is high, and the potential impacts are severe, necessitating immediate patching and continuous monitoring to prevent possible breaches and ensure system integrity.

• An attacker could execute arbitrary code with the highest privileges, resulting in a complete system compromise, installation of malware, data manipulation, and the creation of backdoors for persistent access.
• It could also facilitate lateral movement, allowing attackers to traverse and exploit other vulnerable systems within the organization.
• Gaining root access could enable attackers to bypass critical security mechanisms to obscure their activities and access to all data on the system, including sensitive or proprietary information that could be stolen or publicly disclosed.

If you have questions or feedback about this intelligence, you can submit them here.

Vulnerability Details:

CVE-2024-6387 is a signal handler race condition vulnerability that allows for unauthenticated remote code execution in OpenSSH on glibc-based Linux systems. This vulnerability is due to changes or updates that inadvertently reintroduced in October 2020 (OpenSSH 8.5p1) the previously patched CVE-2006-5051.  

• OpenSSH versions from 8.5p1 up to, but not including, 9.8p1 are vulnerable.
• OpenSSH versions earlier than 4.4p1 are vulnerable unless they are patched for CVE-2006-5051 and CVE-2008-4109.
• Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051.
• OpenBSD systems are unaffected.

But, Qualys points out that this vulnerability is difficult to exploit due to its remote race condition nature, which may require multiple attempts for a successful attack. 

• In Qualys’s technical write-up, they stated “it takes 10,000 tries to win the race condition” and can take anywhere from a few hours to a week to obtain a root shell.
• Multiple attempts may cause memory corruption and necessitate overcoming Address Space Layout Randomization (ASLR). 
• However, AI and ML may significantly increase the exploitation rate, potentially providing attackers with a substantial advantage in leveraging such security flaws.

Scale of the threat:

Based on searches using Censys and Shodan, Qualys has identified over 14 million potentially vulnerable OpenSSH server instances exposed to the Internet. 

• Qualys internal data reveals that approximately 700,000 external internet-facing instances are vulnerable, accounting for 31% of all internet-facing instances with OpenSSH in their global customer base.

Public exploit code:

Within hours of Qualys publishing their discovery and technical details of the vulnerability, Deepwatch identified several proof-of-concept (PoC) for CVE-2024-6387 on GitHub. Even if some of these PoCs do not work, it provides attackers with a detailed guide to exploit the vulnerability.

Actions & Recommendations

The OpenSSH vulnerability (CVE-2024-6387) requires immediate and strategic actions to mitigate the identified risks and protect organizational Linux assets. Here are key actions and recommendations you should implement to enhance cyber resilience:

• Apply available patches for OpenSSH and prioritize ongoing update processes.
• Limit SSH access through network-based controls.
• Segment networks to restrict unauthorized access and lateral movements within critical environments.
• Deploy systems to monitor and alert on unusual activities indicative of exploitation attempts.

In addition, the Adversary Tactics and Intelligence team uses this intelligence report to improve our correlation rules and detections and conduct threat hunting. However, due to limitations in log sources received by Deepwatch, not all activity can be monitored.

Threat Hunting Guidance

We recommend that all customers retrospectively hunt for malicious activity, which will likely indicate compromise, using the Be On the Lookout (BOLO) guidance provided below:

• Rare/anomalous inbound network traffic to impacted appliances/services
  • Exploitation attempts will likely involve a large amount of inbound SSH traffic over multiple hours or longer (22/TCP).
• Rare/anomalous process execution, especially relating to OpenSSH/SSH processes
  • As is the case with most RCE-enabled vulnerabilities, arbitrary code often spawns under the executable/process of the vulnerable application (sshd in this case).
• Rare/anomalous outbound network connections from impacted appliances or internal/lateral connection attempts that may indicate C2 or lateral movement
• Rare/anomalous entries in /var/log/auth.log or general SSH logs referencing “preauth” or “message authentication code incorrect”
  • Various versions of Proof-of-Concept (POC) code were compiled and executed against multiple vulnerable systems in a lab environment (Linux) and both systems displayed identical logs in /var/log/auth.log as shown below. It is important to note that these log entries are not an indication of successful exploitation, rather a starting point for hunting and identification of systems that may be targeted.
  • The log entries also include information about the system attempting the exploit which (in conjunction with firewall data) may aid in identifying necessary blocking actions to mitigate risk.
  • In the example, there are two pairs of log entries, each pair represents an attempted exploit (each is from a different victim machine to demonstrate the entry was not unique to a single victim/operating system).

2024-07-01T14:54:13.043958-04:00 <VICTIM_HOSTNAME>  sshd[66726]: padding error: need 37 block 8 mod 5 [preauth]

2024-07-01T14:54:13.045197-04:00 <VICTIM_HOSTNAME> sshd[66726]: ssh_dispatch_run_fatal: Connection from <ATTACKER_IP> port 43226: message authentication code incorrect [preauth]

2024-07-01T19:38:34.064175+00:00 <VICTIM_HOSTNAME> sshd[2030]: padding error: need 37 block 8 mod 5 [preauth]

2024-07-01T19:38:34.064621+00:00 <VICTIM_HOSTNAME> sshd[2030]: ssh_dispatch_run_fatal: Connection from <ATTACKER_IP> port 58018: message authentication code incorrect [preauth]

↑