CVE-2024-6387: vulnerability remediation and mitigation
Qualys Threat Research Unit (TRU) has detailed a severe security flaw named 'regreSSHion' that leaves millions of Linux systems vulnerable to remote code execution (RCE). Identified as CVE-2024-6387 and discovered in May 2024, this vulnerability affects the OpenSSH server (sshd) on glibc-based Linux systems, allowing unauthenticated attackers to gain root access and take full control of affected machines.
“This bug marks the first vulnerability in OpenSSH in almost two decades — an unauthenticated RCE that grants root access. It affects the default configuration and requires no user interaction, posing a significant risk of exploitation,” notes the Qualys research group.
Qualys has also published a more technical article that delves into the exploitation process and possible mitigation strategies.
The regreSSHion flaw affects OpenSSH servers on Linux from version 8.5p1 up to, but not including, 9.8p1. Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable to CVE-2024-6387 due to a patch for CVE-2006-5051, which secured a previously unsafe function. Versions prior to 4.4p1 are vulnerable to this regression unless patched for CVE-2006-5051 and CVE-2008-4109.
There is already a proof-of-concept (PoC) available for this vulnerability, and it is possible to search for vulnerable servers on the internet.
CVE-2024-6387 affects earlier versions of OpenSSH and can be fixed by updating to the latest version. This tutorial will guide you through the process of downloading, compiling, and installing the latest version of OpenSSH, ensuring your installation is secure against this vulnerability.
First, we will download and prepare the compilation of the latest OpenSSH version.
Run the following commands to update your system and install the necessary dependencies:
apt update
apt install build-essential zlib1g-dev libssl-dev libpam0g-dev libselinux1-dev wget -y
Navigate to the /usr/local/src directory and download the latest OpenSSH package:
cd /usr/local/src
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
tar -xzf openssh-9.8p1.tar.gz
cd openssh-9.8p1
Now, we will compile and install OpenSSH:
./configure
make
make install
After installation, verify the OpenSSH version to ensure the update was successful:
/usr/local/bin/ssh -V
Ensure the new OpenSSH binaries are found first in your PATH. Add /usr/local/bin to the PATH:
export PATH=/usr/local/bin:$PATH
Add this line to your profile file (~/.bashrc or ~/.profile) to make it permanent:
echo 'export PATH=/usr/local/bin:$PATH' >> ~/.bashrc
source ~/.bashrc
Restart the SSH service to ensure it is using the new version. Be very careful not to disrupt your current SSH connection:
systemctl restart ssh
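To confirm the upgrade actually took effect, the following added script (not part of the original post) classifies OpenSSH version strings against the affected ranges stated above and then reports on the sshd binaries that could be launched. It assumes the default ./configure prefix, so the new daemon lives in /usr/local/sbin/sshd while a distribution unit file typically starts /usr/sbin/sshd, and it assumes the service is named ssh as in the restart command above.

```shell
#!/bin/sh
# Added example, not from the original post: classify OpenSSH version
# strings against the CVE-2024-6387 ranges given above, then check the
# sshd binary the service actually launches, not only the client.
# Caveat: distributions often backport fixes without changing the version
# number, so "vulnerable" means "compare with your vendor advisory".

# Extract "X.YpZ" from text such as "OpenSSH_9.6p1 Ubuntu-3ubuntu13, ...".
openssh_version() {
    printf '%s\n' "$1" |
      sed -n 's/.*OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\(p[0-9][0-9]*\)\{0,1\}\).*/\1/p'
}

# Map "9.6p1" to an integer key: major*10000 + minor*100 + patch.
version_key() {
    mm=${1%%p*}; p=${1#"$mm"}; p=${p#p}
    major=${mm%%.*}; minor=${mm#*.}
    echo $(( $major * 10000 + $minor * 100 + ${p:-0} ))
}

# Verdict for a version string: vulnerable | not-vulnerable | legacy | unknown
regresshion_status() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || { echo unknown; return 0; }
    k=$(version_key "$v")
    if [ "$k" -ge 80501 ] && [ "$k" -lt 90801 ]; then
        echo vulnerable        # 8.5p1 <= v < 9.8p1: the regression is present
    elif [ "$k" -ge 40401 ]; then
        echo not-vulnerable    # 4.4p1 <= v < 8.5p1: CVE-2006-5051 fix in place
    else
        echo legacy            # < 4.4p1: vulnerable unless CVE-2006-5051/CVE-2008-4109 patched
    fi
}

# Report on every sshd that could be started. With the default ./configure
# prefix the new daemon is /usr/local/sbin/sshd, while distro unit files
# usually start /usr/sbin/sshd, so "systemctl restart ssh" may relaunch the
# old one. sshd prints its release line before its usage text, so the first
# line is the version whether or not this build supports "sshd -V".
check_installed_sshd() {
    for bin in /usr/local/sbin/sshd /usr/sbin/sshd; do
        [ -x "$bin" ] || continue
        line=$("$bin" -V 2>&1 | head -n 1)
        printf '%s: %s (%s)\n' "$bin" "$(openssh_version "$line")" "$(regresshion_status "$line")"
    done
    # Show which binary the unit actually executes (assumed unit name: ssh).
    if command -v systemctl >/dev/null 2>&1; then
        systemctl show -p ExecStart ssh
    fi
}
```

Run `check_installed_sshd` as root after the restart; if ExecStart still points at /usr/sbin/sshd and that binary reports "vulnerable", the service is not yet using the rebuilt daemon.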
By following these steps, you have secured your OpenSSH installation against the critical CVE-2024-6387 vulnerability. Stay vigilant and ensure your systems are always up-to-date with the latest security patches.