What you need to know about regreSSHion: an OpenSSH server remote code execution vulnerability (CVE-2024-6387)

On 1 July 2024 we released a fix for the high-impact CVE-2024-6387 vulnerability, nicknamed regreSSHion, as part of the coordinated release date (CRD). Discovered and responsibly disclosed by Qualys, the unauthenticated, network-exploitable remote code execution flaw affects the OpenSSH server daemon (sshd) starting with version 8.5p1 and before 9.8p1. As for the versions distributed and supported by Ubuntu, this only affected the 22.04 LTS, 23.10 and 24.04 LTS releases – patched packages were made available to all users on the CRD. Older security-maintained releases, including those under ESM or Legacy Support (14.04 LTS, 16.04 LTS, 18.04LTS and 20.04 LTS) were unaffected, as they contain prior versions of the software that did not contain the affected code. If you’re running an OpenSSH server on a version that was affected, our recommendation is that you update as soon as possible. Read on to learn more about this CVE and how you can apply the fix.

Details

This vulnerability stems from the fact that an async-signal-unsafe function is called from a signal handler, specifically the one called when LoginGraceTime expires. Hitting a race condition, one made considerably harder by Address Space Layout Randomisation (ASLR), allows a malicious actor to execute arbitrary code as root. The name given by the researchers alludes to the fact that this is essentially a regression of a previous vulnerability, tracked as CVE-2006-5051, which had been fixed in OpenSSH 4.4p1, 18 years ago.  Despite this lapse, the Qualys report praises the defence-in-depth design, great track-record and overall security posture of the OpenSSH project, further underlining that software security issues are a fact of life, one that needs to be handled through a strong vulnerability management policy.

It should be noted that the researchers suspect that an unrelated patch only included in the Ubuntu 23.10 and 24.04 LTS releases prevents the service from being exploitable; however, we still advise that the updated package be installed.

Who is affected

An attacker with network access to a vulnerable sshd service may be able to exploit this race condition, without needing any credentials, hence the high severity associated – any SSH service accessible over the internet would be a prime target for such an attack. Qualys’ researchers have been able to demonstrate a proof-of-concept on the i386 architecture, but amd64 (x86-64) deployments are also at risk, with the caveat that it is believed to be more difficult to exploit due to the more effective utilisation of ASLR on this architecture. While this emphasises the benefits of a defence-in-depth approach to cybersecurity, with network access control used to restrict access to sensitive services, the strong recommendation is to upgrade to the patched versions as soon as possible.

How to address CVE-2024-6387

Upgrading the openssh-server package is sufficient, as this will restart the daemon process, as well:

sudo apt update && sudo apt install openssh-server

Users of Ubuntu Pro can also use the pro fix command:

sudo pro fix CVE-2024-6387

It should be noted that all Ubuntu releases from 16.04 LTS onwards enable the unattended-upgrades service which automatically checks for, and installs, any unapplied security updates every 24 hours. As such, this update was automatically rolled out within 24 hours of the updates being released at the CRD.

Mitigation

As the problematic code is only reached when the LoginGraceTime signal-based timer fires, this vulnerability can be eliminated by setting this configuration option to 0 (indefinite). However, please note that this leaves sshd vulnerable to a denial of service attack instead, through the exhaustion of all MaxStartups connections; therefore, the recommendation is to upgrade to the patched version.

If you wish to continue with this mitigation, you can issue the following commands:

echo "LoginGraceTime 0" | sudo tee /etc/ssh/sshd_config.d/cve-2024-6387.conf
sudo systemctl reload ssh.service

References

For more information, please refer to:

https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
https://ubuntu.com/security/CVE-2024-6387
https://ubuntu.com/security/notices/USN-6859-1
https://www.cve.org/CVERecord?id=CVE-2024-6387