On July 1, 2024, a fix was released for the critical CVE2024-6387 vulnerability, also known as regreSSHion, as part of the coordinated release date (CRD). This vulnerability, discovered and responsibly disclosed by Qualys, is an unauthenticated, network-exploitable remote code execution flaw affecting the OpenSSH server daemon (sshd) from versions 8.5p1 to 9.8p1.
For Ubuntu users, the vulnerability impacted the 22.04 LTS, 23.10, and 24.04 LTS releases. Patched packages were made available to all users on the CRD. Older security-maintained releases, such as those under Extended Security Maintenance (ESM) or Legacy Support—including Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, and 20.04 LTS—were unaffected as they use earlier versions of OpenSSH that do not contain the vulnerable code. If your OpenSSH server is running an affected version, it is strongly recommended to update immediately. Read on to learn more about this vulnerability and how you can apply the necessary fix.
Understanding the Vulnerability
The CVE-2024-6387 vulnerability arises due to an async-signal-unsafe function being called from a signal handler, specifically triggered when the LoginGraceTime timer expires. This results in a race condition, which, despite being challenging to exploit due to Address Space Layout Randomization (ASLR), allows malicious actors to execute arbitrary code as root. The vulnerability is named regreSSHion because it resembles a prior issue, CVE-2006-5051, that was fixed 18 years ago in OpenSSH 4.4p1.
Despite this being a regression, the Qualys report praised the OpenSSH project’s defense-in-depth design, security posture, and track record, emphasizing that software security issues are an inherent reality requiring robust vulnerability management strategies.
Researchers also noted that an unrelated patch in Ubuntu 23.10 and 24.04 LTS likely prevents exploitation. However, upgrading to the patched package remains the recommended action.
Who is Affected?
Any instance of a vulnerable sshd service accessible over a network could be exploited without needing authentication. This makes it a particularly severe vulnerability and a prime target for attackers. Qualys demonstrated a proof-of-concept on the i386 architecture, while amd64 (x86-64) deployments are also vulnerable, although they are harder to exploit due to more effective ASLR.
This underscores the importance of a defense-in-depth approach to cybersecurity, which includes network access controls to restrict sensitive services. However, upgrading to the patched versions is the best protection against this vulnerability.
How to Address CVE-2024-6387
Upgrading the openssh-server package to the patched version is required to address this vulnerability and will restart the daemon process. Execute the following command in your terminal:
sudo apt update && sudo apt install openssh-serverUsers of Ubuntu Pro can also use the pro fix command:
sudo pro fix CVE-2024-6387All Ubuntu releases from 16.04 LTS onwards have the unattended-upgrades service enabled by default. This service automatically checks for and installs any unapplied security updates every 24 hours. As such, this update was automatically deployed within 24 hours of the CRD.
Mitigation
Setting the LoginGraceTime configuration option to 0 (indefinite) can mitigate the vulnerability, although it leaves sshd susceptible to denial-of-service attacks through the exhaustion of all MaxStartups connections. Therefore, upgrading to the patched version is strongly recommended.
If you choose to mitigate by altering the configuration, issue the following commands:
echo "LoginGraceTime 0" | sudo tee /etc/ssh/sshd_config.d/cve-2024-6387.conf
sudo systemctl reload ssh.serviceReferences
For more detailed information, please refer to the following resources:
- Qualys Report on regreSSHion
- Ubuntu Security Advisory on CVE-2024-6387
- Ubuntu Security Notices: USN-6859-1
- CVE Details from CVE.org
Stay vigilant and ensure your systems are updated to mitigate any security risks. For further assistance or questions, feel free to reach out.