VyOS Networks Blog

Building an open source network OS for the people, together.

CVE-2024-6387 (regreSSHion)

Daniil Baturin
Posted 1 Jul, 2024

Hello, Community!

Today Qualys's security team has disclosed a remotely exploitable vulnerability in the OpenSSH server. It was assigned the identifier CVE-2024-6387 and nicknamed "regreSSHion" because its cause is an accidental removal of code that fixed a much earlier vulnerability back in 2006. It affects OpenSSH versions older than 4.4p1 and versions between 8.5p1 and 9.8p1. VyOS 1.3.8 includes OpenSSH 7.9p1 and thus isn't vulnerable. VyOS 1.4.0 includes 9.2p1 and will need a patch to remain secure.

The vulnerability is potentially dangerous because it allows an unauthenticated, remote attacker to gain a root shell on any vulnerable system. However, don't panic just yet. The cause is a race condition in signal handling, and it's not enough to just send a specially-crafted packet like in the famous scene from Matrix Reloaded. Successful exploitation requires a lot of luck, and the condition is so unlikely that it took the researchers 6 to 8 hours of constant attempts to compromise a target.

The second factor is that it was only successfully exploited on 32-bit x86 systems with much weaker ASLR (Address Space Layout Randomization) than modern x86-64 machines, and there is no working proof of concept for 64-bit machines yet.

VyOS hasn't supported 32-bit x86 in a long time, so it's not practically exploitable yet. Still, we made a hotfix archive that automatically installs updated openssh-server, openssh-client, openssl, and libssl3 packages (anyone with a subscription can access it through the knowledge base) and we will include the fix in the upcoming 1.4.1 release. Rolling release images will automatically pick up the fix from Debian updates in the next nightly build.

For now, here's what you can do to mitigate the issue:

  • Install the hotfix package, or download packages from the debian-security repositories and update them by hand with dpkg.

    If you cannot update just yet, then:

  • If possible, completely prohibit SSH connections from untrusted hosts.
  • Use rate limiting for SSH connections to make exploitation impractical.
  • Watch out for more intensive than usual SSH brute force attacks that may be a sign of someone attempting to exploit this vulnerability rather than find accounts with weak passwords.
  • One mitigation available without package upgrades is setting LoginGraceTime to 0 in sshd_config — however, VyOS CLI doesn't provide that option and local modification will be lost on the next commit or reboot, so we don't recommend that (it also makes SSHd vulnerable to a denial of service attack).
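Before deciding between the hotfix and the fallback mitigations, it helps to know which of the version ranges named above a host falls into. The script below is an added example, not code from the VyOS post or project: it reduces an OpenSSH version string (a bare `9.2p1`, an `ssh -V` banner, or a dpkg package version) to a comparable number and checks it against the ranges the post gives, treating 9.8p1 as the first fixed upstream release. The sample inputs are constructed. It assumes that a distro-patched package such as the hotfix keeps the upstream version number, so an "affected" result means "compare the package version with the vendor advisory", not a confirmed vulnerability.

```shell
#!/bin/sh
# Added example, not code from the VyOS post: first-pass triage of an OpenSSH
# version string against the CVE-2024-6387 ranges the post states.
# Affected: older than 4.4p1, or 8.5p1 up to (but not including) 9.8p1, the
# upstream release that carries the fix.
# Assumption: a distro-patched package (the VyOS hotfix, a Debian security
# update) keeps the upstream version, so "affected" here means "check the
# vendor advisory for this package version", not "confirmed vulnerable".

# Reduce "9.2p1", a banner such as "OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL ..."
# or a dpkg version such as "1:9.2p1-2+example1" (constructed samples) to
#   major*10000 + minor*100 + patchlevel   ->  9.2p1 becomes 90201
# Prints nothing and returns 1 when no OpenSSH version is present.
ssh_version_key() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*p[0-9][0-9]*\).*/\1/p')
    [ -n "$v" ] || return 1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%p*}
    patch=${rest#*p}
    echo $((major * 10000 + minor * 100 + patch))
}

# Returns 0 if the version is in an affected range, 1 if outside, 2 if unparseable.
is_affected() {
    key=$(ssh_version_key "$1") || return 2
    [ "$key" -lt 40401 ] && return 0                            # older than 4.4p1
    [ "$key" -ge 80501 ] && [ "$key" -lt 90801 ] && return 0    # 8.5p1 .. 9.7pN
    return 1
}

# Prints one of: affected / not affected / unknown. Always returns 0 so it is
# safe to call under `set -e`.
triage() {
    rc=0
    is_affected "$1" || rc=$?
    case $rc in
        0) echo "affected" ;;
        1) echo "not affected" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample inputs, including the version numbers the post mentions.
# On a real host, feed it `ssh -V 2>&1` (the banner goes to stderr) or
# `dpkg-query -W -f='${Version}\n' openssh-server`.
for sample in "7.9p1" "9.2p1" "OpenSSH_9.8p1, OpenSSL 3.0.13 30 Jan 2024" \
              "4.3p2" "1:9.2p1-2+example1" "not-an-openssh-banner"; do
    printf '%-45s %s\n' "$sample" "$(triage "$sample")"
done
```

A host that reports 9.2p1 (as VyOS 1.4.0 does) lands in the affected range on upstream version alone; whether the installed openssh-server package already carries the hotfix is a question for the package version and the knowledge-base article, which this script deliberately does not try to answer.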

That's all for now, but stay tuned for updates!
