Coalition routinely monitors policyholders' networks to help protect them from critical and emerging cyber threats.
CVE-2024-6387:
Is a critical remote code execution (RCE) vulnerability in OpenSSH, the widely-used implementation of the Secure Shell (SSH) protocol. This vulnerability arises from a signal handler race condition in the OpenSSH server (sshd). Specifically, if a client does not authenticate within the configured `LoginGraceTime` (120 seconds by default), the SIGALRM signal handler is called asynchronously, potentially leading to the execution of arbitrary code by an attacker. This vulnerability can be exploited to gain unauthorized access, execute malicious code, and disrupt services on affected servers.
Ensure that your OpenSSH software is updated to the latest version, which includes the patch for CVE-2024-6387. Regularly apply all security updates and patches OpenSSH maintainers provide to mitigate vulnerabilities.
What happened?
OpenSSH (Open Secure Shell) is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client-server architecture. It was developed as an open-source implementation of the SSH protocol to replace less secure terminal emulation programs like Telnet, rlogin, and FTP.
On July 1 2024, the National Institute of Standards and Technology (NIST) updated the National Vulnerability Database (NVD) with findings from multiple threat research organizations that released an analysis of the OpenSSH vulnerability, CVE-2024-6387. Because its Overall Score is an 8.1 (critical), we are advising users of this protocol to immediately follow internal incident response protocols to investigate possible breaches, as well as to apply the available patches.
How to mitigate:
To mitigate the vulnerability in OpenSSH (CVE-2024-6387), follow these steps:
1. Apply the Patch: The most effective mitigation is to apply the official patch from the OpenSSH developers: https://www.openssh.com/. This patch addresses the remote code execution vulnerability that has resurfaced due to a regression from an older issue (CVE-2006-5051).
2. Update OpenSSH: Ensure that your OpenSSH version is updated to 9.8p1 or later, which includes the fix for this vulnerability. Many Linux distributions may backport the patch without changing the version number, so check your distribution's advisories and updates.
3. Limit Connection Attempts: To reduce the risk of exploitation, configure your SSH server to limit the rate of new connection attempts. You can do this by adjusting the MaxStartups and LoginGraceTime settings in your SSH configuration file. These settings can slow down potential brute-force attempts to exploit the vulnerability.
Network-Level Protections:
Port Knocking: Implement port knocking to make your SSH service less accessible to attackers.
Move SSH to a Non-Standard Port: Changing the default SSH port can reduce the likelihood of automated attacks.
IP Whitelisting: Restrict SSH access to specific IP addresses using firewall rules.
Legacy Systems: For older or legacy systems, consider additional protections if patches are not available. This includes using network firewalls to limit connection rates and employing alternative access controls like VPNs.
How does this impact my risk score?
CVE-2024-6387 is listed as a critical finding and should be resolved as quickly as possible to reduce your risk of a breach. Apply the Mitigations above and use the Security FIndings section of your dashboard to resolve this critical finding. The below article will reference how to resolve a security finding.
Resources:
For Coalition incident response or claims:
https://help.coalitioninc.com/hc/en-us/sections/10276603284635-Claims
For more details on CVE-2024-6387:
Qualys Blogpost
https://www.qualys.com/regresshion-cve-2024-6387/
CVE-2024-6387: Github Checker
https://github.com/xaitax/CVE-2024-6387_Check/blob/main/CVE-2024-6387_Check.py
National Vulnerability Database (NVD)