CVE-2024-6387: Openssh: regresshion - race condition in ssh allows rce/dos
First published: Thu Jun 27 2024(Updated: )
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
Credit: secalert@redhat.com secalert@redhat.com CVE-2024-6387 CVE-2024-6387 CVE-2024-6387
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft CBL Mariner 2.0 x64 | ||
| Microsoft CBL Mariner 2.0 ARM | ||
| F5 BIG-IP Next | >=20.1.0<=20.2.1 | |
| F5 BIG-IP Next Central Manager | >=20.1.0<=20.2.1 | |
| F5 BIG-IP Next SPK | >=1.7.0<=1.9.2 | |
| F5 BIG-IP Next CNF | >=1.1.0<=1.3.1 | |
| Openbsd Openssh | <4.4 | |
| Openbsd Openssh | >=8.6<9.8 | |
| Openbsd Openssh | =4.4 | |
| Openbsd Openssh | =8.5-p1 | |
| Redhat Openshift Container Platform | =4.0 | |
| Redhat Enterprise Linux | =9.0 | |
| Redhat Enterprise Linux Eus | =9.4 | |
| Redhat Enterprise Linux For Arm 64 | =9.0_aarch64 | |
| Redhat Enterprise Linux For Arm 64 Eus | =9.4_aarch64 | |
| Redhat Enterprise Linux For Ibm Z Systems | =9.0_s390x | |
| Redhat Enterprise Linux For Ibm Z Systems Eus | =9.4_s390x | |
| Redhat Enterprise Linux For Power Little Endian | =9.0_ppc64le | |
| Redhat Enterprise Linux For Power Little Endian Eus | =9.4_ppc64le | |
| Redhat Enterprise Linux Server Aus | =9.4 | |
| Suse Linux Enterprise Micro | =6.0 | |
| Debian Debian Linux | =12.0 | |
| Canonical Ubuntu Linux | =22.04 | |
| Canonical Ubuntu Linux | =22.10 | |
| Canonical Ubuntu Linux | =23.04 | |
| Amazon Linux 2023 | ||
| NetApp E-Series SANtricity OS Controller | >=11.0.0<=11.70.2 | |
| NetApp ONTAP Select Deploy administration utility | ||
| Netapp Ontap Tools Vmware Vsphere | =9 | |
| FreeBSD FreeBSD | =13.2 | |
| FreeBSD FreeBSD | =13.2-p1 | |
| FreeBSD FreeBSD | =13.2-p10 | |
| FreeBSD FreeBSD | =13.2-p11 | |
| FreeBSD FreeBSD | =13.2-p2 | |
| FreeBSD FreeBSD | =13.2-p3 | |
| FreeBSD FreeBSD | =13.2-p4 | |
| FreeBSD FreeBSD | =13.2-p5 | |
| FreeBSD FreeBSD | =13.2-p6 | |
| FreeBSD FreeBSD | =13.2-p7 | |
| FreeBSD FreeBSD | =13.2-p8 | |
| FreeBSD FreeBSD | =13.2-p9 | |
| FreeBSD FreeBSD | =13.3 | |
| FreeBSD FreeBSD | =13.3-p1 | |
| FreeBSD FreeBSD | =13.3-p2 | |
| FreeBSD FreeBSD | =13.3-p3 | |
| FreeBSD FreeBSD | =14.0 | |
| FreeBSD FreeBSD | =14.0-beta5 | |
| FreeBSD FreeBSD | =14.0-p1 | |
| FreeBSD FreeBSD | =14.0-p2 | |
| FreeBSD FreeBSD | =14.0-p3 | |
| FreeBSD FreeBSD | =14.0-p4 | |
| FreeBSD FreeBSD | =14.0-p5 | |
| FreeBSD FreeBSD | =14.0-p6 | |
| FreeBSD FreeBSD | =14.0-p7 | |
| FreeBSD FreeBSD | =14.0-rc3 | |
| FreeBSD FreeBSD | =14.0-rc4-p1 | |
| FreeBSD FreeBSD | =14.1 | |
| FreeBSD FreeBSD | =14.1-p1 | |
| NetBSD NetBSD | <=10.0.0 | |
| Apple macOS Ventura | <13.6.8 | 13.6.8 |
| Apple macOS Monterey | <12.7.6 | 12.7.6 |
| Apple macOS Sonoma | <14.6 | 14.6 |
| Microsoft Azure Arc Resource Bridge | ||
| Microsoft Azure Kubernetes Service Node on Azure Linux | ||
| Microsoft Azure Arc Resource Bridge | ||
| Microsoft Azure Kubernetes Service Node on Ubuntu Linux | ||
| ubuntu/openssh | <1:8.9 | 1:8.9 |
| ubuntu/openssh | <1:9.3 | 1:9.3 |
| ubuntu/openssh | <1:9.6 | 1:9.6 |
| ubuntu/openssh | <9.8 | 9.8 |
| redhat/openssh 8.7p1 | <38 | 38 |
| debian/openssh | 1:8.4p1-5+deb11u3 1:9.2p1-2+deb12u3 1:9.8p1-8 |
Remedy
Set LoginGraceTime to 0 in /etc/ssh/sshd_config. This makes sshd vulnerable to a denial of service (the exhaustion of all MaxStartups connections), but it makes it safe from this vulnerability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://launchpad.net/bugs/cve/CVE-2024-6387
- https://www.bleepingcomputer.com/news/security/new-regresshion-openssh-rce-bug-gives-root-on-linux-servers/
- https://www.theregister.com/2024/07/01/regresshion_openssh/
- https://www.zdnet.com/article/over-14m-servers-may-be-vulnerable-to-opensshs-regresshion-rce-flaw-heres-what-you-need-to-do/
- https://www.theregister.com/2024/07/11/openssh_bug_in_rhel_9/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-6387 (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2024-6387
- https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
- https://ubuntu.com/security/notices/USN-6859-1
- https://ubuntu.com/blog/ubuntu-regresshion-security-fix
- https://nvd.nist.gov/vuln/detail/CVE-2024-6387
- https://security-tracker.debian.org/tracker/CVE-2024-6387
- https://ubuntu.com/security/CVE-2024-6387
- https://github.com/openssh/openssh-portable/commit/752250caabda3dd24635503c4cd689b32a650794
- https://github.com/openssh/openssh-portable/commit/81c1099d22b81ebfd20a334ce986c4f753b0db29
- https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html
- https://www.openwall.com/lists/oss-security/2024/07/01/1
- https://my.f5.com/manage/s/article/K000140222
- http://www.openwall.com/lists/oss-security/2024/07/01/12
- http://www.openwall.com/lists/oss-security/2024/07/01/13
- http://www.openwall.com/lists/oss-security/2024/07/02/1
- http://www.openwall.com/lists/oss-security/2024/07/03/1
- http://www.openwall.com/lists/oss-security/2024/07/03/11
- http://www.openwall.com/lists/oss-security/2024/07/03/2
- http://www.openwall.com/lists/oss-security/2024/07/03/3
- http://www.openwall.com/lists/oss-security/2024/07/03/4
- http://www.openwall.com/lists/oss-security/2024/07/03/5
- http://www.openwall.com/lists/oss-security/2024/07/04/1
- http://www.openwall.com/lists/oss-security/2024/07/04/2
- http://www.openwall.com/lists/oss-security/2024/07/08/2
- http://www.openwall.com/lists/oss-security/2024/07/08/3
- http://www.openwall.com/lists/oss-security/2024/07/09/2
- http://www.openwall.com/lists/oss-security/2024/07/09/5
- http://www.openwall.com/lists/oss-security/2024/07/10/1
- http://www.openwall.com/lists/oss-security/2024/07/10/2
- http://www.openwall.com/lists/oss-security/2024/07/10/3
- http://www.openwall.com/lists/oss-security/2024/07/10/4
- http://www.openwall.com/lists/oss-security/2024/07/10/6
- http://www.openwall.com/lists/oss-security/2024/07/11/1
- http://www.openwall.com/lists/oss-security/2024/07/11/3
- http://www.openwall.com/lists/oss-security/2024/07/23/4
- http://www.openwall.com/lists/oss-security/2024/07/23/6
- http://www.openwall.com/lists/oss-security/2024/07/28/2
- http://www.openwall.com/lists/oss-security/2024/07/28/3
- https://access.redhat.com/errata/RHSA-2024:4312
- https://access.redhat.com/errata/RHSA-2024:4340
- https://access.redhat.com/errata/RHSA-2024:4389
- https://access.redhat.com/errata/RHSA-2024:4469
- https://access.redhat.com/errata/RHSA-2024:4474
- https://access.redhat.com/errata/RHSA-2024:4479
- https://access.redhat.com/errata/RHSA-2024:4484
- https://access.redhat.com/security/cve/CVE-2024-6387
- https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1/
- https://arstechnica.com/security/2024/07/regresshion-vulnerability-in-openssh-gives-attackers-root-on-linux/
- https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
- https://bugzilla.redhat.com/show_bug.cgi?id=2294604
- https://explore.alas.aws.amazon.com/CVE-2024-6387.html
- https://forum.vmssoftware.com/viewtopic.php?f=8&t=9132
- https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2024-002.txt.asc
- https://github.com/AlmaLinux/updates/issues/629
- https://github.com/Azure/AKS/issues/4379
- https://github.com/PowerShell/Win32-OpenSSH/discussions/2248
- https://github.com/PowerShell/Win32-OpenSSH/issues/2249
- https://github.com/microsoft/azurelinux/issues/9555
- https://github.com/openela-main/openssh/commit/e1f438970e5a337a17070a637c1b9e19697cad09
- https://github.com/oracle/oracle-linux/issues/149
- https://github.com/rapier1/hpn-ssh/issues/87
- https://github.com/zgzhang/cve-2024-6387-poc
- https://lists.almalinux.org/archives/list/announce@lists.almalinux.org/thread/23BF5BMGFVEVUI2WNVAGMLKT557EU7VY/
- https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
- https://news.ycombinator.com/item?id=40843778
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0010
- https://santandersecurityresearch.github.io/blog/sshing_the_masses.html
- https://security.netapp.com/advisory/ntap-20240701-0001/
- https://sig-security.rocky.page/issues/CVE-2024-6387/
- https://stackdiary.com/openssh-race-condition-in-sshd-allows-remote-code-execution/
- https://www.akamai.com/blog/security-research/2024-openssh-vulnerability-regression-what-to-know-and-do
- https://www.arista.com/en/support/advisories-notices/security-advisory/19904-security-advisory-0100
- https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc
- https://www.openssh.com/txt/release-9.8
- https://www.splunk.com/en_us/blog/security/cve-2024-6387-regresshion-vulnerability.html
- https://www.suse.com/security/cve/CVE-2024-6387.html
- https://access.redhat.com/security/cve/CVE-2006-5051
- https://support.apple.com/en-us/HT214120 (Advisory)
- https://support.apple.com/en-us/HT214119 (Advisory)
- https://support.apple.com/en-us/HT214118 (Advisory)
- http://seclists.org/fulldisclosure/2024/Jul/18
- http://seclists.org/fulldisclosure/2024/Jul/19
- http://seclists.org/fulldisclosure/2024/Jul/20
- https://support.apple.com/kb/HT214118
- https://support.apple.com/kb/HT214119
- https://support.apple.com/kb/HT214120
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2024-40783
- CVE-2024-27826
- CVE-2024-40774
- CVE-2024-40775
- CVE-2024-27877
- CVE-2024-40799
- CVE-2024-27873
- CVE-2024-2004
- CVE-2024-2379
- CVE-2024-2398
- CVE-2024-2466
- CVE-2024-40827
- CVE-2024-40815
- CVE-2023-6277
- CVE-2023-52356
- CVE-2024-40806
- CVE-2024-40784
- CVE-2024-40816
- CVE-2024-40788
- CVE-2024-40803
- CVE-2024-40796
- CVE-2024-6387
- CVE-2024-40781
- CVE-2024-40802
- CVE-2024-40823
- CVE-2024-27882
- CVE-2024-27883
- CVE-2024-40800
- CVE-2024-40817
- CVE-2024-27881
- CVE-2024-40821
- CVE-2024-40798
- CVE-2024-40833
- CVE-2024-40807
- CVE-2024-40835
- CVE-2024-40834
- CVE-2024-40787
- CVE-2024-40793
- CVE-2024-40809
- CVE-2024-40812
- CVE-2024-40818
- CVE-2024-40786
- CVE-2024-40828
- CVE-2024-23261
- CVE-2024-40829
- CVE-2024-23296
- CVE-2024-40804
- CVE-2023-38709
- CVE-2024-24795
- CVE-2024-27316
- CVE-2024-40814
- CVE-2024-27878
- CVE-2024-40795
- CVE-2024-40777
- CVE-2024-27863
- CVE-2024-40805
- CVE-2024-40832
- CVE-2024-40778
- CVE-2023-27952
- CVE-2024-40824
- CVE-2024-27871
- CVE-2024-27872
- CVE-2024-27862
- CVE-2024-40836
- CVE-2024-40822
- CVE-2024-40811
- CVE-2024-40776
- CVE-2024-40782
- CVE-2024-40779
- CVE-2024-40780
- CVE-2024-40785
- CVE-2024-40789
- CVE-2024-4558
- CVE-2024-40794
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-6387
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/weakness
- agent/first-publish-date
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2006-5051
- alias/CVE-2008-4109
- collector/the-register
- source/The Register
- agent/remedy
- collector/zdnet-article
- source/ZDNet
- alias/CVE-2024-6409
- collector/msrc
- source/Microsoft
- agent/software-canonical-lookup
- collector/msrc-cve
- collector/usn-cve
- source/Ubuntu
- agent/title
- collector/f5-advisory
- source/F5
- agent/severity
- agent/event
- agent/author
- agent/description
- collector/nvd-api
- source/NVD
- agent/references
- collector/security-tracker-debian
- source/Debian
- collector/nvd-cve
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- collector/apple-support
- source/Apple
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/softwarecombine
- agent/tags
- agent/software-canonical-lookup-request
- vendor/microsoft
- canonical/microsoft cbl mariner 2.0 x64
- canonical/microsoft cbl mariner 2.0 arm
- package-manager/ubuntu
- vendor/f5
- canonical/f5 big-ip next
- version/f5 big-ip next/20.1.0
- version/f5 big-ip next/20.2.1
- canonical/f5 big-ip next central manager
- version/f5 big-ip next central manager/20.1.0
- version/f5 big-ip next central manager/20.2.1
- canonical/f5 big-ip next spk
- version/f5 big-ip next spk/1.7.0
- version/f5 big-ip next spk/1.9.2
- canonical/f5 big-ip next cnf
- version/f5 big-ip next cnf/1.1.0
- version/f5 big-ip next cnf/1.3.1
- vendor/openbsd
- canonical/openbsd openssh
- version/openbsd openssh/8.6
- version/openbsd openssh/4.4
- version/openbsd openssh/8.5-p1
- vendor/redhat
- canonical/redhat openshift container platform
- version/redhat openshift container platform/4.0
- canonical/redhat enterprise linux
- version/redhat enterprise linux/9.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/9.4
- canonical/redhat enterprise linux for arm 64
- version/redhat enterprise linux for arm 64/9.0_aarch64
- canonical/redhat enterprise linux for arm 64 eus
- version/redhat enterprise linux for arm 64 eus/9.4_aarch64
- canonical/redhat enterprise linux for ibm z systems
- version/redhat enterprise linux for ibm z systems/9.0_s390x
- canonical/redhat enterprise linux for ibm z systems eus
- version/redhat enterprise linux for ibm z systems eus/9.4_s390x
- canonical/redhat enterprise linux for power little endian
- version/redhat enterprise linux for power little endian/9.0_ppc64le
- canonical/redhat enterprise linux for power little endian eus
- version/redhat enterprise linux for power little endian eus/9.4_ppc64le
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/9.4
- vendor/suse
- canonical/suse linux enterprise micro
- version/suse linux enterprise micro/6.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/12.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/22.04
- version/canonical ubuntu linux/22.10
- version/canonical ubuntu linux/23.04
- vendor/amazon
- canonical/amazon linux 2023
- vendor/netapp
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0.0
- version/netapp e-series santricity os controller/11.70.2
- canonical/netapp ontap select deploy administration utility
- canonical/netapp ontap tools vmware vsphere
- version/netapp ontap tools vmware vsphere/9
- vendor/freebsd
- canonical/freebsd freebsd
- version/freebsd freebsd/13.2
- version/freebsd freebsd/13.2-p1
- version/freebsd freebsd/13.2-p10
- version/freebsd freebsd/13.2-p11
- version/freebsd freebsd/13.2-p2
- version/freebsd freebsd/13.2-p3
- version/freebsd freebsd/13.2-p4
- version/freebsd freebsd/13.2-p5
- version/freebsd freebsd/13.2-p6
- version/freebsd freebsd/13.2-p7
- version/freebsd freebsd/13.2-p8
- version/freebsd freebsd/13.2-p9
- version/freebsd freebsd/13.3
- version/freebsd freebsd/13.3-p1
- version/freebsd freebsd/13.3-p2
- version/freebsd freebsd/13.3-p3
- version/freebsd freebsd/14.0
- version/freebsd freebsd/14.0-beta5
- version/freebsd freebsd/14.0-p1
- version/freebsd freebsd/14.0-p2
- version/freebsd freebsd/14.0-p3
- version/freebsd freebsd/14.0-p4
- version/freebsd freebsd/14.0-p5
- version/freebsd freebsd/14.0-p6
- version/freebsd freebsd/14.0-p7
- version/freebsd freebsd/14.0-rc3
- version/freebsd freebsd/14.0-rc4-p1
- version/freebsd freebsd/14.1
- version/freebsd freebsd/14.1-p1
- vendor/netbsd
- canonical/netbsd netbsd
- version/netbsd netbsd/10.0.0
- package-manager/debian
- package-manager/redhat
- vendor/apple
- canonical/apple macos ventura
- canonical/apple macos monterey
- canonical/apple macos sonoma
- canonical/microsoft azure kubernetes service node on azure linux
- canonical/microsoft azure arc resource bridge
- canonical/microsoft azure kubernetes service node on ubuntu linux