CVE-2024-6387

Openssh: regresshion - race condition in ssh allows rce/dos

Severity Score

8.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

Se encontró una condición de ejecución del controlador de señales en el servidor de OpenSSH (sshd), donde un cliente no se autentica dentro de los segundos de LoginGraceTime (120 de forma predeterminada, 600 en versiones anteriores de OpenSSH), luego se llama al controlador SIGALRM de sshd de forma asincrónica. Sin embargo, este controlador de señales llama a varias funciones que no son seguras para señales asíncronas, por ejemplo, syslog().

*Credits: Red Hat would like to thank Qualys Threat Research Unit (TRU) (Qualys) for reporting this issue.

CVSS Scores

NISTv3.1 8.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-06-27 CVE Reserved
2024-07-01 CVE Published
2024-07-01 First Exploit
2024-09-14 CVE Updated
2024-09-14 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-364: Signal Handler Race Condition

CAPEC

References (110)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/07/01/12	Mailing List
http://www.openwall.com/lists/oss-security/2024/07/01/13	Mailing List
http://www.openwall.com/lists/oss-security/2024/07/02/1	Mailing List
http://www.openwall.com/lists/oss-security/2024/07/03/1	Mailing List
http://www.openwall.com/lists/oss-security/2024/07/03/11	Mailing List
http://www.openwall.com/lists/oss-security/2024/07/03/2	Mailing List
http://www.openwall.com/lists/oss-security/2024/07/03/3	Mailing List
http://www.openwall.com/lists/oss-security/2024/07/03/4	Mailing List
http://www.openwall.com/lists/oss-security/2024/07/03/5	Mailing List
http://www.openwall.com/lists/oss-security/2024/07/04/1	Mailing List
http://www.openwall.com/lists/oss-security/2024/07/04/2	Mailing List
http://www.openwall.com/lists/oss-security/2024/07/08/2
http://www.openwall.com/lists/oss-security/2024/07/08/3
http://www.openwall.com/lists/oss-security/2024/07/09/2
http://www.openwall.com/lists/oss-security/2024/07/09/5
http://www.openwall.com/lists/oss-security/2024/07/10/1
http://www.openwall.com/lists/oss-security/2024/07/10/2
http://www.openwall.com/lists/oss-security/2024/07/10/3
http://www.openwall.com/lists/oss-security/2024/07/10/4
http://www.openwall.com/lists/oss-security/2024/07/10/6
http://www.openwall.com/lists/oss-security/2024/07/11/1
http://www.openwall.com/lists/oss-security/2024/07/11/3
http://www.openwall.com/lists/oss-security/2024/07/23/4
http://www.openwall.com/lists/oss-security/2024/07/23/6
https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1	Third Party Advisory
https://arstechnica.com/security/2024/07/regresshion-vulnerability-in-openssh-gives-attackers-root-on-linux	Press
https://explore.alas.aws.amazon.com/CVE-2024-6387.html	Third Party Advisory
https://forum.vmssoftware.com/viewtopic.php?f=8&t=9132
https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2024-002.txt.asc	Third Party Advisory
https://github.com/AlmaLinux/updates/issues/629	Issue Tracking
https://github.com/Azure/AKS/issues/4379	Issue Tracking
https://github.com/PowerShell/Win32-OpenSSH/discussions/2248	Issue Tracking
https://github.com/PowerShell/Win32-OpenSSH/issues/2249	Issue Tracking
https://github.com/microsoft/azurelinux/issues/9555	Issue Tracking
https://github.com/openela-main/openssh/commit/e1f438970e5a337a17070a637c1b9e19697cad09
https://github.com/oracle/oracle-linux/issues/149	Issue Tracking
https://github.com/rapier1/hpn-ssh/issues/87	Issue Tracking
https://github.com/zgzhang/cve-2024-6387-poc	Third Party Advisory
https://lists.almalinux.org/archives/list/announce@lists.almalinux.org/thread/23BF5BMGFVEVUI2WNVAGMLKT557EU7VY
https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html	Mailing List
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0010	Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2024-6387	Third Party Advisory
https://security.netapp.com/advisory/ntap-20240701-0001	Third Party Advisory
https://sig-security.rocky.page/issues/CVE-2024-6387	Third Party Advisory
https://stackdiary.com/openssh-race-condition-in-sshd-allows-remote-code-execution	Third Party Advisory
https://ubuntu.com/security/CVE-2024-6387	Third Party Advisory
https://ubuntu.com/security/notices/USN-6859-1	Third Party Advisory
https://www.akamai.com/blog/security-research/2024-openssh-vulnerability-regression-what-to-know-and-do
https://www.arista.com/en/support/advisories-notices/security-advisory/19904-security-advisory-0100
https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc	Third Party Advisory
https://www.openssh.com/txt/release-9.8	Release Notes
https://www.splunk.com/en_us/blog/security/cve-2024-6387-regresshion-vulnerability.html
https://www.suse.com/security/cve/CVE-2024-6387.html	Third Party Advisory
https://www.theregister.com/2024/07/01/regresshion_openssh	Third Party Advisory
https://santandersecurityresearch.github.io/blog/sshing_the_masses.html

URL	Date	SRC
https://github.com/l0n3m4n/CVE-2024-6387	2024-07-05
https://github.com/thegenetic/CVE-2024-6387-exploit	2024-07-02
https://github.com/d0rb/CVE-2024-6387	2024-07-04
https://github.com/devarshishimpi/CVE-2024-6387-Check	2024-07-08
https://github.com/AiGptCode/ssh_exploiter_CVE-2024-6387	2024-07-04
https://github.com/Symbolexe/CVE-2024-6387	2024-07-04
https://github.com/xonoxitron/regreSSHion	2024-07-02
https://github.com/PrincipalAnthony/CVE-2024-6387-Updated-x64bit	2024-07-02
https://github.com/4lxprime/regreSSHive	2024-07-04
https://github.com/shamo0/CVE-2024-6387_PoC	2024-07-02
https://github.com/harshinsecurity/sentinelssh	2024-07-08
https://github.com/MrR0b0t19/CVE-2024-6387-Exploit-POC	2024-07-02
https://github.com/l-urk/CVE-2024-6387	2024-07-30
https://github.com/l-urk/CVE-2024-6387-L	2024-08-06
https://github.com/filipi86/CVE-2024-6387-Vulnerability-Checker	2024-07-10
https://github.com/asterictnl-lvdw/CVE-2024-6387	2024-08-22
https://github.com/bigb0x/CVE-2024-6387	2024-07-06
https://github.com/3yujw7njai/CVE-2024-6387	2024-07-02
https://github.com/getdrive/CVE-2024-6387-PoC	2024-07-01
https://github.com/sxlmnwb/CVE-2024-6387	2024-07-03
https://github.com/TAM-K592/CVE-2024-6387	2024-07-02
https://github.com/paradessia/CVE-2024-6387-nmap	2024-07-02
https://github.com/azurejoga/CVE-2024-6387-how-to-fix	2024-07-05
https://github.com/ThatNotEasy/CVE-2024-6387	2024-07-15
https://github.com/lala-amber/CVE-2024-6387	2024-07-04
https://github.com/th3gokul/CVE-2024-6387	2024-07-02
https://github.com/prelearn-code/CVE-2024-6387	2024-07-25
https://github.com/ahlfors/CVE-2024-6387	2024-07-02
https://github.com/ACHUX21/checker-CVE-2024-6387	2024-07-02
https://github.com/FerasAlrimali/CVE-2024-6387-POC	2024-07-01
https://github.com/SiberianHacker/CVE-2024-6387-Finder	2024-07-05
https://github.com/SecWithMoh/CVE-2024-6387	2024-07-02
https://github.com/ThemeHackers/CVE-2024-6387	2024-07-11
https://github.com/sms2056/CVE-2024-6387	2024-07-04
https://github.com/no-one-sec/CVE-2024-6387	2024-07-02
https://github.com/imv7/CVE-2024-6387	2024-07-05
https://github.com/R4Tw1z/CVE-2024-6387	2024-07-02
https://github.com/grupooruss/CVE-2024-6387	2024-07-02
https://github.com/dawnl3ss/CVE-2024-6387	2024-07-02
https://github.com/jack0we/CVE-2024-6387	2024-07-01
https://github.com/Jhonsonwannaa/CVE-2024-6387	2024-07-14
https://github.com/identity-threat-labs/CVE-2024-6387-Vulnerability-Checker	2024-08-29
https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server	2024-07-23
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt	2024-09-14

URL	Date	SRC
https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html	2024-07-23
https://news.ycombinator.com/item?id=40843778	2024-07-23

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2024:4312	2024-07-23
https://access.redhat.com/errata/RHSA-2024:4340	2024-07-23
https://access.redhat.com/errata/RHSA-2024:4389	2024-07-23
https://access.redhat.com/errata/RHSA-2024:4469	2024-07-23
https://access.redhat.com/errata/RHSA-2024:4474	2024-07-23
https://access.redhat.com/errata/RHSA-2024:4479	2024-07-23
https://access.redhat.com/errata/RHSA-2024:4484	2024-07-23
https://access.redhat.com/security/cve/CVE-2024-6387	2024-07-17
https://bugzilla.redhat.com/show_bug.cgi?id=2294604	2024-07-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				< 4.4 Search vendor "Openbsd" for product "Openssh" and version " < 4.4"		-		Affected
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				>= 8.6 < 9.8 Search vendor "Openbsd" for product "Openssh" and version " >= 8.6 < 9.8"		-		Affected
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				4.4 Search vendor "Openbsd" for product "Openssh" and version "4.4"		-		Affected
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				8.5 Search vendor "Openbsd" for product "Openssh" and version "8.5"		p1		Affected
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				9.8 Search vendor "Openbsd" for product "Openssh" and version "9.8"		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				4.0 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				9.0 Search vendor "Redhat" for product "Enterprise Linux" and version "9.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus"				9.4 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "9.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Arm 64 Search vendor "Redhat" for product "Enterprise Linux For Arm 64"				9.0_aarch64 Search vendor "Redhat" for product "Enterprise Linux For Arm 64" and version "9.0_aarch64"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Arm 64 Eus Search vendor "Redhat" for product "Enterprise Linux For Arm 64 Eus"				9.4_aarch64 Search vendor "Redhat" for product "Enterprise Linux For Arm 64 Eus" and version "9.4_aarch64"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Ibm Z Systems Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems"				9.0_s390x Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems" and version "9.0_s390x"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Ibm Z Systems Eus Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems Eus"				9.4_s390x Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems Eus" and version "9.4_s390x"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Power Little Endian Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian"				9.0_ppc64le Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian" and version "9.0_ppc64le"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Power Little Endian Eus Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus"				9.4_ppc64le Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus" and version "9.4_ppc64le"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Aus Search vendor "Redhat" for product "Enterprise Linux Server Aus"				9.4 Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "9.4"		-		Affected
Suse Search vendor "Suse"		Linux Enterprise Micro Search vendor "Suse" for product "Linux Enterprise Micro"				6.0 Search vendor "Suse" for product "Linux Enterprise Micro" and version "6.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				12.0 Search vendor "Debian" for product "Debian Linux" and version "12.0"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				22.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "22.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				22.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "22.10"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				23.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "23.04"		lts		Affected
Amazon Search vendor "Amazon"		Linux 2023 Search vendor "Amazon" for product "Linux 2023"				-		-		Affected
Netapp Search vendor "Netapp"		E-series Santricity Os Controller Search vendor "Netapp" for product "E-series Santricity Os Controller"				>= 11.0.0 <= 11.70.2 Search vendor "Netapp" for product "E-series Santricity Os Controller" and version " >= 11.0.0 <= 11.70.2"		-		Affected
Netapp Search vendor "Netapp"		Ontap Select Deploy Administration Utility Search vendor "Netapp" for product "Ontap Select Deploy Administration Utility"				-		-		Affected
Netapp Search vendor "Netapp"		Ontap Tools Search vendor "Netapp" for product "Ontap Tools"				9 Search vendor "Netapp" for product "Ontap Tools" and version "9"		vmware_vsphere		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				13.2 Search vendor "Freebsd" for product "Freebsd" and version "13.2"		-		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				13.2 Search vendor "Freebsd" for product "Freebsd" and version "13.2"		p1		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				13.2 Search vendor "Freebsd" for product "Freebsd" and version "13.2"		p10		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				13.2 Search vendor "Freebsd" for product "Freebsd" and version "13.2"		p11		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				13.2 Search vendor "Freebsd" for product "Freebsd" and version "13.2"		p2		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				13.2 Search vendor "Freebsd" for product "Freebsd" and version "13.2"		p3		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				13.2 Search vendor "Freebsd" for product "Freebsd" and version "13.2"		p4		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				13.2 Search vendor "Freebsd" for product "Freebsd" and version "13.2"		p5		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				13.2 Search vendor "Freebsd" for product "Freebsd" and version "13.2"		p6		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				13.2 Search vendor "Freebsd" for product "Freebsd" and version "13.2"		p7		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				13.2 Search vendor "Freebsd" for product "Freebsd" and version "13.2"		p8		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				13.2 Search vendor "Freebsd" for product "Freebsd" and version "13.2"		p9		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				13.3 Search vendor "Freebsd" for product "Freebsd" and version "13.3"		-		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				13.3 Search vendor "Freebsd" for product "Freebsd" and version "13.3"		p1		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				13.3 Search vendor "Freebsd" for product "Freebsd" and version "13.3"		p2		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				13.3 Search vendor "Freebsd" for product "Freebsd" and version "13.3"		p3		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				14.0 Search vendor "Freebsd" for product "Freebsd" and version "14.0"		-		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				14.0 Search vendor "Freebsd" for product "Freebsd" and version "14.0"		beta5		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				14.0 Search vendor "Freebsd" for product "Freebsd" and version "14.0"		p1		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				14.0 Search vendor "Freebsd" for product "Freebsd" and version "14.0"		p2		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				14.0 Search vendor "Freebsd" for product "Freebsd" and version "14.0"		p3		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				14.0 Search vendor "Freebsd" for product "Freebsd" and version "14.0"		p4		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				14.0 Search vendor "Freebsd" for product "Freebsd" and version "14.0"		p5		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				14.0 Search vendor "Freebsd" for product "Freebsd" and version "14.0"		p6		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				14.0 Search vendor "Freebsd" for product "Freebsd" and version "14.0"		p7		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				14.0 Search vendor "Freebsd" for product "Freebsd" and version "14.0"		rc3		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				14.0 Search vendor "Freebsd" for product "Freebsd" and version "14.0"		rc4-p1		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				14.1 Search vendor "Freebsd" for product "Freebsd" and version "14.1"		-		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				14.1 Search vendor "Freebsd" for product "Freebsd" and version "14.1"		p1		Affected
Netbsd Search vendor "Netbsd"		Netbsd Search vendor "Netbsd" for product "Netbsd"				<= 10.0.0 Search vendor "Netbsd" for product "Netbsd" and version " <= 10.0.0"		-		Affected