ccondon-r7's assessment of CVE-2024-6387

Description

A security regression (CVE-2006-5051) was discovered in OpenSSH’s server (sshd). There is a race condition which can lead to sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

Add Assessment

ccondon-r7 (239)

July 01, 2024 11:08pm UTC (3 days ago)•Edited 2 days ago

Ratings

Exploitability

Very Low

Gives privileged access Difficult to weaponize

Technical Analysis

TL;DR: Neat! Doesn’t sound like something that’s going to be easily exploited or automated in pretty much any scenario, so I have little initial concern about widespread exploitation, or even exploitation at all. I’d expect a long tail of follow-on patches as various distros/products patch it out. Patch, sure, but no need for panic as far as we can tell.

As usual, happy to be proven wrong, but from the (very good!) Qualys technical write-up, this is a memory corruption bug where an adversary would have to win a race condition to exploit it successfully. The Qualys write-up even explicitly notes that “In our experiments, it takes ~10,000 tries on average to win this race condition; i.e., with 10 connections (MaxStartups) accepted per 120 seconds (LoginGraceTime), it takes ~1-2 days on average to obtain a remote root shell.”

See More &1 replySee Less

noraj (102) July 02, 2024 11:54am UTC (2 days ago)•Edited 1 day ago

Exactly, yet another vulnerability that is marketized as critical and requires urgent attention while it will probably never be exploited outside very niche cases.

But as for XZ backdoor, no one now how it will evolve so it’s still better to patch.

cschie822_comcast (3)

July 03, 2024 6:57pm UTC (1 day ago)•Edited 1 day ago

Ratings

Attacker Value

Low

Exploitability

Very Low

Technical Analysis

Doesn’t lend itself to an attackers needs. Takes a very long time to exploit, only works on a specific architecture (32bit), easily detected/blocked as malicious and requires access to a protocol (ssh) that is commonly hardened with access control lists.

SeanWrightFeat (10)

July 02, 2024 2:33pm UTC (2 days ago)•Edited 1 day ago

Ratings

Attacker Value

Very High

Exploitability

Very Low

Technical Analysis

While this vulnerability is interesting, and it certainly has the potential for immense damage and harm, the reality is far more nuanced. The difficulty in exploiting this vulnerability is significant, and will likely have to generate a lot of noise from the attacker. It takes a matter of hours (the quickest to date has been around 4 hours under lab conditions) to successfully exploit, which a lot of traffic and noise that for the most part will not go unnoticed if an organisation has the appropriate monitoring in place.

In addition, this is a not vulnerable on numerous LTS base Operating Systems such as:

RHEL (and thus CentOS) 6, 7, 8 (https://access.redhat.com/security/cve/CVE-2024-6387)
Ubuntu bionic, focal, trusty (https://access.redhat.com/security/cve/CVE-2024-6387)

See More &3 repliesSee Less

cschie822_comcast (3) July 03, 2024 2:53pm UTC (1 day ago)•Edited 1 day ago

interesting… your comments and your attacker value ratings don’t seem to line up.

noraj (102) July 03, 2024 2:57pm UTC (1 day ago)•Edited 1 day ago

@cschie822_comcast it depends if one means the attacker value in case of successful exploitation (which is very high here) or if it is the global attacker value taking every other metrics into account such as the very difficult exploitability (the value is very low). So it depends if it is contextualized or not.

SeanWrightFeat (10) July 03, 2024 3:26pm UTC (1 day ago)

What @noraj said! If successfully exploited, it almost likely gives root access to the system which is about as good as it gets for an attacker. But the effort required to do so is significant, making the chances of successful exploitation very low. So from a risk perspective (risk = impact * likelihood), where the impact (attacker value) is incredibly high, but the likelihood (exploitability) is very low, putting it at about medium risk.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Unknown

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

Red Hat

Products

Red Hat Enterprise Linux 9,
Red Hat Enterprise Linux 6,
Red Hat Enterprise Linux 7,
Red Hat Enterprise Linux 8,
Red Hat OpenShift Container Platform 4

References

Canonical

CVE-2024-6387 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387)

Advisory

regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server (https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server)

regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems (CVE-2024-6387) [technical details} (https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2024-6387-exploit (https://github.com/thegenetic/CVE-2024-6387-exploit) (Added by AKB Worker)

CVE-2024-6387_Check (https://github.com/xaitax/CVE-2024-6387_Check) (Added by AKB Worker)

regresshion-check (https://github.com/wiggels/regresshion-check) (Added by AKB Worker)

OpenSSH-Vulnerability-test (https://github.com/betancour/OpenSSH-Vulnerability-test) (Added by AKB Worker)

CVE-2024-6387 (https://github.com/TAM-K592/CVE-2024-6387) (Added by AKB Worker)

CVE-2024-6387 (https://github.com/l0n3m4n/CVE-2024-6387) (Added by AKB Worker)

CVE-2024-6387 (https://github.com/Symbolexe/CVE-2024-6387) (Added by AKB Worker)