Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability

On July 1, 2024, a critical signal handler race condition vulnerability was disclosed in OpenSSH servers on glibc-based Linux systems.
Using Palo Alto Networks Xpanse data, we observed 23 million instances of OpenSSH servers including all versions.
We saw over 7 million exposed instances of OpenSSH versions 8.5p1-9.7p1 globally as of July 1, 2024.
Including older versions, we see 7.3 million total.
This is likely to be an overcount of vulnerable versions as there is no reliable way to account for backporting, in which instances are running patched versions but displaying impacted version numbers.
We have been unable to successfully exploit the CVE-2024-6387 vulnerability with this PoC to achieve remote code execution.
Customers can access external SSH exposure detection from Cortex Xpanse and XSIAM. Customers are also better protected by Prisma Cloud through tooling such as Prisma Cloud's agent or agentless vulnerability scanning and Software Composition Analysis tools, which assist in identifying vulnerable resources across the cloud development lifecycle.
OpenBSD is not vulnerable because its signal alarm handler uses syslog r(), an async-signal-safe version of syslog().
Table 1 shows the vulnerable versions associated with CVE-2024-6387.
Breakdown of vulnerable OpenSSH versions associated with CVE-2024-6387.
We have been unable to successfully exploit the CVE-2024-6387 vulnerability with this PoC to achieve remote code execution in our testing environment.
Palo Alto Networks recommends updating all OpenSSH instances to the latest version of OpenSSH, later than v9.8p1. Prisma Cloud detects the presence of any cloud resource that is vulnerable to CVE-2024-6387 as shown in Figure 1, including VM, serverless, container resources and cloud image repositories.
Prisma Cloud customers can query their cloud environments for cloud resources that contain the CVE-2024-6387 vulnerability that are also internet accessible, as shown in Figure 2.
If instances of the RegreSSHion vulnerability are found within cloud resources, they should be updated to the latest version of OpenSSH and an investigation should be started to ensure no malicious connections were established with the vulnerable cloud resources.
Fields endpoint name, application name, raw version, product major version, product minor version, product rev.
CVE-2024-6387 is a signal handler race condition vulnerability in OpenSSH servers on glibc-based Linux systems.
This vulnerability impacts all OpenSSH server versions between 8.5p1-9.8p1, as well as versions earlier than 4.4p1, if they've not backport-patched against CVE-2006-5051 or patched against CVE-2008-4109.
Prisma Cloud has detection capabilities in place for CVE-2024-6387.
Prevention capabilities also exist with Prisma Cloud Agent and Agentless vulnerability scanning.
Prisma Cloud Software Composition Analysis can detect vulnerable cloud resources throughout the cloud development lifecycle, including within cloud image repositories.


This Cyber News was published on unit42.paloaltonetworks.com. Publication date: Tue, 02 Jul 2024 18:43:05 +0000


Cyber News related to Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability

Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability - On July 1, 2024, a critical signal handler race condition vulnerability was disclosed in OpenSSH servers on glibc-based Linux systems. Using Palo Alto Networks Xpanse data, we observed 23 million instances of OpenSSH servers including all versions. ...
4 months ago Unit42.paloaltonetworks.com
New regreSSHion OpenSSH RCE bug gives root on Linux servers - OpenSSH is a suite of networking utilities based on the Secure Shell protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. The flaw, discovered by researchers at ...
4 months ago Bleepingcomputer.com
Critical OpenSSH vulnerability could affect millions of servers - Qualys disclosed a critical OpenSSH vulnerability and warned that more than 14 million potentially vulnerable server instances are exposed to the internet. In a blog post on Monday, Bharat Jogi, senior director of Qualys' Threat Research Unit, ...
4 months ago Techtarget.com
Millions of OpenSSH Servers Potentially Vulnerable to Remote regreSSHion Attack - Millions of OpenSSH servers could be affected by a newly disclosed vulnerability that can be exploited for unauthenticated remote code execution. The flaw, tracked as CVE-2024-6387 and named regreSSHion, was discovered by the threat research unit at ...
4 months ago Securityweek.com
regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server - The Qualys Threat Research Unit has discovered a Remote Unauthenticated Code Execution vulnerability in OpenSSH's server in glibc-based Linux systems. CVE assigned to this vulnerability is CVE-2024-6387. The vulnerability, which is a signal handler ...
4 months ago Blog.qualys.com
regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server - The Qualys Threat Research Unit has discovered a Remote Unauthenticated Code Execution vulnerability in OpenSSH's server in glibc-based Linux systems. CVE assigned to this vulnerability is CVE-2024-6387. The vulnerability, which is a signal handler ...
4 months ago Packetstormsecurity.com
Openssh Flaw Exposes Millions of Linux to Arbitrary Code Attacks - A critical vulnerability has been discovered in OpenSSH, a widely used implementation of the SSH protocol, which could potentially expose millions of Linux systems to arbitrary code execution attacks. The flaw, identified in the sshd(8) component of ...
4 months ago Cybersecuritynews.com
Critical OpenSSH Flaw Enables Full System Compromise - Over 14 million OpenSSH instances exposed to the internet are now at risk following the discovery of a critical vulnerability in OpenSSH's server, according to a new analysis by Qualys. The remote unauthenticated code execution vulnerability could ...
4 months ago Infosecurity-magazine.com
TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793 - As part of this analysis, we look at threat actor TTPs employed throughout the intrusion and how they were identified and pieced together by the FortiGuard IR team. The following section of this report focuses on the activities of one of these threat ...
11 months ago Feeds.fortinet.com
Top 7 Cyber Threat Hunting Tools for 2024 - Cyber threat hunting is a proactive security measure taken to detect and neutralize potential threats on a network before they cause significant damage. To seek out this type of threat, security professionals use cyber threat-hunting tools. With ...
9 months ago Techrepublic.com
Staying ahead of threat actors in the age of AI - At the same time, it is also important for us to understand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today we are publishing research on emerging threats in the age of AI, focusing on identified ...
9 months ago Microsoft.com
What Is Threat Modeling? - Threat modeling emerges as a pivotal process in this landscape, offering a structured approach to identify, assess, and address potential security threats. Threat Modeling Adoption and Implementation The successful adoption of threat modeling within ...
10 months ago Feeds.dzone.com
What Is Cyber Threat Hunting? - Cyber threat hunting involves proactively searching for threats on an organization's network that are unknown to traditional cybersecurity solutions. A recent report from Armis found that cyber attack attempts increased by 104% in 2023, underscoring ...
9 months ago Techrepublic.com
How to Use Threat Intelligence Feeds for SOC/DFIR Teams - Threat intelligence feeds provide real-time updates on indicators of compromise, such as malicious IPs and URLs. Security systems can then ingest these IOCs to identify and block potential threats, which essentially grants organizations immunity to ...
6 months ago Cybersecuritynews.com
How to Overcome the Most Common Challenges with Threat Intelligence - Today's typical approach to threat intelligence isn't putting organizations in a place to do that. Instead, many threat intelligence tools are delivering too much uncurated and irrelevant information that arrives too late to act upon. Organizations ...
10 months ago Cyberdefensemagazine.com
Debian and Ubuntu Fixed OpenSSH Vulnerabilities - Debian and Ubuntu have released security updates for their respective OS versions, addressing five flaws discovered in the openssh package. In this article, we will delve into the intricacies of these vulnerabilities, shedding light on their nature ...
10 months ago Securityboulevard.com
SSH "regreSSHion" Remote Code Execution Vulnerability in OpenSSH. - Qualys published a blog posts with details regarding a critical remote code execution vulnerability. The CVEs associated with this vulnerability are CVE-2006-5051 and CVE-2024-6387, The reason for the two CVE numbers and the use of the old 2006 CVE ...
4 months ago Isc.sans.edu
New Tool Set Found Used Against Organizations in the Middle East, Africa and the US - Unit 42 researchers observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S. We will discuss a set of tools used in the course of the attacks that reveal clues about the threat actors' activity. We ...
11 months ago Unit42.paloaltonetworks.com
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours - In late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol host, leading to data exfiltration and the deployment of Trigona ransomware. On Christmas Eve, within just three hours of gaining initial access, ...
9 months ago Thedfirreport.com
Beijing fosters foreign influencers to spread its propaganda The Register - China is offering foreign influencers access to its vast market in return for content that sings its praises and helps to spreads Beijing's desired narratives more widely around the world, according to think tank the Australian Strategic Policy ...
11 months ago Theregister.com
Enabling Threat-Informed Cybersecurity: Evolving CISA's Approach to Cyber Threat Information Sharing - One of CISA's most important and enduring roles is providing timely and actionable cybersecurity information to our partners across the country. Nearly a decade ago, CISA stood up our Automated Indicator Sharing, or AIS, program to widely exchange ...
11 months ago Cisa.gov
Threat actors misuse OAuth applications to automate financially driven attacks - Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious ...
11 months ago Microsoft.com
Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor's Activity - By analyzing tools, logs and artifacts left open to the internet, we were able to profile the threat actor and their victims. After analyzing the artifacts we can conclude with moderate confidence that the majority of the threat actor activity ...
11 months ago Thedfirreport.com
Windows Incident Response: Human Behavior In Digital Forensics, pt III - Digital forensics can provide us insight into a threat actor's sophistication and situational awareness, which can, in turn, help us understand their intent. Observing the threat actor's actions helps us understand not just their intent, but what ...
10 months ago Windowsir.blogspot.com
Lawmakers: Ban TikTok to Stop Election Misinformation! Same Lawmakers: Restrict How Government Addresses Election Misinformation! - In a case being heard Monday at the Supreme Court, 45 Washington lawmakers have argued that government communications with social media sites about possible election interference misinformation are illegal. Just this week the vast majority of those ...
8 months ago Eff.org

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)