On July 1, 2024, a critical signal handler race condition vulnerability (CVE-2024-6387, dubbed regreSSHion) was disclosed in the OpenSSH server (sshd) on glibc-based Linux systems.
Using Palo Alto Networks Xpanse data, we observed 23 million internet-exposed OpenSSH server instances across all versions.
Of these, over 7 million exposed instances were running OpenSSH versions 8.5p1 through 9.7p1 globally as of July 1, 2024.
Including the older affected versions (earlier than 4.4p1), the total is 7.3 million.
This is likely an overcount of vulnerable hosts, because there is no reliable way to account for backporting: distributions ship patched builds that still advertise an affected upstream version number in the SSH banner.
Customers can access external SSH exposure detection through Cortex Xpanse and XSIAM. Prisma Cloud customers are further protected by agent-based and agentless vulnerability scanning and by Software Composition Analysis tooling, which identify vulnerable resources across the cloud development lifecycle.
OpenBSD is not vulnerable because its SIGALRM handler uses syslog_r(), an async-signal-safe variant of syslog(). The glibc syslog() used by portable OpenSSH on Linux is not async-signal-safe: it may allocate memory and take locks, which is what makes calling it from a signal handler a race.
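To make the async-signal-safety point concrete, here is an added example in C (not OpenSSH or Palo Alto Networks code) that contrasts a SIGALRM handler shaped like the vulnerable one, which calls syslog() from signal context, with a handler that only sets a volatile sig_atomic_t flag and leaves logging to the main loop, which is also the direction the OpenSSH 9.8 fix took by removing the unsafe calls from the handler. The function and variable names are invented for illustration. The example demonstrates the two handler shapes; it does not reproduce the race, which requires winning a timing window against the allocator.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* UNSAFE SHAPE (for contrast only; never installed below). Hypothetical
 * handler modelled on the vulnerable pattern: glibc's syslog() is not
 * async-signal-safe and may call malloc()/free() and take locks. If SIGALRM
 * interrupts the process while it is already inside the allocator, the
 * handler re-enters it on an inconsistent heap. */
void unsafe_grace_alarm_handler(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication");  /* heap use in signal context */
    _exit(1);
}

/* SAFE SHAPE: the handler only stores to a volatile sig_atomic_t, which
 * POSIX guarantees is safe in signal context. Logging and cleanup happen
 * later, in normal context. */
static volatile sig_atomic_t grace_expired = 0;

static void safe_grace_alarm_handler(int sig)
{
    (void)sig;
    grace_expired = 1;   /* async-signal-safe: no allocation, no locks */
}

/* Install the safe handler via sigaction(). Returns 0 on success. */
int install_safe_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_grace_alarm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;  /* no SA_RESTART: a blocking read() returns EINTR so the loop sees the flag */
    return sigaction(SIGALRM, &sa, NULL);
}

/* Stand-in for sshd's pre-authentication loop. raise(SIGALRM) plays the role
 * of the LoginGraceTime alarm expiring. Returns 1 if the flag was observed and
 * the normal-context logging path ran, 0 if not, -1 on setup failure. */
int run_grace_period_demo(void)
{
    grace_expired = 0;
    if (install_safe_handler() != 0)
        return -1;
    raise(SIGALRM);
    if (grace_expired) {
        /* Normal context: non-reentrant functions such as syslog() are fine here. */
        fprintf(stderr, "Timeout before authentication (logged from main loop)\n");
        return 1;
    }
    return 0;
}

int main(void)
{
    int fired = run_grace_period_demo();
    printf("grace timer fired: %d\n", fired);
    return fired == 1 ? 0 : 1;
}
```

The safe handler deliberately does nothing but the store; even write(2) of a preformatted buffer, although permitted by POSIX, is left to the caller so the handler has no failure modes to reason about.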
Table 1 shows the vulnerable versions associated with CVE-2024-6387.
Table 1. Breakdown of vulnerable OpenSSH versions associated with CVE-2024-6387.
Earlier than 4.4p1: vulnerable unless backport-patched against CVE-2006-5051 or patched against CVE-2008-4109.
4.4p1 up to and including 8.4p1: not affected.
8.5p1 through 9.7p1: vulnerable (the CVE-2006-5051 fix regressed in 8.5p1).
9.8p1 and later: fixed.
We have been unable to successfully exploit the CVE-2024-6387 vulnerability with the PoC to achieve remote code execution in our testing environment.
Palo Alto Networks recommends updating all OpenSSH instances to OpenSSH 9.8p1 or later, the release that contains the fix, or to a distribution package that backports it. Prisma Cloud detects the presence of any cloud resource vulnerable to CVE-2024-6387, as shown in Figure 1, including VM, serverless and container resources and cloud image repositories.
Prisma Cloud customers can query their cloud environments for cloud resources that contain the CVE-2024-6387 vulnerability and are also internet accessible, as shown in Figure 2.
If instances of the regreSSHion vulnerability are found in cloud resources, update them to a fixed version of OpenSSH and start an investigation to ensure no malicious connections were established with the vulnerable resources. Because exploitation requires many connections that each run out the LoginGraceTime timer without authenticating, bursts of "Timeout before authentication" entries from a single source in the sshd logs are a useful indicator to look for.
Query result columns shown: endpoint name, application name, raw version, product major version, product minor version, product revision.
CVE-2024-6387 is a signal handler race condition in the OpenSSH server (sshd) on glibc-based Linux systems. If a client does not authenticate within LoginGraceTime (120 seconds by default), sshd's SIGALRM handler runs asynchronously and calls functions such as syslog() that are not async-signal-safe; an attacker who times the connection so the alarm lands inside a heap operation can corrupt memory, and Qualys, who reported the issue, demonstrated unauthenticated remote code execution on 32-bit glibc Linux.
The vulnerability affects OpenSSH portable versions 8.5p1 through 9.7p1 (the fix shipped in 9.8p1), as well as versions earlier than 4.4p1 that have not been backport-patched against CVE-2006-5051 or patched against CVE-2008-4109. Versions from 4.4p1 up to but not including 8.5p1 are not affected.
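As an added example (not Palo Alto Networks or OpenSSH code), the following C program classifies SSH server banners against the version ranges above, covering both the exposure counts and the backport caveat discussed earlier, and flags the two cases where the banner alone is not conclusive: pre-4.4p1 builds, whose CVE-2006-5051/CVE-2008-4109 patch status is unknown, and distribution builds with a vendor suffix, which may carry a backported fix despite the upstream version number. A banner without the portable "pN" marker is treated as OpenBSD's native OpenSSH, which uses syslog_r() and is not affected. The banners in main() are constructed samples, and the enum and function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

enum verdict {
    V_NOT_OPENSSH = 0,  /* not an OpenSSH banner */
    V_FIXED,            /* portable OpenSSH 9.8p1 or later */
    V_NOT_AFFECTED,     /* 4.4p1 <= version < 8.5p1, or OpenBSD native build (no "pN") */
    V_VULN_BY_VERSION,  /* 8.5p1 <= version < 9.8p1: vulnerable unless a backported fix applies */
    V_LEGACY_CHECK      /* < 4.4p1: vulnerable unless patched for CVE-2006-5051 / CVE-2008-4109 */
};

/* Parse "OpenSSH_<major>.<minor>[p<n>][ <vendor suffix>]" out of a banner such as
 * "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13". Returns 1 on success. *portable is set
 * when the "pN" portable-release marker is present (OpenBSD's own builds omit it);
 * *vendor_suffix is set when a distribution string follows the version, a hint that
 * the package may carry a backported fix despite the upstream version number. */
int parse_openssh_banner(const char *banner, int *major, int *minor,
                         int *portable, int *vendor_suffix)
{
    const char *p = strstr(banner, "OpenSSH_");
    int consumed = 0;
    if (p == NULL)
        return 0;
    p += strlen("OpenSSH_");
    if (sscanf(p, "%d.%d%n", major, minor, &consumed) != 2)
        return 0;
    *portable = (p[consumed] == 'p');
    *vendor_suffix = (strchr(p, ' ') != NULL);
    return 1;
}

/* True when ma.mi sorts before tma.tmi. */
static int before(int ma, int mi, int tma, int tmi)
{
    return ma < tma || (ma == tma && mi < tmi);
}

/* Map a banner to the CVE-2024-6387 ranges. *needs_manual_check (may be NULL)
 * is set when the banner alone cannot settle the question. */
enum verdict classify_banner(const char *banner, int *needs_manual_check)
{
    int ma, mi, portable, suffix, scratch;
    if (needs_manual_check == NULL)
        needs_manual_check = &scratch;
    *needs_manual_check = 0;
    if (!parse_openssh_banner(banner, &ma, &mi, &portable, &suffix))
        return V_NOT_OPENSSH;
    if (!portable)                 /* OpenBSD native sshd: syslog_r() in the handler */
        return V_NOT_AFFECTED;
    if (before(ma, mi, 4, 4)) {
        *needs_manual_check = 1;   /* depends on CVE-2006-5051 / CVE-2008-4109 patch status */
        return V_LEGACY_CHECK;
    }
    if (before(ma, mi, 8, 5))
        return V_NOT_AFFECTED;
    if (before(ma, mi, 9, 8)) {
        *needs_manual_check = suffix;  /* distro build: confirm via the package changelog */
        return V_VULN_BY_VERSION;
    }
    return V_FIXED;
}

/* Convenience wrapper returning only the manual-check flag. */
int banner_needs_manual_check(const char *banner)
{
    int manual;
    classify_banner(banner, &manual);
    return manual;
}

int main(void)
{
    /* Constructed sample banners for illustration, not observed scan data. */
    const char *samples[] = {
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
        "SSH-2.0-OpenSSH_9.7p1",
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
        "SSH-2.0-OpenSSH_4.3p2",
        "SSH-2.0-OpenSSH_9.7",
        "SSH-2.0-dropbear_2022.83",
    };
    static const char *names[] = { "not-openssh", "fixed", "not-affected",
                                   "vulnerable-by-version", "legacy-check" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int manual;
        enum verdict v = classify_banner(samples[i], &manual);
        printf("%-42s %-22s manual_check=%d\n", samples[i], names[v], manual);
    }
    return 0;
}
```

A "vulnerable-by-version" verdict with manual_check set is exactly the overcount case: the host must be confirmed through the distribution's package changelog or by testing, not by the banner.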
Prisma Cloud has detection capabilities in place for CVE-2024-6387.
Prevention capabilities also exist through Prisma Cloud agent-based and agentless vulnerability scanning.
Prisma Cloud Software Composition Analysis can detect vulnerable cloud resources throughout the cloud development lifecycle, including within cloud image repositories.
This Cyber News was published on unit42.paloaltonetworks.com. Publication date: Tue, 02 Jul 2024 18:43:05 +0000