Alert essentials:
A remote unauthenticated code execution vulnerability has been found in OpenSSH on glibc-based Linux systems. To date, exploitation has only been demonstrated in lab environments.

However, details of the flaw are public, so patch sooner rather than later.

Detailed threat description:
Under lab conditions, a critical vulnerability was found in OpenSSH.

Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. While not yet examined on 64-bit systems, it is believed these systems are also vulnerable.

The flaw is a race condition in the default installation of the OpenSSH server (sshd), and the exploit relies on the previously patched weaknesses CVE-2006-5051 and CVE-2008-4109. Therefore, if those patches have been applied, the device(s) will not be vulnerable.

Left unpatched, the flaw allows threat actors to execute code with the highest privileges, bypass security mechanisms, exfiltrate data, and maintain persistence.

Exploiting CVE-2024-6387 can result in a full system compromise, and Qualys has identified at least 14 million potentially vulnerable servers exposed to the Internet. To avoid compromise, upgrade OpenSSH instances to 9.8p1 immediately and limit SSH access.

This is a developing story, and the impact on some systems has yet to be determined. More information will be released as a public exploit becomes available or attacks on vulnerable systems are observed.

Impacts on healthcare organizations:
As with any potential loss of life-saving technology, patient care will be severely diminished if hackers exploit this flaw and the network is unavailable.

Review business continuity plans and be prepared to provide health care services with little to no technology access in the event of a breach or incident.

Affected products / versions:

  • OpenSSH versions earlier than 4.4p1
    • Unless patches for CVE-2006-5051 and CVE-2008-4109 have been applied
  • Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable
    • Due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure
  • The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function
  • OpenBSD systems are unaffected as they include a security mechanism that blocks the flaw
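As an added example (not part of this advisory and not Fortified's or Qualys' tooling), the following Python script maps an OpenSSH version string, as reported by `ssh -V` or in an SSH server banner, onto the version ranges listed above. Host names and banners are constructed sample data. One caveat a practitioner needs: distributions commonly backport the fix without changing the upstream version string, so a version-based result of "vulnerable" is a triage prompt to check the vendor's advisory or run an authenticated scanner plugin, not a confirmed finding.

```python
import re

# Vulnerable ranges taken from the advisory's "Affected products / versions" list.
# Version tuples are (major, minor, portable_patchlevel).
LEGACY_FIX = (4, 4, 1)        # < 4.4p1 vulnerable unless CVE-2006-5051/CVE-2008-4109 fixes applied
REGRESSION_START = (8, 5, 1)  # 8.5p1 reintroduced the flaw
FIXED_VERSION = (9, 8, 1)     # 9.8p1 fixes CVE-2024-6387

# Matches "OpenSSH_9.2p1" inside "ssh -V" output or an "SSH-2.0-..." server banner.
# The "pN" suffix is only present on the portable (Linux/glibc) builds.
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, patch), with patch None when there is no pN suffix,
    or None if the string is not an OpenSSH banner at all."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch is not None else None)


def assess_cve_2024_6387(banner):
    """Classify a banner against the advisory's ranges.

    Returns one of:
      'unknown'               - not an OpenSSH banner (e.g. a different SSH server)
      'vendor-check'          - no portable pN suffix: OpenBSD's own build is unaffected
                                per the advisory; other vendor builds need a vendor advisory
      'vulnerable-legacy'     - < 4.4p1 (vulnerable unless the 2006/2008 fixes were applied)
      'not-vulnerable'        - 4.4p1 <= version < 8.5p1
      'vulnerable-regression' - 8.5p1 <= version < 9.8p1
      'fixed'                 - >= 9.8p1
    """
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown"
    if v[2] is None:
        return "vendor-check"
    if v < LEGACY_FIX:
        return "vulnerable-legacy"
    if v < REGRESSION_START:
        return "not-vulnerable"
    if v < FIXED_VERSION:
        return "vulnerable-regression"
    return "fixed"


# Constructed sample inventory (hypothetical hosts and banners, not from the advisory).
# Note the Debian entry: the version alone says "vulnerable", but a distribution may
# ship a backported fix under the same upstream version, so verify with the vendor.
SAMPLE_INVENTORY = {
    "bastion-01": "SSH-2.0-OpenSSH_9.8p1",
    "infusion-gw-02": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",
    "lab-imaging-03": "OpenSSH_8.4p1, OpenSSL 1.1.1w  11 Sep 2023",
    "legacy-pacs-04": "OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
    "edge-fw-05": "SSH-2.0-OpenSSH_9.7",
    "iot-sensor-06": "SSH-2.0-dropbear_2022.83",
}


def triage_inventory(inventory):
    """Map each host name to its CVE-2024-6387 status."""
    return {host: assess_cve_2024_6387(banner) for host, banner in inventory.items()}


def hosts_needing_action(inventory):
    """Hosts to prioritise for patching or vendor follow-up, sorted by name."""
    action = {"vulnerable-legacy", "vulnerable-regression", "vendor-check"}
    return sorted(h for h, s in triage_inventory(inventory).items() if s in action)


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

Feed it the banners collected by an inventory or scanning tool; the three statuses in `hosts_needing_action` are the ones that justify a ticket, and `not-vulnerable` hosts still warrant the upgrade during the next maintenance window.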


CVEs

  • CVE-2024-6387

Tenable Plugins

  • 201194

Recommendations

Engineering recommendations:

  • Prioritize and apply available patches for OpenSSH
  • Implement network-based controls to restrict SSH access and enforce network segmentation to prevent unauthorized access and lateral movement
  • Divide networks to restrict unauthorized access and lateral movements within critical environments
  • Deploy systems to monitor and alert on unusual activities indicative of exploitation attempts
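The monitoring bullet above names no specific indicator. As an added example, not from this advisory and not Fortified's own detection content, here is a small Python detector run over constructed sshd syslog lines. It assumes (a working assumption taken from the public research on this flaw, not something this page states) that exploitation attempts against the race condition show up as a sustained stream of connections from one source that expire at sshd's LoginGraceTime, which sshd records as "Timeout before authentication for <ip> port <port>". Host name, PIDs, addresses and timestamps in the sample log are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the message sshd logs when LoginGraceTime expires without a completed
# authentication. Classic syslog timestamps carry no year, so one is supplied
# when parsing (assumption for this constructed data).
_TIMEOUT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Timeout before authentication for (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Jul  1 12:00:01 sshgw sshd[4101]: Timeout before authentication for 203.0.113.5 port 51234
Jul  1 12:00:20 sshgw sshd[4105]: Accepted publickey for svc-backup from 198.51.100.7 port 40210 ssh2: ED25519 SHA256:constructed
Jul  1 12:01:03 sshgw sshd[4110]: Timeout before authentication for 203.0.113.5 port 51240
Jul  1 12:02:05 sshgw sshd[4118]: Timeout before authentication for 203.0.113.5 port 51251
Jul  1 12:02:30 sshgw sshd[4120]: Timeout before authentication for 198.51.100.7 port 40222
Jul  1 12:03:07 sshgw sshd[4127]: Timeout before authentication for 203.0.113.5 port 51263
Jul  1 12:04:09 sshgw sshd[4133]: Timeout before authentication for 203.0.113.5 port 51270
Jul  1 12:05:11 sshgw sshd[4140]: Timeout before authentication for 203.0.113.5 port 51284
""".splitlines()


def parse_timeout_events(lines, year=2024):
    """Return a list of (timestamp, source_ip) for each grace-timeout line, oldest first.
    Lines that are not timeout messages (successful logins, other daemons) are skipped."""
    events = []
    for line in lines:
        m = _TIMEOUT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    events.sort()
    return events


def find_grace_timeout_bursts(lines, threshold=5, window_seconds=600):
    """Return {ip: peak_count} for source IPs that accumulate `threshold` or more
    grace timeouts inside any sliding window of `window_seconds`.

    A single timeout is routine (a dropped client, a port scanner); a sustained
    stream from one source is the pattern worth alerting on. Tune threshold and
    window to the site's LoginGraceTime and its normal background noise."""
    recent = defaultdict(deque)   # per-IP timestamps inside the current window
    alerts = {}
    for ts, ip in parse_timeout_events(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop events that fell out of the window
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts


if __name__ == "__main__":
    for ip, count in find_grace_timeout_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} grace timeouts within window")
```

In the sample, 203.0.113.5 produces six timeouts in five minutes and is flagged, while the single timeout from 198.51.100.7 (which also has a successful key login) stays below threshold. The same sliding-window logic ports directly to a SIEM correlation rule keyed on the source address.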

Leadership / program recommendations:

  • Check incident reports and compliance infractions to identify areas where technology investments could better align with organizational security goals
  • Improve security in your organization by developing an internal security awareness program

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
