Skip to main content

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

DescriptionCVE.org

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

AnalysisAI

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to exploit a signal handler race condition by failing to authenticate within the LoginGraceTime window, potentially yielding root-level code execution on glibc-based Linux systems. The flaw - widely known as 'regreSSHion' - affects numerous distributions and vendor appliances including Ubuntu 23.10/24.04, AlmaLinux 9, SonicWall SMA firmware, Arista EOS, NetApp ONTAP, and others. Publicly available exploit code exists and EPSS scores it at 48.06% (98th percentile), reflecting very high exploitation likelihood, though it is not currently listed in CISA KEV.

Technical ContextAI

The vulnerability is a CWE-364 (Signal Handler Race Condition) in OpenSSH's sshd privileged process. When a client fails to authenticate within LoginGraceTime (default 120 seconds), sshd's SIGALRM handler invokes functions that are not async-signal-safe (such as syslog() and its downstream malloc/free paths). An attacker who repeatedly opens TCP connections to port 22 and stalls authentication can race the signal handler against heap state, leading to memory corruption that on glibc Linux has been demonstrated to yield code execution as root. The underlying technology is the OpenSSH portable server (sshd), a regression reintroduced after CVE-2006-5051 in OpenSSH 8.5p1 when a critical logging guard was removed; versions prior to 4.4p1 and from 8.5p1 through 9.7p1 are affected. Non-glibc systems (OpenBSD, and possibly *BSD variants listed in CPE such as FreeBSD/NetBSD) are not exploitable in the same way due to differing malloc internals.

RemediationAI

Apply the vendor-released patch: upgrade to OpenSSH 9.8p1 or later, which restructures signal handling to remove the race. Distribution-specific backported packages are available - apply updates from Canonical (Ubuntu USN), Red Hat (RHSA for RHEL/OpenShift), AlmaLinux, Debian, Amazon Linux, SUSE, and NetApp/SonicWall/Arista vendor advisories as soon as available; consult the Red Hat advisory at access.redhat.com and the Qualys disclosure at blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server for cross-references. If immediate patching is not feasible, the documented workaround is to set LoginGraceTime 0 in sshd_config and restart sshd, which closes the race window but exposes sshd to denial-of-service via connection exhaustion (all MaxStartups slots can be held open indefinitely by attackers). Additional compensating controls include restricting sshd network exposure with firewall ACLs to known management ranges only, deploying rate-limiting via fail2ban or iptables connection-rate rules on TCP/22, and prioritizing patching for any internet-facing glibc Linux systems over BSD-based hosts.

More in SSH

View all
CVE-2014-6271 CRITICAL POC
9.8 Sep 24

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which

CVE-2014-6278 HIGH POC
8.8 Sep 30

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2014-7169 CRITICAL POC
9.8 Sep 25

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of

CVE-2012-6066 CRITICAL POC
9.3 Dec 04

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons

CVE-2014-6277 CRITICAL POC
10.0 Sep 27

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2023-25136 MEDIUM POC
6.5 Feb 03

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se

CVE-2016-6210 MEDIUM POC
5.9 Feb 13

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static

CVE-2015-5600 HIGH POC
8.1 Aug 03

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin

CVE-2016-6515 HIGH POC
7.5 Aug 07

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a

CVE-2012-5975 CRITICAL POC
9.3 Dec 04

The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2016-0777 MEDIUM
6.5 Jan 14

The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote serv

Share

CVE-2024-6387 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy