OpenSSH CVE-2024-6387
Severity: HIGH (CVSS 3.1 base score 8.1)
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
Analysis (AI)
CVE-2024-6387, publicly known as 'regreSSHion' and disclosed by Qualys on 1 July 2024, is a signal handler race condition in OpenSSH's sshd (a regression of CVE-2006-5051). An unauthenticated remote attacker triggers it by opening a connection and failing to authenticate within the LoginGraceTime window; on glibc-based Linux the resulting memory corruption can be turned into code execution as root. Qualys demonstrated this against 32-bit glibc Linux after roughly 10,000 attempts spread over several hours, and expects 64-bit targets to be exploitable in principle but did not demonstrate it. The flaw affects numerous distributions and vendor appliances including Ubuntu 23.10/24.04, AlmaLinux 9, SonicWall SMA firmware, Arista EOS, NetApp ONTAP, and others. Publicly available exploit code exists and EPSS scores it at 48.06% (98th percentile), reflecting a very high exploitation likelihood, though it is not currently listed in CISA KEV.
Technical Context (AI)
The vulnerability is a CWE-364 (Signal Handler Race Condition) in sshd's privileged per-connection process. When a client fails to authenticate within LoginGraceTime (default 120 seconds), the SIGALRM handler calls sigdie(), which logs through syslog(); syslog() and the malloc()/free() calls underneath it are not async-signal-safe. An attacker who repeatedly connects to the sshd port (22 by default) and stalls authentication so that the alarm fires while the main code path is itself in the middle of a heap operation can corrupt heap state; on glibc Linux this has been demonstrated to yield code execution as root. The bug was reintroduced in OpenSSH 8.5p1, when a rework of the logging code dropped the `#ifdef DO_LOG_SAFE_IN_SIGHAND` guard that had made sigdie() safe to call from the handler since the CVE-2006-5051 fix in 4.4p1; affected versions are therefore those before 4.4p1 and 8.5p1 through 9.7p1. OpenBSD is not vulnerable because its sshd logs from the handler via syslog_r(), which is async-signal-safe. Other non-glibc systems (such as the FreeBSD and NetBSD entries in the CPE list) have not been shown to be exploitable, but that reflects the state of public research against their libc rather than a proof of safety.
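The attack pattern above leaves a direct trace: every connection that runs the grace timer out is logged by sshd as "Timeout before authentication for <ip> port <port>", and a working attempt needs thousands of such connections from the same source. The following detection logic is an added example written for this page, not code from OpenSSH, Qualys or the advisory; the auth.log-style lines are constructed and the threshold is an illustrative choice.

```shell
#!/bin/sh
# Added example (not from the advisory or from OpenSSH): flag source addresses
# that repeatedly run the LoginGraceTime clock out. sshd logs each expiry as
# "Timeout before authentication for <ip> port <port>"; the lines below are a
# constructed sample in /var/log/auth.log format, not real traffic.
SAMPLE_AUTH_LOG='Jul  2 03:14:07 bastion sshd[4021]: Timeout before authentication for 198.51.100.23 port 40122
Jul  2 03:14:08 bastion sshd[4025]: Accepted publickey for ops from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:constructed
Jul  2 03:14:09 bastion sshd[4033]: Timeout before authentication for 198.51.100.23 port 40130
Jul  2 03:14:11 bastion sshd[4041]: Timeout before authentication for 198.51.100.23 port 40142
Jul  2 03:14:12 bastion sshd[4044]: Timeout before authentication for 203.0.113.77 port 60001
Jul  2 03:14:13 bastion sshd[4049]: Timeout before authentication for 198.51.100.23 port 40150'

# timeout_counts: read log lines on stdin, print "<count> <ip>" per source
# address, highest first. Only the grace-timeout message is counted; accepted
# logins and failed passwords never reach the SIGALRM path, so they are ignored.
timeout_counts() {
    awk '$5 ~ /^sshd/ && index($0, "Timeout before authentication for ") {
            # the field after "for" is the source address
            for (i = 1; i <= NF; i++) if ($i == "for") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# flag_timeout_sources THRESHOLD: print only the addresses with at least
# THRESHOLD grace timeouts in the supplied log slice, one per line.
flag_timeout_sources() {
    timeout_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# Usage: pipe a time-bounded slice of the log in. A single exploitation attempt
# needs thousands of timed-out connections, so even a low threshold over a few
# minutes is a strong signal; here the constructed sample is used.
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_timeout_sources 3
```

Run it over a window of auth.log or `journalctl -u ssh` output (for example `journalctl -u ssh --since -10min | flag_timeout_sources 20`). Two caveats: on hosts where the workaround LoginGraceTime 0 is in place the timer never fires and this message never appears, so the check only covers hosts still running with a grace timer; and the same message at low volume is normal noise from scanners and broken clients, which is why the count per source, not the presence of the line, is what matters.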
Remediation (AI)
Apply the vendor-released fix: upgrade to OpenSSH 9.8p1 or later, where the signal handler no longer performs any logging and the race is gone. Distribution-specific backported packages keep the old upstream version string while carrying the fix, so judge patch status by package version and vendor advisory rather than by the SSH banner. Apply updates from Canonical (Ubuntu USN), Red Hat (RHSA for RHEL 9 and OpenShift; RHEL 8 ships 8.0p1 and is outside the affected range), AlmaLinux, Debian, Amazon Linux, SUSE, and the NetApp, SonicWall and Arista advisories as they become available; consult the Red Hat advisory at access.redhat.com and the Qualys disclosure at blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server for cross-references. If immediate patching is not feasible, the documented workaround is to set LoginGraceTime 0 in sshd_config and restart sshd. This closes the race window but exposes sshd to denial of service by connection exhaustion, since attackers can hold every MaxStartups slot open indefinitely; PerSourceMaxStartups (available since 8.5, so on every affected release) bounds that per source address, but not against a distributed attacker. Additional compensating controls include restricting sshd exposure with firewall ACLs to known management ranges only, rate-limiting new connections to TCP/22 with fail2ban or netfilter connection-rate rules, and prioritizing patching of internet-facing glibc Linux systems over BSD-based hosts.
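The version ranges from the Technical Context and the interim workaround above, put into a triage script: this is an added example written for this page, not OpenSSH's own tooling or any vendor's. The sshd_config.d drop-in path (and the assumption that sshd_config includes it ahead of its own settings), the use of nc(1) for banner grabs, the PerSourceMaxStartups value and the netfilter rules are illustrative assumptions about the target host.

```shell
#!/bin/sh
# Added example for this advisory (not OpenSSH's or a vendor's tooling): classify
# an sshd banner against the affected ranges and emit the interim mitigation.
# Assumed, not from the advisory: sshd_config has "Include /etc/ssh/sshd_config.d/*.conf"
# before its own directives, nc(1) is installed, and netfilter is the host firewall.

# classify_openssh "OpenSSH_X.Y..." -> not-affected | affected-upstream |
#                                      fixed-upstream | unknown
# Affected upstream: before 4.4p1, and 8.5p1 through 9.7p1 inclusive.
# Caveat: distributions backport the fix without changing the version string, so
# "affected-upstream" for "OpenSSH_9.6p1 Ubuntu-3ubuntu13.3" means "verify the
# package against the vendor advisory", not "exploitable".
classify_openssh() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || { echo unknown; return 0; }
    set -- $v                     # $1 = major, $2 = minor
    n=$(( $1 * 100 + $2 ))
    if   [ "$n" -lt 404 ]; then echo affected-upstream
    elif [ "$n" -lt 805 ]; then echo not-affected
    elif [ "$n" -le 907 ]; then echo affected-upstream
    else                        echo fixed-upstream
    fi
}

# remote_banner HOST [PORT]: sshd sends its version string before any
# authentication, so one TCP connect is enough to triage a fleet.
remote_banner() {
    printf '' | nc -w 3 "$1" "${2:-22}" 2>/dev/null | head -n 1 | tr -d '\r'
}

# write_grace_mitigation DIR: the documented workaround as a drop-in fragment.
# LoginGraceTime 0 removes the SIGALRM path, at the cost that unauthenticated
# connections can hold MaxStartups slots forever. PerSourceMaxStartups exists
# since 8.5, i.e. on every affected release, and caps that per source address;
# it does nothing against a distributed attacker, so keep the firewall ACLs and
# treat the patch as the real fix.
write_grace_mitigation() {
    f="$1/00-cve-2024-6387.conf"
    cat > "$f" <<'EOF'
# Interim mitigation for CVE-2024-6387; remove after upgrading to >= 9.8p1 or
# to a vendor-patched package.
# Weak default, shown for contrast:   LoginGraceTime 120
LoginGraceTime 0
# Limit how many unauthenticated connections one source address may hold open.
PerSourceMaxStartups 5
EOF
    # Validate the merged configuration when sshd is installed (skipped elsewhere).
    if command -v sshd >/dev/null 2>&1 && [ -r /etc/ssh/sshd_config ]; then
        sshd -t || return 1
    fi
    printf '%s\n' "$f"
}

# ssh_ratelimit_rules: print netfilter rules that drop a source after 10 new
# connections to TCP/22 within 60 s. Review them, then run as root.
ssh_ratelimit_rules() {
    cat <<'EOF'
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name SSH -j DROP
EOF
}

# Usage with a constructed banner; on a live host use "$(remote_banner bastion)".
case $(classify_openssh "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3") in
    affected-upstream) echo "in affected range: confirm backport status, else mitigate" ;;
    *)                 echo "outside affected range" ;;
esac
```

After `write_grace_mitigation /etc/ssh/sshd_config.d` restart sshd and confirm the effective value with `sshd -T | grep -i logingracetime`; the "00-" prefix matters because for most sshd_config keywords the first occurrence wins, so the fragment has to be read before any LoginGraceTime already set in the main file. Remove the fragment once the patched package is in place, since a zero grace time is a standing DoS exposure.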