OpenSSH
CVE-2024-6387
HIGH
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
DescriptionCVE.org
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
AnalysisAI
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to exploit a signal handler race condition by failing to authenticate within the LoginGraceTime window, potentially yielding root-level code execution on glibc-based Linux systems. The flaw - widely known as 'regreSSHion' - affects numerous distributions and vendor appliances including Ubuntu 23.10/24.04, AlmaLinux 9, SonicWall SMA firmware, Arista EOS, NetApp ONTAP, and others. Publicly available exploit code exists and EPSS scores it at 48.06% (98th percentile), reflecting very high exploitation likelihood, though it is not currently listed in CISA KEV.
Technical ContextAI
The vulnerability is a CWE-364 (Signal Handler Race Condition) in OpenSSH's sshd privileged process. When a client fails to authenticate within LoginGraceTime (default 120 seconds), sshd's SIGALRM handler invokes functions that are not async-signal-safe (such as syslog() and its downstream malloc/free paths). An attacker who repeatedly opens TCP connections to port 22 and stalls authentication can race the signal handler against heap state, leading to memory corruption that on glibc Linux has been demonstrated to yield code execution as root. The underlying technology is the OpenSSH portable server (sshd), a regression reintroduced after CVE-2006-5051 in OpenSSH 8.5p1 when a critical logging guard was removed; versions prior to 4.4p1 and from 8.5p1 through 9.7p1 are affected. Non-glibc systems (OpenBSD, and possibly *BSD variants listed in CPE such as FreeBSD/NetBSD) are not exploitable in the same way due to differing malloc internals.
RemediationAI
Apply the vendor-released patch: upgrade to OpenSSH 9.8p1 or later, which restructures signal handling to remove the race. Distribution-specific backported packages are available - apply updates from Canonical (Ubuntu USN), Red Hat (RHSA for RHEL/OpenShift), AlmaLinux, Debian, Amazon Linux, SUSE, and NetApp/SonicWall/Arista vendor advisories as soon as available; consult the Red Hat advisory at access.redhat.com and the Qualys disclosure at blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server for cross-references. If immediate patching is not feasible, the documented workaround is to set LoginGraceTime 0 in sshd_config and restart sshd, which closes the race window but exposes sshd to denial-of-service via connection exhaustion (all MaxStartups slots can be held open indefinitely by attackers). Additional compensating controls include restricting sshd network exposure with firewall ACLs to known management ranges only, deploying rate-limiting via fail2ban or iptables connection-rate rules on TCP/22, and prioritizing patching for any internet-facing glibc Linux systems over BSD-based hosts.
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a
The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote serv
Same weakness CWE-364 – Signal Handler Race Condition
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today