This post is also available in: 日本語 (Japanese)

Executive Summary

On July 1, 2024, a critical signal handler race condition vulnerability was disclosed in OpenSSH servers (sshd) on glibc-based Linux systems. This vulnerability, called RegreSSHion and tracked as CVE-2024-6387, can result in unauthenticated remote code execution (RCE) with root privileges. This vulnerability has been rated High severity (CVSS 8.1).

This vulnerability impacts the following OpenSSH server versions:

  • Open SSH version between 8.5p1-9.8p1
  • Open SSH versions earlier than 4.4p1, if they’ve not backport-patched against CVE-2006-5051 or patched against CVE-2008-4109

The SSH features in PAN-OS are not affected by CVE-2024-6387.

Using Palo Alto Networks Xpanse data, we observed 23 million instances of OpenSSH servers including all versions. We saw over 7 million exposed instances of OpenSSH versions 8.5p1-9.7p1 globally as of July 1, 2024. Including older versions (4.3p1 and earlier), we see 7.3 million total. However, this is likely to be an overcount of vulnerable versions as there is no reliable way to account for backporting, in which instances are running patched versions but displaying impacted version numbers. These numbers also do not account for OS-level specifications or configurations that could be required for the vulnerability.

While there is PoC code for this vulnerability, there is no known activity in the wild as of July 2, 2024. Our testing of this code suggests it is not functional. We have been unable to successfully exploit the CVE-2024-6387 vulnerability with this PoC to achieve remote code execution.

Palo Alto Networks also recommends updating all OpenSSH instances to the latest version of OpenSSH, later than v9.8p1.

Palo Alto Networks customers receive protections from and mitigations for CVE-2024-6387 in the following ways:

The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.

Palo Alto Networks customers are better protected from vulnerabilities discussed in this article through Cortex XSOAR, XDR and XSIAM. Customers are also better protected through our Next-Generation Firewall with Cloud-Delivered Security Services, including Advanced WildFire. Customers can access external SSH exposure detection from Cortex Xpanse and XSIAM. Customers are also better protected by Prisma Cloud through tooling such as Prisma Cloud’s agent or agentless vulnerability scanning and Software Composition Analysis (SCA) tools, which assist in identifying vulnerable resources across the cloud development lifecycle.

Vulnerabilities Discussed CVE-2024-6387

Details of the Vulnerability

Researchers at Qualys discovered that the OpenSSH server process sshd is vulnerable to a signal handler race condition, enabling unauthenticated remote code execution with root privileges on glibc-based Linux systems in its default configuration. OpenSSH is an open-source suite of tools for remote sign-in and data transfer, using the Secure Shell (SSH) protocol.

This vulnerability can be exploited remotely on glibc-based Linux systems due to syslog() calling async-signal-unsafe functions like malloc() and free(), leading to unauthenticated remote code execution as root.

This occurs because sshd's privileged code is not sandboxed and runs with full privileges. OpenBSD is not vulnerable because its signal alarm (SIGALRM) handler uses syslog_r(), an async-signal-safe version of syslog().

Table 1 shows the vulnerable versions associated with CVE-2024-6387.

Version Vulnerability Determination
OpenSSH < 4.4p1 YES
If backport-patched against CVE-2006-5051 and CVE-2008-4109: NO
4.4p1 <= OpenSSH < 8.5p1 NO
8.5p1 <= OpenSSH < 9.8p1 YES

Table 1. Breakdown of vulnerable OpenSSH versions associated with CVE-2024-6387.

According to OpenSSH’s release notes on July 1, 2024, successful exploitation has been shown on 32-bit Linux/glibc systems with address space layout randomization (ASLR). This exploitation typically requires 6-8 hours of continuous connections under lab conditions up to the server's maximum capacity.

A public PoC for CVE 2024-6387 was committed to the repository of GitHub user zgzhang by user 7etsuo on July 1, 2024. We have been unable to successfully exploit the CVE-2024-6387 vulnerability with this PoC to achieve remote code execution in our testing environment.

Using Palo Alto Networks Xpanse data, we observed 23 million instances of OpenSSH servers including all versions. We saw over 7 million exposed instances of OpenSSH versions 8.5p1-9.7p1 globally as of July 1, 2024. Including older versions (4.3p1 and earlier), we see 7.3 million total. However, this is likely to be an overcount of vulnerable versions as there is no reliable way to account for backporting, in which instances are running patched versions but displaying impacted version numbers. These numbers also do not account for OS-level specifications or configurations that could be required for the vulnerability.

Table 2 shows the geographic distribution of our observations of vulnerable versions 8.5p1-9.7p1.

Country Unique IP Addresses
United States 2,173,896
Germany  905,859
China 435,490
Singapore  296,226
Russia 275,197
The Netherlands 261,212
France  248,153
United Kingdom 237,329
India 230,320
Japan  227,663
Korea  136,852
Canada 119,924
Finland 110,516
Hong Kong 103,685
Australia 100,780

Table 2. Top 15 Countries Exposed to CVE-2024-6387 as of July 1, 2024.

Current Scope of the Attack

While there is PoC code for this vulnerability, there is no known activity in the wild as of July 2, 2024. Our testing of this code suggests it is not functional in our testing environment. We have been unable to successfully exploit the CVE-2024-6387 vulnerability with this PoC to achieve remote code execution.

Interim Guidance

Palo Alto Networks recommends updating all OpenSSH instances to the latest version of OpenSSH, later than v9.8p1.

Prisma Cloud detects the presence of any cloud resource that is vulnerable to CVE-2024-6387 as shown in Figure 1, including VM, serverless, container resources and cloud image repositories.

Screenshot of a "CVE Viewer" in Prisma Cloud, displaying a search bar with the text "CVE-2024-6387" entered, and search results showing columns for CVE, Product, Date, Review, Severity, Affected Version, and Fix Date. The columns for Product, Date, Review, and Fix date are empty, while the Severity column lists "High."
Figure 1. Prisma Cloud vulnerability detection status.

Prisma Cloud customers can query their cloud environments for cloud resources that contain the CVE-2024-6387 vulnerability that are also internet accessible, as shown in Figure 2.

Screenshot of a digital interface for searching vulnerabilities with a focus on a specific CVE ID. Features include a search bar labeled "INVESTIGATE," buttons for "Background Jobs" and a query library, and a section to hide or display the search query. The main display shows a highlighted CVE ID, "CVE-2024-6387," in the process of being added for investigation focused on the term "Vulnerability.
Figure 2. Prisma Cloud investigation for CVE-2024-6387.

If instances of the RegreSSHion vulnerability are found within cloud resources, they should be updated to the latest version of OpenSSH and an investigation should be started to ensure no malicious connections were established with the vulnerable cloud resources.

Unit 42 Managed Threat Hunting Queries

The Unit 42 Managed Threat Hunting team continues to monitor any developments related to the exploitation of this CVE. Cortex XDR customers can use the XQL query below to identify hosts running an affected version of OpenSSH.

Conclusion

CVE-2024-6387 (aka RegreSSHion) is a signal handler race condition vulnerability in OpenSSH servers (sshd) on glibc-based Linux systems. This vulnerability is rated High severity (CVSS 8.1), and can result in unauthenticated remote code execution (RCE) with root privileges.

This vulnerability impacts all OpenSSH server versions between 8.5p1-9.8p1, as well as versions earlier than 4.4p1, if they’ve not backport-patched against CVE-2006-5051 or patched against CVE-2008-4109. The SSH features in PAN-OS are not affected by CVE-2024-6387.

While there is PoC code for this vulnerability, there is no known activity in the wild as of July 2, 2024. Our testing of this code suggests it is not functional in our testing environment. We have been unable to successfully exploit the CVE-2024-6387 vulnerability with this PoC to achieve remote code execution.

Palo Alto Networks Product Protections for CVE-2024-6387

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America Toll-Free: 866.486.4842 (866.4.UNIT42)
  • EMEA: +31.20.299.3130
  • APAC: +65.6983.8730
  • Japan: +81.50.1790.0200

Cortex XSOAR

Cortex XSOAR has released a response pack and playbook for CVE-2024-6387 to help automate and expedite the mitigation process. This playbook automates the following tasks: It begins by collecting, extracting, and enriching indicators. It then searches for vulnerable endpoints using Prisma Cloud and Cortex XDR XQL queries. If vulnerable endpoints are found, there is an option to send a notification email.

Finally, during the mitigation phase, the user is promptly notified with the official OpenSSH CVE-2024-6387 patch and Unit 42 mitigation recommendations.

CVE-2024-6387_-_OpenSSH_RegreSSHion_RCE
Figure 3. Flowchart from Cortex Playbook for CVE-2024-6387.

Cortex XDR and XSIAM

The Cortex XDR and XSIAM agent has multiple layers of defense protecting our customers from activities that might be performed by exploiting this vulnerability. These include the Exploit Prevention, Local AI analysis, Wildfire, Behavioral Threat Protection (BTP), and Reverse Shell Protection modules that stop malicious activity such as this at first sight.

Thanks to our multi-layer security approach, we have different capabilities in place to prevent those activities, such as Behavioral Threat Protection (BTP), Advanced WildFire (AWF), Local Analysis (LA) and Reverse Shell Protection.

Cortex Xpanse

Cortex Xpanse has the ability to identify exposed vulnerable OpenSSH devices on the public internet and escalate these findings to defenders. Customers can enable alerting on this risk by ensuring that the Insecure OpenSSHAttack Surface Rule is enabled. Identified findings can either be viewed in the Threat Response Center or in the incident view of Expander. These findings are also available for Cortex XSIAM customers who have purchased the ASM module. Cortex Xpanse and XSIAM also have the ability to automatically mitigate vulnerable exposed OpenSSH servers.

Prisma Cloud

Prisma Cloud has detection capabilities in place for CVE-2024-6387. Prevention capabilities also exist with Prisma Cloud Agent and Agentless vulnerability scanning. Additionally, Prisma Cloud Software Composition Analysis (SCA) can detect vulnerable cloud resources throughout the cloud development lifecycle, including within cloud image repositories.

Additional Resources

Updated July 3, 2024, at 7:04 a.m. PT to make a small update to the protections information for Cortex XDR and XSIAM. 

Updated July 2, 2024, at 4:20 p.m. PT to adjust for consistency and update protections information for Cortex XDR and XSIAM. 

Updated July 2, 2024, at 1:52 p.m. PT to add product protections information for Cortex XSOAR. 

Updated July 8, 2024, at 2:43 p.m. PT to add Figure 3. 

Updated July 10, 2024, at 3:11 p.m. PT to update the Cortex XSOAR information. 

Enlarged Image