regreSSHion (CVE-2024-6387) as one piece of a larger attack

Background: Qualys researchers announced that a side effect of OpenSSH's behaviour, which matters because Ubuntu installs OpenSSH by default and most other distributions ship it widely, allowed them to achieve remote code execution.


Core root cause: When a user attempts to log in to the operating system via SSH and does not complete authentication within LoginGraceTime, OpenSSH invokes its SIGALRM handler, which runs asynchronously. That handler then calls syslog(), a privileged call that runs with root privileges and can therefore perform any action as root.


How the researchers reached code execution: They manipulated the behaviour noted above and then chained it with other known Linux CVEs, such as CVE-2003-0693 (buffer management error) and CVE-2006-5051 (DoS/crash), together with C/C++ heap functions such as malloc() and free(). malloc() allocates a block of memory of a precise size, and calling free() twice on the same block (a double free) yields the ability to write to memory. Combining all of these conditions gave them remote code execution (RCE).


Ideal conditions for using this CVE: The target's LoginGraceTime should be set to 600 seconds and, if the target is in the cloud, there should be no network rate limit. Besides the vulnerable OpenSSH, the machine must also carry other CVEs that an attacker can chain together to bypass ASLR and similar mitigations.


Impacted OpenSSH versions: 8.5p1 through 9.7p1 (inclusive)


Ubuntu distros list:
- Trusty 14: not impacted
- Bionic 18: not impacted
- Focal 20: not impacted
- Jammy 22: upgrade to OpenSSH 1:8.9p1-3ubuntu0.10
- Mantic 23: upgrade to 1:9.3p1-1ubuntu3.6
- Noble 24: upgrade to 1:9.6p1-3ubuntu13.3


Mitigation steps for Ubuntu distros:
1. Check the release with "lsb_release -a".
2. Check the ssh or sshd version.
3. If you see a vulnerable version, update it.


Detection via syslog: Always check for fatal errors such as "Timeout before authentication". If this error occurs more than 1000 times within a given time range, it is a strong signal that some hosts are attempting to exploit your assets. Also reduce LoginGraceTime to 100 seconds.
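As an added example (not code from the original post), the POSIX shell functions below implement the version check from the mitigation steps and the syslog-counting heuristic from the detection note. The sample log lines are constructed, the vulnerable range and the 1000-hit threshold are the ones the post states, and the functions assume "ssh -V"-style version strings and a LoginGraceTime given in plain seconds.

```shell
#!/bin/sh
# Added example: regreSSHion triage helpers. Assumes version strings in the
# form printed by `ssh -V` and LoginGraceTime values in plain seconds.

# Is an upstream OpenSSH version string inside the post's stated vulnerable
# range 8.5p1 through 9.7p1 (inclusive)?
# Caveat: Ubuntu keeps the base version on patched packages (Jammy's fixed
# 1:8.9p1-3ubuntu0.10 still reports 8.9p1), so compare package versions there.
ssh_version_vulnerable() {
  ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 2          # not an OpenSSH version string
  set -- $ver                        # $1 = major, $2 = minor
  if [ "$1" -eq 8 ] && [ "$2" -ge 5 ]; then return 0; fi
  if [ "$1" -eq 9 ] && [ "$2" -le 7 ]; then return 0; fi
  return 1
}

# Constructed sample of sshd syslog lines (documentation IP addresses only).
SAMPLE_LOG='Jul  1 12:00:01 host sshd[1234]: fatal: Timeout before authentication for 203.0.113.5 port 51234
Jul  1 12:00:02 host sshd[1235]: Accepted publickey for alice from 192.0.2.10 port 5000 ssh2
Jul  1 12:00:03 host sshd[1236]: fatal: Timeout before authentication for 203.0.113.5 port 51235'

# Detection: count "Timeout before authentication" lines in log text on stdin.
count_auth_timeouts() {
  grep -c 'Timeout before authentication' || true   # grep exits 1 on zero hits
}

# The post's heuristic: more than $2 (default 1000) timeouts in the window is
# a strong signal that hosts are being probed.
timeouts_exceed_threshold() {
  [ "$1" -gt "${2:-1000}" ]
}

# Hardening check: effective LoginGraceTime from sshd_config text on stdin.
# OpenSSH's default is 120 seconds when the directive is absent; the post
# recommends lowering it to 100.
login_grace_time() {
  v=$(grep -i '^[[:space:]]*LoginGraceTime[[:space:]]' | tail -n 1 | awk '{print $2}')
  printf '%s\n' "${v:-120}"
}

# Stand-alone usage against the constructed sample; pass "run" to also check
# this host's ssh binary.
n=$(printf '%s\n' "$SAMPLE_LOG" | count_auth_timeouts)
echo "timeouts in sample: $n"
if [ "${1:-}" = "run" ]; then
  v=$(ssh -V 2>&1)
  ssh_version_vulnerable "$v" && echo "version in vulnerable range: $v"
fi
```

Run it as "sh triage.sh run" to include the live "ssh -V" check; feed real sshd log text to count_auth_timeouts and /etc/ssh/sshd_config to login_grace_time for an actual host.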


My own conclusion: I used to think that this CVE would be suitable for privilege escalation by a threat actor. However, in another scenario, I believe it could be used as a core component of a highly targeted campaign, where the attacker can leverage zero-day vulnerabilities and other similar unknown CVEs.

Happy hunting!