July 4, 2024 HawkEye

regreSSHion: RCE Vulnerability in OpenSSH Server (CVE-2024-6387)

The Qualys research team has discovered a high-severity remote code execution (RCE) vulnerability in OpenSSH’s server (CVE-2024-6387).


The Secure Shell (SSH) protocol, which is essential for secure communication over unprotected networks, is the foundation of the OpenSSH (Open Secure Shell) suite of secure networking tools. It is a vital tool for secure data connection and remote server control since it offers strong encryption to guarantee privacy and safe file transfers. OpenSSH is widely recognized for its robust security and authentication functionalities. It is compatible with numerous encryption algorithms and comes standard on several Unix-like operating systems, such as Linux and macOS.

The Qualys research team has discovered a high-severity remote code execution (RCE) vulnerability in OpenSSH’s server (CVE-2024-6387). This vulnerability is particularly concerning because it regenerates an issue that was resolved in 2006, demonstrating that even one of the most widely used security programs still contains undiscovered vulnerabilities. Despite being a major vulnerability, CVE-2024-6387 is difficult to exploit in real-world scenarios, and no one has been able to utilize it to target remote devices as of yet. Nonetheless, you must recognize the risk and take precautions to protect your systems.

This has a significant effect on cloud systems since SSH is frequently used to access Kubernetes nodes and is occasionally utilized within Kubernetes workloads.



OpenSSH server (sshd) was found to have a signal handler race situation vulnerability that affected its default configuration. The SIGALRM (signal alarm) handler is invoked asynchronously if an SSH client fails to authenticate within the LoginGraceTime period (by default, 120 seconds). However, some of the functions it calls, such as syslog(), are not async-signal-safe. In Linux distributions based on glibc, the async-signal-unsafe operations malloc() and free() are called by syslog() in specific circumstances. Heap corruption can occur if a call to one of these is stopped by code that also uses a heap-related function. This can be exploited by setting up the heap in a way that permits arbitrary code execution, executing with root privileges on sshd. 

After analyzing the underlying reason, the researchers who found this vulnerability concluded that it was a regression of an earlier vulnerability (CVE-2006-5051), which means that other code changes unintentionally brought back the original vulnerability.



If this vulnerability is taken advantage of, it might result in a full system compromise, where an attacker can run any code with the highest level of privileges, take control of the entire system, manipulate data, install malware, and set up backdoors for long-term access. It might make it easier for attackers to spread throughout the network, using a compromised system as an entry point to access and take advantage of additional vulnerabilities in the organization’s infrastructure.

Furthermore, by bypassing vital security measures like firewalls, intrusion detection systems, and logging mechanisms, attackers would be able to conceal their activity further if they were to obtain root access. Significant data breaches and leaks could also come from this, granting attackers access to all data kept on the system, including private or sensitive material that might be taken or made public.

Because this vulnerability relies on a remote race condition, it is difficult to exploit and requires several tries to be successful. Address Space Layout Randomization (ASLR) may need to be overcome because of the potential for memory corruption. Developments in deep learning could boost the rate of exploitation considerably, giving attackers a big advantage when it comes to taking advantage of these vulnerabilities.


Impacted versions:

The following versions of OpenSSH are impacted by this vulnerability:  

  • OpenSSH versions earlier than 4.4p1 
  • OpenSSH versions between 8.5p1 and 9.8p1 (excluding) 

The vulnerability is exploitable on glibc-based Linux distributions (e.g., Debian-based). 


Active exploitation:

No real-world exploitation of this issue has been found as of July 1st, 2024. The exploitability of the vulnerability has only been demonstrated in lab settings on 32-bit Linux/glibc systems (with ASLR). Although it hasn’t been shown, exploiting 64-bit computers is thought to be feasible. 

A basic proof of concept was made available on GitHub. We were unable to confirm the success of this code because of the lengthy time requirements of the exploitation; however, analysis shows that this is a valid exploitation of the vulnerability, as reported by the researchers who found it.



A targeted and multi-layered security approach is required to address the regreSSHion vulnerability in OpenSSH, which allows remote code execution on Linux computers. Here are some quick actions and smart suggestions for organizations to protect themselves from this severe threat:


  • Patch Management: Apply OpenSSH patches as soon as they are available, and give continuing updating procedures top priority. 
  • Enhanced access control: Restrict SSH access using network-based safeguards to reduce the likelihood of an attack. 
  • Network segmentation and intrusion detection: Divide networks to prevent unauthorized users from entering or leaving sensitive areas, and deploy tools to monitor odd activity that could be a sign of an effort at exploitation. 

Set LoginGraceTime to 0 in the configuration file if updating or recompiling sshd is not possible. This eliminates the possibility of remote code execution but exposes sshd to a denial of service attack by using up all MaxStartups connections.

When upgrading or recompiling sshd isn’t an option, experts suggest configuring the configuration file with ‘LoginGraceTime’ set to 0. Although the RCE risk is reduced by this workaround, they point out that it exposes SSHd to a DoS by using up all of the MaxStartups connections.



  • https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server 
  • https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt 
  • https://github.com/acrono/cve-2024-6387-poc
, ,


We welcome you to contact us for more information
about HAWKEYE - SOC As A Service.