New critical SSH vulnerability released

In this blog, we cover the new SSH vulnerability CVE-2024-6387 (“regreSSHion”), its impact, and essential actions to secure your systems.

CVE-2024-6387 overview

On Monday, the 1st of July, you may have seen that a new SSH vulnerability was released, termed “regreSSHion,” and labelled as CVE-2024-6387. The re-introduction of a previously patched OpenSSH vulnerability allows for unauthenticated remote code execution. It affects OpenSSH versions from 8.5p1 up to but does not include 9.8p1 for public-facing servers. Immediate attention and action are required to secure your infrastructure. Detailed technical details about this vulnerability are available in the Qualys report here.

However, here are the top takeaways:

  • This affects Linux and macOS systems as OpenSSH is a standard program they use.
  • The primary threat is to public-facing servers running the above OSs.
  • No public POCs currently exist, but independent researchers report they have been able to reproduce the CVE.
  • Current estimates are that it takes 6-8 hours of constant requests to achieve exploitation.
  • Because of the large number of request tries required for exploitation, tools like Fail2Ban are expected to provide adequate protection until patches can be applied.

Cognisys’ SmartScan customers were contacted yesterday, informing them of the vulnerability and if their assets were affected.

If you would like more information on this new threat or any other cyber security concerns, we are happy to help.

Recommended actions

1. Immediate patching

  • Update OpenSSH to the latest version that addresses this vulnerability.
  • Follow the instructions provided by your Linux distribution for updating OpenSSH.

2. Temporary mitigations

Fail2Ban configuration:

  • Install and configure Fail2Ban to block IP addresses that show malicious signs, such as too many password failures.
  • Example configuration for /etc/fail2ban/jail.local:

Disable root login:

  • Modify /etc/ssh/sshd_config to disable root login.
  • Restart the SSH service: sudo systemctl restart sshd

3. Network restrictions

  • Restrict SSH access to trusted IP addresses using firewall rules.
  • Example using iptables:

4. Monitoring and logging:

  • Enable detailed logging for SSH and monitor for unusual activity.
  • Regularly review logs for unauthorised access attempts.

For more detailed information, please refer to the official Qualys blog post.

Cognisys CVE Checker Tool release

Members of Cognisys technical team have created a python script that can be used to detect external and internal facing assets that are running likely vulnerable versions of OpenSSH.

More details can be found here – https://github.com/CognisysGroup/CVE-2024-6387-Checker

To run the tool, simply execute the following:

The csv should look something like:

Thanks for reading and stay secure.

Subscribe to receive the latest cyber insights

RECENT UPDATES

Six weeks to success: Introw’s fast-tracked ISO 27001

CASE STUDY

Six weeks to success: Introw’s fast-tracked ISO 27001

Learn how Introw achieved ISO 27001 certification in just six weeks with Cognisys’ expert guidance and Vanta’s automated assessments, enhancing data security and boosting client trust.

The biggest cyber attacks and vulnerabilities from October 2024

NEWS

The biggest cyber attacks and vulnerabilities from October 2024

Insights and trends from recent cyber threats and vulnerabilities from October.

Cognisys expands its global reach to the USA

BLOG

Cognisys expands its global reach to the USA

Our launch marks an exciting milestone in our mission to Deliver Trust Worldwide as we bring our proven cyber security expertise to North America.