What is CVE-2024-6387?
Qualys researchers have discovered a critical Remote Code Execution (RCE) vulnerability, CVE-2024-6387, that has resurfaced in OpenSSH, affecting all public-facing Linux servers open on port 22. The bug is a regression of an issue first fixed in 2006: it stems from calling functions that are not safe inside a signal handler, and it may lead to RCE.
How to Immediately Respond
The discovery of CVE-2024-6387 underscores the importance of having proactive cloud security measures in place. Here are the steps to take to immediately ensure you are protected:
- Apply security patches to your OS if you have an OpenSSH version earlier than 4.4p1 or an OpenSSH version between 8.5p1 and 9.8p1 (and restrict the use of outdated SSH versions)
- Restrict SSH access to prevent unauthorized access and limit lateral movement
What are the Risks Associated with CVE-2024-6387?
SSH runs on virtually all public-facing Linux servers, which makes the severity of this vulnerability high. However, widespread exploitation is unlikely, because an attacker needs detailed knowledge of the target's Linux distribution and glibc version to craft a working exploit. This would probably require numerous failed-login attempts, which would be easy to detect.
CVE-2024-6387 Statistics from Sweet Security
Prevent SSH Attacks Using Sweet’s Cloud Runtime Solution
Step 1: Understand Which Machines Have the Vulnerability
To prevent SSH attacks effectively, visibility into the presence of SSH across your workloads is crucial, but it is not enough merely to list which deployments have SSH installed, since that is almost always the case. The runtime context matters: the risk only materialises if sshd is actually running on the host.
Step 2: Pinpoint Which Images to Tackle First
Sweet’s runtime-backed cloud application security platform provides full visibility into whether the SSH server is running and publicly exposed to traffic from the internet.
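As an added example (not Sweet's tooling), the POSIX shell script below applies the version ranges listed under "How to Immediately Respond" to the local OpenSSH banner and reports the runtime context from Steps 1 and 2: whether sshd is running and on which addresses it listens. It treats 9.8p1 as the fixed release and assumes `ss` and `pgrep` are available; the version test is only a first pass, because distributions backport fixes without changing the version number, so confirm a "vulnerable" result against your vendor's advisory.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2024-6387 by version range and runtime state.

# Convert "9.8p1" to a sortable integer: major*1000000 + minor*1000 + patch.
ssh_version_key() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%p*}; patch=${rest#*p}
    [ "$patch" = "$rest" ] && patch=0      # no "pN" suffix present
    echo $((major * 1000000 + minor * 1000 + patch))
}

# Return 0 if the version falls in an affected range, 1 otherwise.
# Affected (per the advisory summary above): < 4.4p1, or >= 8.5p1 and < 9.8p1.
is_affected_version() {
    v=$(ssh_version_key "$1")
    if [ "$v" -lt "$(ssh_version_key 4.4p1)" ]; then return 0; fi
    if [ "$v" -ge "$(ssh_version_key 8.5p1)" ] && [ "$v" -lt "$(ssh_version_key 9.8p1)" ]; then
        return 0
    fi
    return 1
}

# Pull "X.YpZ" out of a banner such as "OpenSSH_9.6p1 Ubuntu-3ubuntu13.4, OpenSSL ...".
parse_openssh_version() {
    echo "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*p*[0-9]*\).*/\1/p'
}

# Runtime context: is sshd running, and where is port 22 bound?
# A 0.0.0.0 or [::] local address means the daemon listens on every interface.
sshd_runtime_report() {
    if pgrep -x sshd >/dev/null 2>&1; then
        echo "sshd: running"
        ss -ltn 2>/dev/null | awk '$4 ~ /:22$/ { print "listening on " $4 }'
    else
        echo "sshd: not running (vulnerable code is not reachable on this host)"
    fi
}

main() {
    ver=$(parse_openssh_version "$(ssh -V 2>&1)")   # ssh -V prints its banner on stderr
    [ -n "$ver" ] || { echo "OpenSSH not found"; return 2; }
    if is_affected_version "$ver"; then
        echo "OpenSSH $ver: in an affected range, check vendor advisory for backported fixes"
    else
        echo "OpenSSH $ver: outside the affected ranges"
    fi
    sshd_runtime_report
}

# Run the checks only when invoked as: sh check_sshd.sh --check
[ "${1:-}" = "--check" ] && main
</test>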
Step 3: Set Protection and Policies in Place
- Implement policies that prevent a process from running if its SSH version is below a certain threshold
- Closely monitor for unusual SSH activities within your running containers that may be indicative of an attack
Step 4: Detect Exploitation Attempts
If an attack is attempted, Sweet’s detection and response feature will identify the anomalous SSH process in real time and provide the full attack story and remediation recommendations to ensure a quick and timely response.
About Sweet Security
Sweet offers a unified cloud solution for protecting running applications in your cloud environment. By monitoring cloud and application runtime data, paired with advanced non-human identification and L7 capabilities, Sweet enables proactive threat detection and response, vulnerability management, and non-human identity management. Its comprehensive behavioral learning capabilities empower teams to cut through the noise and deliver actionable recommendations on critical, real-time risks.