Security Research

Responding to the CVE-2024-6387 (RegreSSHion) Vulnerability

Sarah Elkaim

Head of Product Marketing

June 1, 2024

Share

What is CVE-2024-6387?

Qualys research has discovered a critical Remote Code Execution (RCE) vulnerability, CVE-2024-6387, that has resurfaced in OpenSSH, affecting all public-facing Linux servers open on port 22. This regression, initially fixed in 2006, revolves around the use of functions that are unsafe in the context of signal handlers, and may potentially lead to RCE. 

How to Immediately Respond 

The discovery of CVE-2024-6387 underscores the importance of having proactive cloud security measures in place. Here are the steps to take to immediately ensure you are protected:

  1. Apply security patches to your OS if you have an OpenSSH version earlier than 4.4p1 or an OpenSSH version between 8.5p1 and 9.8p1 (and restrict the use of outdated SSH versions)
  2. Restrict SSH access to prevent unauthorized access and limit lateral movement 

What are the Risks Associated with CVE-2024-6387? 

SSH is used in abundance on virtually all public-facing Linux servers, making the severity of this vulnerability high. However, widespread exploitation of this vulnerability is unlikely  because attackers need very intimate knowledge of the target Linux distribution and glibc version to craft an effective exploit. This would probably require numerous failed-login attempts, which would be easy to detect. 

CVE-2024-6387 Statistics from Sweet Security

Prevent SSH Attacks Using Sweet’s Cloud Runtime Solution

Step 1: Understand Which Machines Have the Vulnerability  

To prevent SSH attacks effectively, visibility into the presence of SSH across various workloads is crucial, but it’s not enough to merely state which deployments have SSH installed on them, since this is usually the case. Understanding the runtime context is essential, as the risk only manifests if sshd is actually running on the host. 

Step 2: Pinpoint Which Images to Tackle First 

Sweet’s runtime-backed cloud application security platform provides full visibility into whether the SSH server is running and publicly exposed to traffic from the internet.

Step 3: Set Protection and Policies in Place 

  1. Implement policies that will prevent a process to run if the SSH version is below a certain threshold 
  2. Closely monitor for unusual SSH activities within your running containers that may be indicative of an attack

Step 4: Detect Exploitations Attempts 

If an attack is attempted, Sweet’s detection and response feature will identify the anomalous SSH process in real time and provide the full attack story and remediation recommendations to ensure a quick and timely response.  

About Sweet Security 

Sweet offers a unified cloud solution for protecting running applications in your cloud environment. By monitoring cloud and application runtime data, paired with advanced non-human identification and L7 capabilities, Sweet enables proactive threat detection and response, vulnerability management, and non-human identity management. Its comprehensive behavioral learning capabilities empower teams to cut through the noise and deliver actionable recommendations on critical, real-time risks.

Share the Sweetness