OpenSSH Scanner for CVE-2024-6387 (RegreSSHion)


If you’d like to detect other vulnerabilities, this free tool is part of the premium version of our Network Vulnerability Scanner, whose Deep Scan option identifies over 11.000 CVEs. For full access to it and 20+ other tools, check out our pricing plans.

This free OpenSSH vulnerability scanner checks if CVE-2024-6387 - aka the regreSSHion vulnerability - affects your target.

Unauthenticated attackers can exploit this high-risk security issue to gain Remote Code Execution and fully compromise the server to steal confidential information, install ransomware, or pivot to the internal network.

What is CVE-2024-6387, the regreSSHion vulnerability?

CVE-2024-6387 enables remote, unauthenticated attackers to execute code with unsandboxed root privileges on glibc-based Linux systems. It is named a regression because it reintroduces CVE-2006-5051, a "Signal handler race condition in OpenSSH before version 4.4 that allowed remote attackers to cause a denial of service (crash) and potentially execute arbitrary code."

This regression was introduced in October 2020 (OpenSSH 8.5p1) by commit 752250c ("revised log infrastructure for OpenSSH"), which accidentally removed an #ifdef DO_LOG_SAFE_IN_SIGHAND from the sigdie() function. This function is directly called by SSHD's SIGALRM handler.

As a result, if a client fails to authenticate within the LoginGraceTime period (120 seconds by default, 600 seconds in older OpenSSH versions), SSHD's SIGALRM handler is called asynchronously. However, this signal handler invokes various functions that are not async-signal-safe, such as syslog(). This race condition affects SSHD in its default configuration.

How we detect CVE-2024-6387, the OpenSSH vulnerability

Our Network Vulnerability Scanner uses version-based detection: it grabs the banner from the OpenSSH service and parses the version string the server announces.

If the version is between 8.5p1 and 9.7p1, we consider the target as potentially vulnerable.
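The same banner-based check, as an added example written for this page (it is not the scanner's own code): it parses the SSH identification string and flags the 8.5p1 to 9.7p1 window described above, plus the pre-4.4p1 window from the FAQ. The sample banners are constructed; only grab_banner() touches the network.

```python
import re
import socket

# SSH identification string (RFC 4253 section 4.2), e.g.
# "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13". The "pN" portable suffix is optional.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<portable>\d+))?"
)

def parse_openssh_version(banner):
    """Return (major, minor, portable) from a banner, or None if it is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    portable = int(m.group("portable")) if m.group("portable") else 0
    return (int(m.group("major")), int(m.group("minor")), portable)

def is_potentially_vulnerable(banner):
    """True if the announced version falls in a regreSSHion window, False if not,
    None when the banner is not OpenSSH (the check cannot say anything)."""
    v = parse_openssh_version(banner)
    if v is None:
        return None
    mm = v[:2]  # every release in the window is p1, so major.minor decides
    regression_window = (8, 5) <= mm <= (9, 7)   # 8.5p1 .. 9.7p1
    original_bug = mm < (4, 4)                   # before 4.4p1 (CVE-2006-5051)
    return regression_window or original_bug

def grab_banner(host, port=22, timeout=5.0):
    """Read the first line the server sends; the client need not send anything first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(256)
    return data.decode("utf-8", "replace").splitlines()[0]

if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    samples = [
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
        "SSH-1.99-OpenSSH_3.9p1",
        "SSH-2.0-dropbear_2022.83",
    ]
    for b in samples:
        print(f"{b!r:45} -> {is_potentially_vulnerable(b)}")
```

Because the check is purely banner-based, a distribution build that backported the fix but still announces an in-window version (for example a patched 9.6p1 package) is reported as potentially vulnerable; confirm such hits against the package changelog before acting on them.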

CVE-2024-6387 severity

CVE-2024-6387 has a high severity CVSSv3 score of 8.1.

How to fix regreSSHion and mitigate CVE-2024-6387

The best course of action is to update OpenSSH to version 9.8p1, which includes a patch to fix this issue and offers improved defense-in-depth.

If updating is not feasible, you can manually fix the vulnerability by disabling the async-signal-unsafe code in the log.c:sshsigdie function and recompiling SSHD:

void
sshsigdie(const char *file, const char *func, int line, int showfunc,
    LogLevel level, const char *suffix, const char *fmt, ...)
{
#if 0	/* disabled: sshlogv() ends up in syslog(), which is not async-signal-safe */
	va_list args;

	va_start(args, fmt);
	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
	    suffix, fmt, args);
	va_end(args);
#endif
	_exit(1);	/* async-signal-safe; the handler now only terminates the process */
}

If updating or recompiling SSHD is not an option, you can mitigate the race condition by setting LoginGraceTime to 0 in the SSHD configuration file, which disables the timeout and therefore the SIGALRM handler. However, this should be a last resort, as it makes SSHD vulnerable to Denial of Service attacks (unauthenticated connections are never timed out), creating another set of issues.

OpenSSH detection references for CVE-2024-6387

https://pentest-tools.com/blog/regresshion-cve-2024-6387

https://pentest-tools.com/vulnerabilities-exploits/openssh-remote-code-execution_22925

https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

OpenSSH scanner report for CVE-2024-6387

Now that you’ve seen how to scan for this OpenSSH vulnerability quickly and at zero cost, maybe you’re curious what you’ll get after the scan finishes.

Here’s a sample report from our free OpenSSH vulnerability scanner for CVE-2024-6387, which you can export as PDF. This is the kind of proof and remediation advice you’ll get if our OpenSSH vulnerability scanner finds any vulnerable systems in your infrastructure:


About our Network Vulnerability Scanner

Our Network Vulnerability Scanner is a well-rounded tool for all your network security assessments.

It combines multiple engines and fine-tuned (customizable) scan settings which surface over 20.000 critical vulnerabilities, misconfigurations, and outdated services.

Each scan automatically updates your attack surface and provides an up-to-date map for planning targeted attacks or strategic lateral movements.

In a transparent benchmark, our tool outperformed the 6 most popular network scanners on the market, both open-source and commercial.

Explore a sample report which includes a vulnerability summary, automatically confirmed findings, evidence, and more.


FAQ

What is OpenSSH?

OpenSSH (OpenBSD Secure Shell) is a suite of secure networking utilities based on the Secure Shell (SSH) protocol. It provides encrypted communication sessions over a computer network.

What is the OpenSSH attack surface?

OpenSSH is widely used for its robustness, security features, and versatility, which make it a go-to for providing secure network services. It is commonly found in Unix-like operating systems, including Linux and BSD variants, and is also available for Windows.

Which OpenSSH versions are vulnerable to regreSSHion?

OpenSSH versions between 8.5p1 and 9.7p1, as well as versions prior to 4.4p1, are vulnerable to CVE-2024-6387 - under certain conditions.

This means that a remote attacker, without needing any authentication, can completely take over the vulnerable server.

Why are you offering a free OpenSSH vulnerability scanner for CVE-2024-6387?

Every day, we develop tools, detections, and exploits to help ethical hackers enhance organizational defenses.

We know the fight is unfair and rigged; security people follow strict rules, while threat actors do anything they want.

That's why our team dissects vulnerabilities and creates tools (sometimes free ones), so cybersecurity specialists can do good and counteract the damage criminals cause with their own methods.

Read more in our vulnerability research manifesto.