Security Advisory: OpenSSH Arbitrary Code Execution Vulnerability (CVE-2024-6387)

  • Tuesday, 2nd July, 2024
  • 04:15am

Vulnerability Information

This vulnerability, nicknamed regreSSHion, is a signal handler race condition in the OpenSSH server (sshd): when a client fails to authenticate within LoginGraceTime, sshd's SIGALRM handler runs code that is not async-signal-safe. An unauthenticated remote attacker who wins the race can execute arbitrary code as root on glibc-based Linux systems. It is a regression of CVE-2006-5051, which had been fixed in OpenSSH 4.4p1 and was reintroduced in 8.5p1.

A proof-of-concept (PoC) for this vulnerability has been publicly released. Because no credentials are needed and sshd is exposed on most servers, the impact is wide, even though the published research needed many connection attempts over several hours to win the race. Update the OpenSSH packages to a fixed version as soon as possible and limit network exposure of sshd until that is done.

===

Vulnerability Number: CVE-2024-6387

Affected Versions: 8.5p1 <= OpenSSH < 9.8p1 (releases before 4.4p1 are also affected unless they were patched for CVE-2006-5051; 4.4p1 through 8.4p1 are not affected). Distribution packages that backport the fix keep their old upstream version number, so check the distribution revision, not only the upstream version.

Official Patch: https://www.openssh.com/releasenotes.html

===

Debian & Ubuntu Distribution Security Updates and Announcements

Debian: https://security-tracker.debian.org/tracker/CVE-2024-6387

Ubuntu: https://ubuntu.com/security/CVE-2024-6387

===

Check Script

https://github.com/tw-yuan/CVE-2024-6387_Check

===

Remediation (Debian)

This vulnerability affects any glibc-based Linux distribution shipping an sshd in the affected range; Debian is covered here and Ubuntu below. Users can verify and update their systems using the following steps to ensure they are using a patched version of the software.

Checking the Version

First, use the sshd -v command to check the current OpenSSH version. sshd does not accept -v, but the usage message it prints starts with the version string (for example OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.11 19 Sep 2023). The authoritative check is the package version: dpkg -s openssh-server | grep Version.

On Debian 12 (bookworm) the fixed package prints OpenSSH_9.2p1 Debian-2+deb12u3 (note that the end is u3; revision u3 and later carry the fix). Debian 11 (bullseye) ships OpenSSH 8.4p1 (for example OpenSSH_8.4p1 Debian-5+deb11u3), which is below the affected range's 8.5p1 lower bound.

If the output shows u2 or another affected revision, please follow the steps below to update the package and fix the vulnerability.

Updating the Package Version

First, check if the following package update source is in /etc/apt/sources.list. If it is not, add it.

deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware

deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware

Once you have it, enter apt update && apt install --only-upgrade openssh-client openssh-server openssh-sftp-server -y to update the packages.

Finally, use sshd -v again to confirm that you are using a patched version, and confirm that the running daemon was restarted by the package upgrade (systemctl status ssh should show a start time after the upgrade); an sshd process started before the upgrade still runs the vulnerable code.

 

Remediation (Ubuntu)

Users can verify and update their systems using the following steps to ensure they are using a patched version of the software.

Checking the Version

First, use the sshd -v command to check the current OpenSSH version (sshd prints its version string at the top of its usage message), or dpkg -s openssh-server | grep Version for the package version.

If the output is in the following list, then you are using a patched version.

Fixed (not vulnerable) versions:

  • OpenSSH_8.9p1 Ubuntu-3ubuntu0.10 (Ubuntu 22.04 LTS)
  • OpenSSH_9.3p1 Ubuntu-3ubuntu3.6
  • OpenSSH_9.3p1 Ubuntu-1ubuntu3.6 (Ubuntu 23.10)
  • OpenSSH_9.6p1 Ubuntu-3ubuntu13.3 (Ubuntu 24.04 LTS)

Later point releases of these builds also carry the fix. Ubuntu 20.04 LTS ships OpenSSH 8.2p1, which is below the affected range and does not need this update.

If it is another affected version, please follow the steps below to update the package and fix the vulnerability.

Updating the Package Version

Enter apt update && apt install --only-upgrade openssh-client openssh-server openssh-sftp-server -y to update the packages.

Then use sshd -v again to confirm that you are using a patched version, and confirm that the running daemon was restarted by the upgrade (systemctl status ssh); an sshd process started before the upgrade still runs the vulnerable code.
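The version checks in the Debian and Ubuntu procedures above, as an added example script (not part of this advisory and not the linked check script): it classifies an OpenSSH version banner against the upstream affected range and the fixed Debian and Ubuntu builds listed in this advisory, treating later point releases on the same build line as fixed too. The list of fixed builds, the path /usr/sbin/sshd and the "local" argument convention are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from this advisory or the OpenSSH project): classify an
# OpenSSH version banner against CVE-2024-6387 using the upstream affected range
# (8.5p1 <= version < 9.8p1, plus anything before 4.4p1) and the fixed Debian and
# Ubuntu builds listed in this advisory (assumed list, extend for other distros).
# Later point releases on the same build line (e.g. Debian-2+deb12u4) count as fixed.

FIXED_BUILDS="Debian-2+deb12u3 Ubuntu-3ubuntu0.10 Ubuntu-3ubuntu3.6 Ubuntu-1ubuntu3.6 Ubuntu-3ubuntu13.3"

# version_lt A B: succeed if "major.minor" A is numerically below B.
version_lt() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -lt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# classify_banner "OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.11 19 Sep 2023"
# Prints: patched | not-affected | vulnerable | vulnerable-unknown-build | unparseable
classify_banner() {
    banner=$1
    rest=${banner#OpenSSH_}
    [ "$rest" = "$banner" ] && { echo unparseable; return 1; }
    rest=${rest%%,*}                 # drop ", OpenSSL ..." and anything after
    upstream=${rest%% *}             # e.g. 9.2p1
    build=""
    case "$rest" in *" "*) build=${rest#* } ;; esac   # e.g. Debian-2+deb12u3
    mm=${upstream%%p*}               # e.g. 9.2
    case "$mm" in
        [0-9]*.[0-9]*) ;;
        *) echo unparseable; return 1 ;;
    esac

    if version_lt "$mm" 4.4; then
        echo vulnerable; return 2    # predates the CVE-2006-5051 fix
    elif version_lt "$mm" 8.5; then
        echo not-affected; return 0  # 4.4p1 .. 8.4p1 never had the regression
    elif ! version_lt "$mm" 9.8; then
        echo patched; return 0       # 9.8p1 and later carry the upstream fix
    fi

    # 8.5p1 <= version < 9.8p1: only a distribution backport makes it safe.
    # Split the build string into a prefix and its trailing revision number so
    # that "Debian-2+deb12u4" compares as 4 >= 3 against "Debian-2+deb12u3".
    [ -n "$build" ] || { echo vulnerable; return 2; }
    prefix=$(printf '%s' "$build" | sed 's/[0-9]*$//')
    num=${build#"$prefix"}
    for fixed in $FIXED_BUILDS; do
        fprefix=$(printf '%s' "$fixed" | sed 's/[0-9]*$//')
        fnum=${fixed#"$fprefix"}
        if [ "$prefix" = "$fprefix" ] && [ -n "$num" ]; then
            if [ "$num" -ge "$fnum" ]; then echo patched; return 0; fi
            echo vulnerable; return 2
        fi
    done
    # In the affected range with no known backport: verify against the package changelog.
    echo vulnerable-unknown-build; return 3
}

# check_local: read the banner from the installed sshd. "sshd -v" is not a valid
# option, so sshd prints its usage text, whose first line is the version; fall
# back to "ssh -V" (same package line on Debian and Ubuntu) if sshd is absent.
check_local() {
    banner=$("${SSHD:-/usr/sbin/sshd}" -v 2>&1 | head -n 1)
    case "$banner" in OpenSSH_*) ;; *) banner=$(ssh -V 2>&1) ;; esac
    printf '%s -> ' "$banner"
    classify_banner "$banner"
}

# Run against this host when invoked as: sh check_6387.sh local
if [ "${1:-}" = local ]; then
    check_local
fi
```

The exit status (0 fixed or not affected, non-zero otherwise) lets the script be dropped into a fleet-wide check; a "vulnerable-unknown-build" result means the upstream version is in range but the build is not one this advisory lists, so the package changelog has to be read rather than the banner trusted.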

Additional Notes

* Users of other Linux distributions should consult their distribution's security advisories for the fixed package version; the upstream version number alone is not enough, because distributions backport the fix without changing it.

* Strong passwords and two-factor authentication do not mitigate this vulnerability, since it is triggered before authentication completes. If patching must wait, the interim mitigation given in the original research is to set LoginGraceTime 0 in /etc/ssh/sshd_config and reload sshd, which removes the timer the race depends on at the cost of making the server easier to exhaust with idle connections; restricting which networks can reach port 22 reduces exposure further. Remove the LoginGraceTime workaround once the fixed package is installed.
