DOCUMENTS [CVE-2024-6387] Remote Code Exec in OpenSSH (regreSSHion) – Critical Race Condition i
by GenosX - 07-07-25, 11:29 PM
#1
Hey everyone,
 
Just wanted to drop a quick technical rundown on CVE-2024-6387, a super serious vuln hitting OpenSSH from version 8.5p1 up to 9.7p1. It’s basically a race condition in the sshd daemon that lets attackers run code remotely without even logging in.
 
What’s the vuln about?
There’s a race condition in how sshd handles signals during the initial connection phase, before you even authenticate.
 
Funny thing is, this bug is kind of a comeback of a similar one patched back in 2006 (CVE-2006-5051) — hence the name “regreSSHion.”
 
Attackers can send a bunch of specially crafted packets to exploit this race and run arbitrary code as root.
 
Affected systems
 
OpenSSH versions 8.5p1 to 9.7p1 inclusive
 
Linux with glibc (version < 2.36) like Debian 11/12, Ubuntu 22.04, RHEL 8/9, Kali Linux, and lots of Docker containers based on those
 
Doesn’t affect systems without glibc like Alpine Linux
 
Impact
 
Remote code execution with no auth needed
 
Public PoC available on GitHub and Metasploit
 
Super risky for servers open to the internet, especially if no firewall or IDS/IPS is set up
 
Attacker gets full root privileges
 
Extra resources
 
Qualys advisory: https://www.qualys.com/2024/07/01/cve-20...4-6387.txt
 
PoC GitHub: https://github.com/razzorsec/CVE-2024-6387
 
Metasploit module (WIP)
 
Hope this quick summary helps anyone working with OpenSSH servers. If you want, I can break down the PoC or do a line-by-line exploit analysis — just say the word.
Kisses
 
 
Cheers!
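Added example, not from GenosX's post, the linked PoC repo or the OpenSSH project: a small triage script for the two things a defender actually does with the summary above. First, it parses the sshd identification banner and flags the version range the post gives (portable OpenSSH 8.5p1 through 9.7p1 inclusive). Second, it scans auth-log lines for the "Timeout before authentication" message that sshd's grace-period alarm handler writes, since the race the post describes is won against that alarm and an exploit attempt needs a large number of aborted pre-auth connections. The sample banners, log lines, the host name in the usage block and the threshold of 10 are constructed assumptions for the demonstration.

```python
"""Triage helpers for CVE-2024-6387 (regreSSHion): banner version check + log heuristic.

Added example; not the original post's or the OpenSSH project's code.
"""
import re
import socket
from collections import Counter

# Affected range as stated in the post: OpenSSH 8.5p1 through 9.7p1 inclusive.
AFFECTED_MIN = (8, 5)
AFFECTED_MAX = (9, 7)

# Server identification string (RFC 4253): "SSH-protoversion-softwareversion [comments]".
# Portable OpenSSH adds a "pN" suffix; the OpenBSD-native build does not.
BANNER_RE = re.compile(
    r"^SSH-[\d.]+-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<portable>\d+))?"
)


def parse_openssh_banner(banner: str):
    """Return (major, minor, portable_or_None), or None for a non-OpenSSH banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    p = m.group("portable")
    return (int(m.group("major")), int(m.group("minor")), int(p) if p else None)


def in_affected_range(banner: str) -> bool:
    """True when the advertised version is portable OpenSSH 8.5p1..9.7p1.

    Only the portable build is considered: the OpenBSD-native build has no "p"
    suffix and its SIGALRM handler uses syslog_r(), so it was reported unaffected.
    Distributions backport the fix without changing this string, so True means
    "candidate to verify against the package changelog", not "confirmed vulnerable".
    """
    parsed = parse_openssh_banner(banner)
    if parsed is None or parsed[2] is None:
        return False
    return AFFECTED_MIN <= (parsed[0], parsed[1]) <= AFFECTED_MAX


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line; sshd sends it first, before any auth."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(255).decode("utf-8", errors="replace").strip()


# sshd logs this from its grace-period alarm handler when LoginGraceTime expires
# without authentication. An attacker racing that handler leaves many of these.
TIMEOUT_RE = re.compile(
    r"Timeout before authentication for (?P<ip>[\d.:a-fA-F]+) port \d+"
)


def timeout_counts(log_lines, threshold: int = 10) -> dict:
    """Return {source_ip: count} for sources with at least `threshold` pre-auth timeouts."""
    counts = Counter()
    for line in log_lines:
        m = TIMEOUT_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log lines (not real traffic) in the usual auth.log layout:
# one noisy source with 12 timeouts, one stray timeout, one normal login.
SAMPLE_LOG = [
    f"Jul  1 10:00:{i:02d} host sshd[{1200 + i}]: fatal: Timeout before authentication "
    f"for 203.0.113.7 port {40000 + i}"
    for i in range(12)
] + [
    "Jul  1 10:01:00 host sshd[1300]: fatal: Timeout before authentication for 198.51.100.3 port 52000",
    "Jul  1 10:01:05 host sshd[1301]: Accepted publickey for ops from 192.0.2.10 port 53000 ssh2: ED25519",
]

# Constructed sample banners covering the edges of the stated range.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",   # below range
    "SSH-2.0-OpenSSH_8.5p1",                    # first affected
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",   # in range; distro may have backported the fix
    "SSH-2.0-OpenSSH_9.7p1",                    # last affected
    "SSH-2.0-OpenSSH_9.7",                      # OpenBSD-native build, not in scope
    "SSH-2.0-OpenSSH_9.8p1",                    # fixed upstream
    "SSH-2.0-dropbear_2022.83",                 # not OpenSSH
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:45s} candidate={in_affected_range(b)}")
    print("noisy sources:", timeout_counts(SAMPLE_LOG))
    # Live check against a host you own (hypothetical host name):
    # print(in_affected_range(grab_banner("ssh.example.internal")))
```

Two caveats worth keeping in mind when using this: a banner match only tells you the upstream version string, and Debian, Ubuntu and RHEL all shipped fixed packages that still advertise 9.2p1, 9.6p1 and so on, so confirm against the package changelog before calling a host vulnerable. On the log side, a handful of pre-auth timeouts is normal background noise from scanners; it is the sustained burst from one source that is the signal, which is why the function takes a threshold. The Qualys advisory the post links also describes setting LoginGraceTime to 0 in sshd_config as a stopgap that removes the race at the cost of making the daemon easier to exhaust with idle connections.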
#2
make it