Blue Team - RegreSSHion (CVE-2024-6387)- OpenSSH Vulnerability
The Qualys Threat Research Unit disclosed a vulnerability in the OpenSSH server (sshd) named 'regreSSHion' (CVE-2024-6387). It allows unauthenticated remote code execution as root on glibc-based Linux systems, and Censys/Shodan searches at disclosure time showed roughly 14 million potentially vulnerable OpenSSH instances exposed to the Internet.
Vulnerability:
- Signal handler race condition: if a client does not authenticate within LoginGraceTime (default 120 seconds), sshd's SIGALRM handler runs asynchronously and calls functions that are not async-signal-safe, such as syslog(), which in turn calls malloc() and free().
- Remote code execution: by repeatedly connecting and timing the interruption, an attacker can corrupt the heap state of sshd's privileged, unauthenticated pre-auth process and gain code execution as root. Qualys demonstrated this on 32-bit glibc systems after roughly 10,000 attempts (several hours against default settings); 64-bit exploitation was not demonstrated but is considered feasible.
Impact: High (CVSS 3.1 base score 8.1)
Affected Versions:
- OpenSSH < 4.4p1, unless already patched for CVE-2006-5051 and CVE-2008-4109
- 8.5p1 <= OpenSSH < 9.8p1: the 2006 fix was accidentally removed in 8.5p1, which is why the bug is a "regression"
- Not affected: 4.4p1 through 8.4p1, OpenBSD (its syslog_r() is async-signal-safe), and distribution packages that backport the 9.8p1 fix while keeping an older version string. Every version-based check below is therefore indicative only and must be confirmed against the package changelog.
Open Source Intelligence:
Censys:
services.software.uniform_resource_identifier="cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*"
(This query only lists Debian hosts as a starting population; it does not filter on the OpenSSH version, so intersect it with a banner check such as the Nuclei template below.)
GetOdin:
services.product:"openssh" AND (services.version:"[=8.5 TO 9.8]" OR services.version:"4.4")
Shodan:
- Twitter - Shodan Hunt
- VirusTotal - Binaries
Offensive/Red Team:
Nuclei Template - Discovery:
```yaml
id: CVE-2024-6387

info:
  name: "RegreSSHion detect (based on software version)"
  author: "UnaPibaGeek"
  severity: "High"
  description: "Regression (CVE-2024-6387) software version checker."
  classification:
    cve-id: "CVE-2024-6387"
  metadata:
    max-request: 2
    vendor: "OpenSSH"
    product: "OpenSSH"
  tags: ["cve", "cve2024", "regresshion", "openssh", "ssh"]

tcp:
  - host:
      - "{{Hostname}}"   # nuclei's standard target placeholder
    port: 22
    inputs:
      # Send a client banner so sshd answers with its own "SSH-2.0-OpenSSH_x.y" line
      - data: "SSH-2.0-OpenSSH_9.0\r\n"
    matchers:
      - type: "regex"
        part: "body"
        # 8.5-8.9, 9.0-9.7, 0.x-3.x and 4.0-4.3; the regex is single-quoted so the
        # backslashes reach the regex engine unchanged
        regex: 'OpenSSH_(8\.[5-9]p?[12]?|9\.[0-7]p?[12]?|[0-3]\.[0-9]p?[12]?|4\.[0-3]p?[12]?)'
```
Run it with nuclei -t <template>.yaml -u <host>. The match is purely banner-based: a Debian 12 host advertising "OpenSSH_9.2p1 Debian-2+deb12u3" is flagged even after the backported fix is installed, so confirm hits with the package-level queries in the BlueTeam section.
Vulnerability Identification - Internal:
POC:
Dirty Script - Uploaded VT:
BlueTeam:
Velociraptor - VQL Syntax:
Quick and dirty VQL to search for hosts potentially vulnerable to #OpenSSH #regreSSHion
```sql
// Use to filter hunt results from Linux.Debian.Packages or Linux.RHEL.Packages
// Clean up the version value to make reusable because Debian includes "1:" as a prefix in the version value
// Note: the comparisons below are plain string comparisons, so a two-digit major such as
// "10.0p1" sorts before "4.4p1" and is reported as "Yes"; treat the output as a triage list.
LET CleanVersion = strip(prefix="1:", string=Version)
SELECT Fqdn, CleanVersion AS Version,
if( condition=CleanVersion < "4.4p1", then="Yes",
else=if(condition=CleanVersion >= "4.4p1" AND CleanVersion < "8.5p1", then="No",
else=if(condition=CleanVersion >= "8.5p1" AND CleanVersion < "9.8p1", then="Potentially. Check for backported patch.", else="No"))) AS `Vulnerable?`
FROM source()
WHERE Package =~ "openssh-server"
```
Splunk:
Vulnerable Linux Servers Identification (the "1:" epoch prefix is optional in the rex so RHEL versions, which have no epoch, are parsed as well):
index=unix source=package NAME="*openssh*"
| rex field=VERSION "^(?:1:)?(?<ssh_version>\d+\.\d+)"
| eval ssh_version_number = tonumber(ssh_version)
| eval vulnerable_ssh_version = case(
    ssh_version_number < 4.4, "Vulnerable SSH Version (unless patched for CVE-2006-5051 and CVE-2008-4109)",
    ssh_version_number >= 8.5 AND ssh_version_number < 9.8, "Potentially Vulnerable SSH Version - check for backported patch",
    true(), "SSH Version not Vulnerable")
| stats count by NAME VENDOR ssh_version ssh_version_number VERSION vulnerable_ssh_version
Hunt for sshd hosts targeted by exploitation attempts (bursts of "Timeout before authentication", the line sshd logs from the SIGALRM handler on every attempt at the race):
(sourcetype=journald OR sourcetype=linux:auth OR TERM(sshd)) "Timeout before authentication"
| rex "Timeout before authentication for (?<src_ip>\S+) port \d+"
| timechart span=10m count by host
A handful of timeouts per day is normal scanner noise; thousands from one src_ip over a few hours matches the attempt volume Qualys needed to win the race, so pivot on src_ip when a host spikes.
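The same hunt logic as the Splunk search above, run offline over log lines, as an added example (not code from the page or from Qualys). It assumes syslog/journald short-format lines without a year, and the threshold (10 timeouts) and window (10 minutes) are chosen here for illustration; the sample log is constructed, not captured.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, Tuple

# sshd logs this line from its SIGALRM handler when LoginGraceTime expires, i.e. on every
# attempt an attacker makes to hit the race. Syslog/journald "short" format is assumed:
#   Jul  1 10:02:00 bastion sshd[4200]: Timeout before authentication for 203.0.113.5 port 51000
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Timeout before authentication for (?P<src>\S+) port \d+"
)


def parse_timeouts(lines: Iterable[str], year: int = 2024) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, host, source_ip) per timeout line; the syslog format carries no
    year, so the caller supplies it (assumption: all lines come from the same year)."""
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day ("Jul  1")
        yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m["host"], m["src"]


def find_bursts(lines: Iterable[str], threshold: int = 10,
                window: timedelta = timedelta(minutes=10),
                year: int = 2024) -> Dict[Tuple[str, str], int]:
    """Sliding-window count of timeouts per (host, source). Returns, for every pair that
    reached `threshold` timeouts inside `window`, the peak count observed."""
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    peaks: Dict[Tuple[str, str], int] = {}
    for ts, host, src in sorted(parse_timeouts(lines, year)):
        q = recent[(host, src)]
        q.append(ts)
        while ts - q[0] > window:  # drop entries that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[(host, src)] = max(peaks.get((host, src), 0), len(q))
    return peaks


# Constructed sample log: one benign timeout from 198.51.100.7 and twelve from 203.0.113.5
# inside two minutes, the pattern of a single source repeatedly racing LoginGraceTime.
SAMPLE_LOG = [
    "Jul  1 10:00:05 bastion sshd[4101]: Accepted publickey for ops from 198.51.100.7 port 50122 ssh2",
    "Jul  1 10:01:10 bastion sshd[4120]: Timeout before authentication for 198.51.100.7 port 50130",
] + [
    f"Jul  1 10:{2 + i // 6:02d}:{(i * 10) % 60:02d} bastion sshd[{4200 + i}]: "
    f"Timeout before authentication for 203.0.113.5 port {51000 + i}"
    for i in range(12)
]

if __name__ == "__main__":
    for (host, src), peak in find_bursts(SAMPLE_LOG).items():
        print(f"{host}: {src} caused {peak} pre-auth timeouts within 10 minutes")
```

Against real data, raise the threshold to what your scanner baseline tolerates; the point is the per-source concentration, since the exploit needs the same client to hit the timeout thousands of times.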
Sigma Rule:
Detect Suspicious Child Processes or Commands of SSH/SSHD - Attack Patterns/Behaviours
```yaml
title: Detect Suspicious Child Processes or Commands of SSH/SSHD
id: da5fbf66-b903-48a5-b12e-4b80132d7e1a
description: Detects suspicious child processes of SSH/SSHD or commands executed by SSH/SSHD which may indicate potential abuse using commonly abused Linux attack tools or networking binaries.
status: experimental
author: David Burkett, @signalblur
references:
  - https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
  - https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
tags:
  - attack.t1190
logsource:
  category: process_creation
  product: linux
detection:
  selection_process:
    ParentImage:
      - '/usr/bin/ssh'
      - '/usr/sbin/sshd'
    Image:
      - '/usr/bin/curl'
      - '/usr/bin/wget'
      - '/usr/bin/nmap'
      - '/usr/bin/nc'
      - '/usr/bin/socat'
      - '/usr/bin/nc.traditional'
      - '/usr/bin/nc.openbsd'
      - '/usr/bin/openssl'
      - '/usr/bin/nc6'
      - '/usr/bin/msfconsole'
  selection_commandline:
    ParentImage:
      - '/usr/bin/ssh'
      - '/usr/sbin/sshd'
    CommandLine|contains:
      - 'nmap'
      - 'chisel'
      - 'zenmap'
      - 'xenmap'
      - 'john'
      - 'hydra'
      - 'sqlmap'
      - 'dirbuster'
      - 'nikto'
      - 'gobuster'
      - 'feroxbuster'
      - 'masscan'
      - 'metasploit'
      - 'empire'
  condition: selection_process or selection_commandline
falsepositives:
  - Expected administrative activity
  - Regular user behavior with legitimate use cases
level: medium
```
The rule only fires when the tool is a direct child of sshd (or the ssh client), as with a payload spawned by an exploited sshd process; tools started from an interactive session have the user's login shell as parent and are not matched.
OSQuery:
Detecting RegreSSHion CVE-2024-6387
```sql
-- Debian/Ubuntu versions carry an epoch prefix ("1:9.2p1-2+deb12u3"), RPM versions do not
-- ("8.7p1-38.el9"), so major.minor is cut from a different offset per package manager.
SELECT 'DEB Package' AS PACKAGE_MANAGER, name, version, CAST(SUBSTR(version, 3, 3) AS FLOAT) AS float_version,
  CASE
    WHEN CAST(SUBSTR(version, 3, 3) AS FLOAT) < 4.4 THEN 'YES (Unless patched for CVE-2006-5051 and CVE-2008-4109)'
    WHEN CAST(SUBSTR(version, 3, 3) AS FLOAT) >= 4.4 AND CAST(SUBSTR(version, 3, 3) AS FLOAT) < 8.5 THEN 'NOT Vulnerable'
    WHEN CAST(SUBSTR(version, 3, 3) AS FLOAT) >= 8.5 AND CAST(SUBSTR(version, 3, 3) AS FLOAT) < 9.8 THEN 'Potentially Vulnerable (check the package changelog for a backported fix)'
    WHEN CAST(SUBSTR(version, 3, 3) AS FLOAT) >= 9.8 THEN 'NOT Vulnerable (fixed in 9.8p1)'
    ELSE 'UNKNOWN'
  END AS vulnerability_status
FROM deb_packages
WHERE source LIKE 'openssh%' OR name LIKE 'openssh%'
UNION
SELECT 'RPM Package' AS PACKAGE_MANAGER, name, version, CAST(SUBSTR(version, 1, 3) AS FLOAT) AS float_version,
  CASE
    WHEN CAST(SUBSTR(version, 1, 3) AS FLOAT) < 4.4 THEN 'YES (Unless patched for CVE-2006-5051 and CVE-2008-4109)'
    WHEN CAST(SUBSTR(version, 1, 3) AS FLOAT) >= 4.4 AND CAST(SUBSTR(version, 1, 3) AS FLOAT) < 8.5 THEN 'NOT Vulnerable'
    WHEN CAST(SUBSTR(version, 1, 3) AS FLOAT) >= 8.5 AND CAST(SUBSTR(version, 1, 3) AS FLOAT) < 9.8 THEN 'Potentially Vulnerable (check the package changelog for a backported fix)'
    WHEN CAST(SUBSTR(version, 1, 3) AS FLOAT) >= 9.8 THEN 'NOT Vulnerable (fixed in 9.8p1)'
    ELSE 'UNKNOWN'
  END AS vulnerability_status
FROM rpm_packages
WHERE source LIKE 'openssh%' OR name LIKE 'openssh%';
```
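The version logic shared by the Nuclei regex, the VQL, the Splunk search and the osquery query above, written once with integer comparison so that neither string ordering ("10.0p1" < "4.4p1") nor float truncation misclassifies a version. This is an added example, not code from the page or from any of the tool authors; the banner and package strings it parses are constructed samples, and the verdict strings are my own wording of the ranges in the Affected Versions section.

```python
import re
from typing import Optional, Tuple

# (major, minor, portable patch level from the "pN" suffix; 0 when absent)
Version = Tuple[int, int, int]

# Banner form: "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3" (what Nuclei/Shodan/Censys see).
# Package form: "1:9.2p1-2+deb12u3" (dpkg, with epoch) or "8.7p1-38.el9" (rpm, no epoch),
# which is what the Velociraptor/Splunk/osquery package queries read. The optional
# epoch prefix is skipped so both families go through the same comparison.
_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
_PACKAGE_RE = re.compile(r"^(?:\d+:)?(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(text: str) -> Optional[Version]:
    """Extract (major, minor, pN) from a banner or package version string, None if absent."""
    m = _BANNER_RE.search(text) or _PACKAGE_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def classify(version: Version) -> str:
    """Apply the advisory's ranges. Integer tuples compare correctly where the string
    comparison in the VQL ("10.0p1" < "4.4p1") and the float cast in the Splunk/osquery
    queries ("8.10" -> 8.1) would misorder a two-digit component."""
    major_minor = version[:2]  # the pN suffix never changes which range applies
    if major_minor < (4, 4):
        return "vulnerable (unless patched for CVE-2006-5051 and CVE-2008-4109)"
    if major_minor < (8, 5):
        return "not vulnerable (fixed in 4.4p1, before the 8.5p1 regression)"
    if major_minor < (9, 8):
        return "potentially vulnerable (confirm no backported fix in the package changelog)"
    return "not vulnerable (fixed in 9.8p1)"


def assess(text: str) -> str:
    """Convenience wrapper: one banner or package version in, one verdict out."""
    version = parse_openssh_version(text)
    if version is None:
        return "unknown (no OpenSSH version string found)"
    return classify(version)


# Constructed sample inputs (not real hosts): one per query style on the page.
SAMPLE_INPUTS = [
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",  # banner, Debian 12 (backported fix likely)
    "SSH-2.0-OpenSSH_9.8p1",                  # banner, fixed upstream release
    "1:8.4p1-5+deb11u3",                      # dpkg version with epoch, pre-regression
    "8.7p1-38.el9",                           # rpm version, no epoch
    "4.3p2-82.el5",                           # rpm version, pre-4.4p1
    "SSH-2.0-dropbear_2022.83",               # not OpenSSH at all
]

if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        print(f"{sample:40} -> {assess(sample)}")
```

Feed it the VERSION column from the package queries or the banner captured by the Nuclei template; anything reported as "potentially vulnerable" still needs the distribution changelog checked for CVE-2024-6387 before it is treated as exposed.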
Mitigation Plans:
Patching:
- Update to OpenSSH 9.8p1 or later, or to a distribution package that backports the fix (check the package changelog for CVE-2024-6387 rather than trusting the version string).
Access Controls:
- Restrict SSH to organisation IP ranges or a VPN with firewall rules; do not leave sshd exposed directly to the Internet.
HIDS:
- Deploy Fail2ban to ban source IPs that generate repeated failures before authentication. The exploit needs thousands of connection attempts from one source to win the race, so rate-limiting or banning aggressive sources raises its cost considerably.
- Monitor SSH logs and block IPs showing suspicious behaviour (bursts of "Timeout before authentication" from a single address).
Configuration - sshd_config (the server-side file, not ssh_config):
LoginGraceTime:
- Set LoginGraceTime to 0. This disables the authentication timeout and with it the SIGALRM handler, which removes the RCE path, but it lets unauthenticated clients hold connection slots indefinitely, so pair it with the limits below to cap the resulting denial-of-service exposure.
MaxStartups:
- MaxStartups 10:30:100 (the default: start dropping 30% of new unauthenticated connections once 10 are pending, all of them at 100)
PerSourceMaxStartups:
- PerSourceMaxStartups 5 (at most 5 pending unauthenticated connections per source address)
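An audit of the three sshd_config settings above, written as an added example (not from the page or from OpenSSH). It reads the config the way sshd does, so that a second LoginGraceTime line lower in the file or a value inside a Match block does not give a false sense of safety. The two sample configs are constructed; the defaults table is taken from sshd_config(5), and the "weak"/"hardened" labelling and finding texts are my own.

```python
import re
from typing import Dict, List

# sshd defaults for the directives the interim mitigation touches (sshd_config(5)).
DEFAULTS: Dict[str, str] = {
    "logingracetime": "120",
    "maxstartups": "10:30:100",
    "persourcemaxstartups": "none",
}
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_sshd_time(value: str) -> int:
    """sshd time format: a bare number is seconds, otherwise chained N[s|m|h|d|w] units ("1h30m")."""
    return sum(int(n) * _UNIT_SECONDS[u.lower()]
               for n, u in re.findall(r"(\d+)([smhdwSMHDW]?)", value))


def effective_config(text: str) -> Dict[str, str]:
    """Reduce sshd_config text to {keyword: value} the way sshd reads it: keywords are
    case-insensitive, "keyword value" and "keyword=value" are both accepted, the FIRST
    value seen for a keyword wins, and lines inside a Match block (until "Match all")
    are skipped because the directives audited here are global-only."""
    cfg: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            in_match = value.lower() != "all"
            continue
        if not in_match:
            cfg.setdefault(key, value)  # first value wins, later duplicates are ignored
    return cfg


def audit(text: str) -> List[str]:
    """Return findings against the regreSSHion interim mitigations; empty means in place."""
    cfg = {**DEFAULTS, **effective_config(text)}
    findings: List[str] = []
    if parse_sshd_time(cfg["logingracetime"]) != 0:
        findings.append(f"LoginGraceTime {cfg['logingracetime']}: the SIGALRM handler still fires; "
                        "patch, or set LoginGraceTime 0 until patched")
    if cfg["persourcemaxstartups"].lower() == "none":
        findings.append("PerSourceMaxStartups unset: with LoginGraceTime 0 a single source can hold "
                        "every MaxStartups slot open indefinitely (DoS); set e.g. PerSourceMaxStartups 5")
    return findings


# Constructed sample configs. WEAK_CONFIG is the stock shape; HARDENED_CONFIG applies the
# page's settings and also exercises the first-value-wins and Match-block rules.
WEAK_CONFIG = """
Port 22
LoginGraceTime 2m
MaxStartups 10:30:100
"""

HARDENED_CONFIG = """
LoginGraceTime 0
LoginGraceTime 120          # ignored: sshd keeps the first value it read
MaxStartups=10:30:100
PerSourceMaxStartups 5
Match Address 10.0.0.0/8
    PasswordAuthentication yes   # inside Match, not part of the global config
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or ["no findings"])
```

On a live host, feed it the output of `sshd -T` instead of the file: that prints the effective values after all includes and defaults, so the first-wins and Match handling above become a cross-check rather than a guess.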