CVE-2024-6387

CVE-2024-6387

CVE-2024-6387

First OpenSSH vulnerability in nearly two decades that grants full root access

First OpenSSH vulnerability in nearly two decades that grants full root access

First OpenSSH vulnerability in nearly two decades that grants full root access

Problem
Problem
Problem

A major security vulnerability has been found in OpenSSH, potentially leading to remote code execution as the root user on glibc-based Linux systems. It is being referred to as regreSSHion (CVE-2024-6387). This flaw affects versions 8.5p1 to 9.7p1 due to a signal handler race condition in sshd, and it has been identified in 14 million instances.

A major security vulnerability has been found in OpenSSH, potentially leading to remote code execution as the root user on glibc-based Linux systems. It is being referred to as regreSSHion (CVE-2024-6387). This flaw affects versions 8.5p1 to 9.7p1 due to a signal handler race condition in sshd, and it has been identified in 14 million instances.

Description
Description
Description

The Qualys Threat Research Unit (TRU) found a serious security flaw in OpenSSH's server on glibc-based Linux systems. This unauthenticated Remote Code Execution (RCE) vulnerability can give attackers full root access and affects the default configuration without needing user interaction. It's a regression of a previously fixed issue (CVE-2006-5051) and was reintroduced in OpenSSH 8.5p1 in October 2020.

The Qualys Threat Research Unit (TRU) found a serious security flaw in OpenSSH's server on glibc-based Linux systems. This unauthenticated Remote Code Execution (RCE) vulnerability can give attackers full root access and affects the default configuration without needing user interaction. It's a regression of a previously fixed issue (CVE-2006-5051) and was reintroduced in OpenSSH 8.5p1 in October 2020.

Affected OpenSSH Versions
  • Versions Earlier than 4.4p1: OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they have been patched for CVE-2006-5051 and CVE-2008-4109.

  • Versions 4.4p1 to 8.4p1: Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.

  • Versions 8.5p1 to 9.7p1: The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.

Detection

This script enables rapid scanning of multiple IP addresses, domain names, and CIDR network ranges to detect potential vulnerabilities and ensure the security of your infrastructure.


Save this below code file as CVE-2024-6387_Check.py

Usage
Usage
Usage
Running script for individual IP address
Running script for individual IP address
Running script for individual IP address
Examples
Examples
Examples
Single IP
Single IP
Single IP
Running script for multiple IPs
Running script for multiple IPs
Running script for multiple IPs
Running script for multiple IPs and domains
Running script for multiple IPs and domains
Running script for multiple IPs and domains
Running script for CIDR range
Running script for CIDR range
Running script for CIDR range
Running script with custom port
Running script with custom port
Running script with custom port
What all it will check
What all it will check
What all it will check
  • Rapid Scanning: Quickly scan multiple IP addresses, domain names, and CIDR ranges for the CVE-2024-6387 vulnerability.

  • Banner Retrieval: Efficiently retrieves SSH banners without authentication.

  • Multi-threading: Uses threading for concurrent checks, significantly reducing scan times.

  • Detailed Output: Provides clear, emoji-coded output summarizing scan results.

  • Port Check: Identifies closed ports and provides a summary of non-responsive hosts.

  • Rapid Scanning: Quickly scan multiple IP addresses, domain names, and CIDR ranges for the CVE-2024-6387 vulnerability.

  • Banner Retrieval: Efficiently retrieves SSH banners without authentication.

  • Multi-threading: Uses threading for concurrent checks, significantly reducing scan times.

  • Detailed Output: Provides clear, emoji-coded output summarizing scan results.

  • Port Check: Identifies closed ports and provides a summary of non-responsive hosts.

Scan Results
Scan Results
Scan Results

The script will provide a summary of the scanned targets:

🚨 Vulnerable: Servers running a vulnerable version of OpenSSH.

🛡️ Not Vulnerable: Servers running a non-vulnerable version of OpenSSH.

🔒 Closed Ports: Count of servers with port 22 (or specified port) closed.

📊 Total Scanned: Total number of targets scanned.

The script will provide a summary of the scanned targets:

🚨 Vulnerable: Servers running a vulnerable version of OpenSSH.

🛡️ Not Vulnerable: Servers running a non-vulnerable version of OpenSSH.

🔒 Closed Ports: Count of servers with port 22 (or specified port) closed.

📊 Total Scanned: Total number of targets scanned.

Sample Output

Sample Output

Credit
Credit
Credit

Credits to Alexander Hagenah, Cybersecurity Leader, for rapidly developing the detection script for the CVE-2024-6387 vulnerability. With over two decades of experience in cybersecurity, he has evolved from an ethical hacker to an international cybersecurity strategist.

Credits to Alexander Hagenah, Cybersecurity Leader, for rapidly developing the detection script for the CVE-2024-6387 vulnerability. With over two decades of experience in cybersecurity, he has evolved from an ethical hacker to an international cybersecurity strategist.

https://primepage.de/

https://primepage.de/

Made with Love at San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Copyright © 2024 CodeAnt AI.

All rights reserved.