{
  "threat_severity" : "Important",
  "public_date" : "2024-07-01T08:00:00Z",
  "bugzilla" : {
    "description" : "openssh: regreSSHion - race condition in SSH allows RCE/DoS",
    "id" : "2294604",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2294604"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-364",
  "details" : [ "A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.", "A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period." ],
  "statement" : "Red Hat rates the severity of this flaw as Important for both Red Hat Enterprise Linux (RHEL) and OpenShift Container Platform (OCP). The most significant risk is Remote Code Execution, however this outcome requires significant resources to exploit. If mitigations are put in place, the consequences of exploitation are reduced. An attacker would then only be able to impact availability of the OpenSSH service.\nThe main factor preventing a higher impact rating is an unpredictable race condition. All actively supported versions of RHEL (and by extension OCP) have ExecShield (aka ASLR) enabled by default and utilize NX technology, reducing reliability of the attack. Attackers are forced to retry the attack thousands of times. This generates significant noise providing defenders with an opportunity to detect and disrupt potential attacks.\nRHEL 9 is the only affected version. RHEL 6, 7, and 8 all utilize an older version of OpenSSH which was never affected by this vulnerability.\nThe affected versions of OCP are 4.13, 4.14, 4.15, and 4.16 as they include the affected version of OpenSSH in the underlying operating system Red Hat CoreOS (RHCOS). 4.12 and earlier versions of OCP are not affected.",
  "acknowledgement" : "Red Hat would like to thank Qualys Threat Research Unit (TRU) (Qualys) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-07-03T00:00:00Z",
    "advisory" : "RHSA-2024:4312",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "openssh-0:8.7p1-38.el9_4.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-07-03T00:00:00Z",
    "advisory" : "RHSA-2024:4312",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "openssh-0:8.7p1-38.el9_4.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2024-07-08T00:00:00Z",
    "advisory" : "RHSA-2024:4389",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "openssh-0:8.7p1-12.el9_0.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-07-05T00:00:00Z",
    "advisory" : "RHSA-2024:4340",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "openssh-0:8.7p1-30.el9_2.4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.13",
    "release_date" : "2024-07-17T00:00:00Z",
    "advisory" : "RHSA-2024:4484",
    "cpe" : "cpe:/a:redhat:openshift:4.13::el9",
    "package" : "rhcos-413.92.202407091321-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2024-07-17T00:00:00Z",
    "advisory" : "RHSA-2024:4479",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el9",
    "package" : "rhcos-414.92.202407091253-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.15",
    "release_date" : "2024-07-18T00:00:00Z",
    "advisory" : "RHSA-2024:4474",
    "cpe" : "cpe:/a:redhat:openshift:4.15::el9",
    "package" : "rhcos-415.92.202407091355-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2024-07-16T00:00:00Z",
    "advisory" : "RHSA-2024:4469",
    "cpe" : "cpe:/a:redhat:openshift:4.16::el9",
    "package" : "rhcos-416.94.202407081958-0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ceph Storage 5",
    "fix_state" : "Not affected",
    "package_name" : "openssh",
    "cpe" : "cpe:/a:redhat:ceph_storage:5"
  }, {
    "product_name" : "Red Hat Ceph Storage 6",
    "fix_state" : "Not affected",
    "package_name" : "openssh",
    "cpe" : "cpe:/a:redhat:ceph_storage:6"
  }, {
    "product_name" : "Red Hat Ceph Storage 7",
    "fix_state" : "Not affected",
    "package_name" : "openssh",
    "cpe" : "cpe:/a:redhat:ceph_storage:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "openssh",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "openssh",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "openssh",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "openssh",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-6387\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-6387\nhttps://santandersecurityresearch.github.io/blog/sshing_the_masses.html\nhttps://www.openssh.com/txt/release-9.8\nhttps://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt" ],
  "csaw" : true,
  "name" : "CVE-2024-6387",
  "mitigation" : {
    "value" : "The below process can protect against a Remote Code Execution attack by disabling the LoginGraceTime parameter on Red Hat Enterprise Linux 9. However, the sshd server is still vulnerable to a Denial of Service if an attacker exhausts all the connections.\n1) As root user, open the /etc/ssh/sshd_config\n2) Add or edit the parameter configuration:\n~~~\nLoginGraceTime 0\n~~~\n3) Save and close the file\n4) Restart the sshd daemon:\n~~~\nsystemctl restart sshd.service\n~~~\nSetting LoginGraceTime to 0 disables the SSHD server's ability to drop connections if authentication is not completed within the specified timeout. If this mitigation is implemented, it is highly recommended to use a tool like 'fail2ban' alongside a firewall to monitor log files and manage connections appropriately.\nIf any of the mitigations mentioned above is used, please note that the removal of LoginGraceTime parameter from sshd_config is not automatic when the updated package is installed.",
    "lang" : "en:us"
  }
}
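The following shell script is an added example, not Red Hat's advisory tooling or OpenSSH's own code. It covers two points from the record above: the statement's observation that a regreSSHion attempt generates thousands of timed-out connections that defenders can spot, and the mitigation's LoginGraceTime procedure, which must be applied idempotently and verified against the effective configuration because RHEL 9 pulls in /etc/ssh/sshd_config.d/*.conf drop-ins and sshd keeps the first value it reads. It assumes POSIX sh with awk, sed and mktemp; the log lines, config contents, file paths and the alert threshold are constructed for the demonstration. The log message matched, "Timeout before authentication for <addr> port <n>", is what sshd writes when LoginGraceTime expires.

```shell
#!/bin/sh
# Added example (not Red Hat's or OpenSSH's code). Assumes POSIX sh, awk, mktemp; sshd is
# only needed for the optional live check. All sample data below is constructed.

# Rewrite the first active LoginGraceTime directive in an sshd_config-style file to VALUE.
# sshd honours the first value it reads, so later duplicates are dropped. When no directive
# exists, it is inserted before the first Match block (LoginGraceTime is not allowed inside
# Match) or appended if there is no Match block. Keyword matching is case-insensitive, as in sshd.
set_login_grace_time() {
    cfg=$1 value=$2
    tmp=$(mktemp) || return 1
    awk -v v="$value" '
        function key(s) { sub(/^[ \t]+/, "", s); return tolower(s) }
        !done && key($0) ~ /^match([ \t]|$)/   { print "LoginGraceTime " v; done = 1 }
        key($0) ~ /^logingracetime([ \t=]|$)/  { if (!done) { print "LoginGraceTime " v; done = 1 }; next }
        { print }
        END { if (!done) print "LoginGraceTime " v }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps the target file's owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print the LoginGraceTime value sshd will actually use. With no argument this runs
# "sshd -T" (needs root; resolves Include drop-ins such as /etc/ssh/sshd_config.d/*.conf).
# With a file argument it parses a saved "sshd -T" dump, so it can be checked offline.
effective_login_grace_time() {
    if [ $# -eq 0 ]; then sshd -T; else cat "$1"; fi |
        awk 'tolower($1) == "logingracetime" { print $2; exit }'
}

# Count "Timeout before authentication for <addr> port <n>" lines per source address and
# print "<count> <addr>" for sources at or above THRESHOLD (default 100), highest first.
# Each regreSSHion attempt that fails leaves one such line, so a burst from one source
# is the noise the advisory statement refers to.
auth_timeout_offenders() {
    log=$1 threshold=${2:-100}
    awk -v t="$threshold" '
        /Timeout before authentication for / {
            for (i = 1; i <= NF; i++) if ($i == "for") { n[$(i + 1)]++; break }
        }
        END { for (a in n) if (n[a] >= t) print n[a], a }
    ' "$log" | sort -rn
}

# Constructed sample of /var/log/secure (journal) lines: one noisy source, one stray timeout,
# one successful login that must not be counted.
SAMPLE_LOG='Jul  1 10:00:01 host sshd[4101]: fatal: Timeout before authentication for 192.0.2.10 port 44100
Jul  1 10:02:02 host sshd[4102]: fatal: Timeout before authentication for 192.0.2.10 port 44101
Jul  1 10:04:03 host sshd[4103]: fatal: Timeout before authentication for 192.0.2.10 port 44102
Jul  1 10:06:04 host sshd[4104]: fatal: Timeout before authentication for 192.0.2.10 port 44103
Jul  1 10:06:30 host sshd[4105]: fatal: Timeout before authentication for 2001:db8::7 port 50222
Jul  1 10:07:00 host sshd[4106]: Accepted publickey for admin from 198.51.100.5 port 51000 ssh2'

# Demonstration on a temporary, constructed sshd_config and the sample log above.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' '#LoginGraceTime 2m' \
        'LoginGraceTime 120' 'PermitRootLogin no' 'Match User backup' \
        '    PasswordAuthentication no' > "$dir/sshd_config"
    set_login_grace_time "$dir/sshd_config" 0
    echo "== mitigated config =="; cat "$dir/sshd_config"
    printf '%s\n' "$SAMPLE_LOG" > "$dir/secure"
    echo "== sources with >= 3 authentication timeouts =="
    auth_timeout_offenders "$dir/secure" 3
    if command -v sshd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        echo "== effective LoginGraceTime on this host =="; effective_login_grace_time
    fi
    rm -rf "$dir"
}
demo
```

On a real host, run `set_login_grace_time /etc/ssh/sshd_config 0`, validate with `sshd -t`, restart sshd.service, and then check that `effective_login_grace_time` prints 0; if it prints 120 or 2m, a drop-in under /etc/ssh/sshd_config.d/ is setting the value first and must be edited instead. The offender report is meant to be fed to the firewall or fail2ban policy the mitigation text recommends, since with LoginGraceTime 0 the same sources will otherwise hold connection slots until MaxStartups drops new clients.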