First posted on Tuesday, 2 July 2024 at 9:15 am
Last updated on Wednesday, 3 July 2024 at 10:45 am
This advisory is provided as a courtesy.
We want to bring to your attention a newly disclosed vulnerability affecting major Linux distributions, including certain Ubuntu releases. The vulnerability is in OpenSSH, the widely used tool for remote shell access to Linux servers and for secure file transfer.
Specifically, the vulnerability is a signal handler race condition in the OpenSSH server (sshd) that can allow unauthenticated remote code execution as root on glibc-based Linux systems. OpenSSH versions 8.5p1 up to and including 9.7p1 are affected, and the latest upstream release, 9.8p1, fixes the vulnerability. (Versions older than 4.4p1 are also vulnerable unless they were patched for CVE-2006-5051, but no supported Ubuntu or AlmaLinux release ships anything that old.)
Some distributions, Ubuntu among them, backport the fix into the OpenSSH version they already ship rather than upgrading to 9.8p1, so on those systems the patched package does not carry the 9.8p1 version number.
Below are the patched OpenSSH package versions for each Ubuntu release, per https://ubuntu.com/security/CVE-2024-6387:
Ubuntu 14.04 (Trusty) - not vulnerable (ships OpenSSH 6.6p1)
Ubuntu 16.04 (Xenial) - not vulnerable (ships OpenSSH 7.2p2)
Ubuntu 18.04 (Bionic) - not vulnerable (ships OpenSSH 7.6p1)
Ubuntu 20.04 (Focal) - not vulnerable (ships OpenSSH 8.2p1)
Ubuntu 22.04 (Jammy) - patched in package version 1:8.9p1-3ubuntu0.10
Ubuntu 23.10 (Mantic) - patched in package version 1:9.3p1-1ubuntu3.6
Ubuntu 24.04 (Noble) - patched in package version 1:9.6p1-3ubuntu13.3
This vulnerability has been assigned CVE ID: CVE-2024-6387.
Affected Software
Most major Linux distributions, including certain Ubuntu releases and AlmaLinux, are affected. Windows servers might also be affected if the OpenSSH for Windows application is installed. OpenBSD is not affected.
How to Fix the Problem
For Ubuntu, refer to the list above or the website below to confirm whether your Ubuntu release is affected and, if it is, which OpenSSH package version fixes the problem.
https://ubuntu.com/security/CVE-2024-6387
To check the version of the OpenSSH packages installed on your Ubuntu release, use the commands below. Do not rely on `ssh -V` for this: it reports only the upstream version (for example 8.9p1), not the Ubuntu package revision that carries the backported fix.
apt-cache policy openssh-server
apt-cache policy openssh-client
Note that only OpenSSH versions 8.5p1 up to 9.7p1 are affected; versions from 4.4p1 up to 8.4p1 are not. Because Ubuntu backports the fix, a package version such as 1:8.9p1-3ubuntu0.10 is fixed even though its upstream version (8.9p1) falls inside the affected range, so compare the full package version shown under "Installed:" against the table above rather than the upstream number alone.
If your Ubuntu release is affected and the installed package version is lower than the fixed version, run the commands below to install the patches and mitigate the vulnerability.
On Ubuntu systems:
apt update
apt upgrade (to install all patches); or
apt install openssh-server openssh-client (to install only the fixed version of OpenSSH)
On AlmaLinux systems (check the installed version first with rpm -q openssh-server; AlmaLinux 9 ships OpenSSH 8.7p1 and is affected, while AlmaLinux 8 ships 8.0p1 and is not):
yum update
Note: Patches might not be available for older distributions and operating systems that have reached EOL (end of life) and are no longer supported. CentOS Linux 7, for example, reached end of life on 30 June 2024, although its OpenSSH 7.4p1 is outside the affected range. For such systems you need to upgrade to a supported operating system. Alternatively, you may try compiling and installing the latest version of OpenSSH manually, but note that this is not supported and may break your system.
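Added example, not part of the original advisory: a small Python checker that reads the output of `apt-cache policy openssh-server`, compares the installed package version against the fixed versions in the table above using a re-implementation of dpkg's version ordering, and falls back to the upstream 8.5p1 to 9.7p1 range for releases that are not in the table. The apt-cache output embedded below is a constructed sample, not output from a real host; the release codename is what `lsb_release -cs` prints.

```python
"""Check an Ubuntu openssh-server package version against the CVE-2024-6387 fixes.

Added example; not from the advisory. Fixed versions come from the table in
the advisory; the version comparison re-implements dpkg's algorithm in Python.
"""
import re

# Fixed openssh-server package versions per Ubuntu release (advisory table).
# Releases not listed here (trusty..focal) ship OpenSSH older than 8.5p1.
FIXED_VERSIONS = {
    "jammy": "1:8.9p1-3ubuntu0.10",
    "mantic": "1:9.3p1-1ubuntu3.6",
    "noble": "1:9.6p1-3ubuntu13.3",
}

# Upstream range affected by CVE-2024-6387: 8.5p1 <= version < 9.8p1.
AFFECTED_FROM, FIXED_UPSTREAM = "8.5p1", "9.8p1"

# Constructed sample of `apt-cache policy openssh-server` on a Jammy host
# that has not yet installed the fixed package.
SAMPLE_APT_CACHE = """openssh-server:
  Installed: 1:8.9p1-3ubuntu0.7
  Candidate: 1:8.9p1-3ubuntu0.10
  Version table:
     1:8.9p1-3ubuntu0.10 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
 *** 1:8.9p1-3ubuntu0.7 100
        100 /var/lib/dpkg/status
"""


def _order(c):
    """Sort weight of one character, as in dpkg's order(): digits 0,
    letters by code point, '~' before everything else, other symbols last."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg-style comparison of an upstream or revision string: alternate
    non-digit runs (lexical via _order) and digit runs (numeric, leading
    zeros ignored). Returns a negative, zero or positive number."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split a Debian version into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, _, revision = rest.rpartition("-")
    if not upstream:  # no '-' at all: the whole string is the upstream part
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Compare two Debian package versions; negative means a < b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def installed_version(apt_cache_output):
    """Extract the 'Installed:' value; None if the package is not installed."""
    m = re.search(r"^\s*Installed:\s*(\S+)", apt_cache_output, re.MULTILINE)
    if not m or m.group(1) == "(none)":
        return None
    return m.group(1)


def upstream_affected(version):
    """True if the upstream OpenSSH release is within [8.5p1, 9.8p1)."""
    _, upstream, _ = _split(version)
    return (_verrevcmp(upstream, AFFECTED_FROM) >= 0
            and _verrevcmp(upstream, FIXED_UPSTREAM) < 0)


def assess(codename, apt_cache_output):
    """Return 'not installed', 'not affected', 'patched' or 'vulnerable'."""
    installed = installed_version(apt_cache_output)
    if installed is None:
        return "not installed"
    fixed = FIXED_VERSIONS.get(codename)
    if fixed is None:
        # Release not in the table: only the upstream range can be checked.
        return "vulnerable" if upstream_affected(installed) else "not affected"
    return "patched" if compare_versions(installed, fixed) >= 0 else "vulnerable"


if __name__ == "__main__":
    print(assess("jammy", SAMPLE_APT_CACHE))  # -> vulnerable
```

On a real host, feed the script the actual `apt-cache policy openssh-server` output and the codename from `lsb_release -cs`; `dpkg --compare-versions` performs the same ordering natively if you prefer a shell one-liner. The upstream-range fallback only knows the upstream version, so on other distributions that backport the fix (AlmaLinux, for instance) it over-reports and that distribution's own advisory is authoritative.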
Workaround
If you are not able to update your OpenSSH, limit SSH access to trusted IP addresses (with a firewall or the hosting control panel), which removes the exposure from untrusted networks. Moving SSH from port 22 to a higher, non-standard port reduces the volume of scanning but does not fix the bug, so treat it as an extra measure rather than a substitute. The upstream (Qualys) advisory also describes setting LoginGraceTime 0 in /etc/ssh/sshd_config and restarting sshd: this disables the timeout whose signal handler is exploited and blocks the remote code execution, at the cost of letting an attacker exhaust the MaxStartups connection limit and deny service to legitimate logins. Remove that setting once the patched package is installed.
More Information
regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server
700,000 OpenSSH servers vulnerable to remote code execution CVE
From the Ubuntu Security Team - CVE-2024-6387
Request Assistance
If you are running vulnerable Linux distributions and need our assistance to patch it up or to perform the workaround, we can do it for you at a one-time discounted fee of $30. Please submit your order at Order -> Additional Services -> Vulnerability Fix - Linux: OpenSSH regreSSHion Vulnerability - $30.
Note: This service is only applicable to supported operating systems for which the OpenSSH patch has already been released. Please check with us first by opening a ticket before ordering this service.
Alternatively, please first open a support ticket and give us the hostname, IP address and OS template. You can find this information on your servelet's control panel.
For example:
Hostname: yourservelethostname
IP Address: 103.25.202.81
OS Template: Ubuntu 22.04 LTS (64-bit)
Thank you.