Vulnerability in OpenSSH could allow remote code execution


MS-ISAC NOTICE NUMBER:

2024-076

PUBLICATION DATES:

01/07/2024

OVERVIEW:

A vulnerability has been discovered in OpenSSH that could allow remote code execution. OpenSSH is a suite of secure network utilities based on the SSH protocol and is essential for secure communication over unsecured networks. It is widely used in enterprise environments for remote server management, secure file transfers, and various DevOps practices. Successful exploitation of this vulnerability could allow remote code execution in the context of the administrator account. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.

THREAT INFORMATION:

There are no reports of this vulnerability being exploited in the wild.

AFFECTED SYSTEMS:

  • OpenSSH versions earlier than 4.4p1 (unless patched for CVE-2006-5051 and CVE-2008-4109)
  • OpenSSH versions 8.5p1 up to, but not including, 9.8p1
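The two version ranges above are the test a defender applies during inventory triage. The following script is an added example, not part of the MS-ISAC advisory: it parses the version string from `ssh -V` output or from the `SSH-2.0-OpenSSH_...` banner a server presents, maps it onto the advisory's ranges, and groups a small inventory by result. The hostnames and banners in `SAMPLE_INVENTORY` are constructed for the example. One caveat the script encodes: distributions routinely backport fixes without changing the upstream version string, so a version inside the affected range means "confirm against the vendor's package changelog", not "confirmed vulnerable".

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]  # (major, minor, portable patch level "pN")

# Boundaries taken from the advisory's AFFECTED SYSTEMS section.
LEGACY_FIXED_IN: Version = (4, 4, 1)   # earlier than 4.4p1: affected unless patched for CVE-2006-5051 / CVE-2008-4109
REGRESSED_FROM: Version = (8, 5, 1)    # 8.5p1 is the first version in the second affected range
FIXED_IN: Version = (9, 8, 1)          # 9.8p1 is excluded from the range

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(text: str) -> Version:
    """Extract (major, minor, patch) from an 'ssh -V' line or an SSH-2.0-... server banner."""
    m = BANNER_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSH version found in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(version: Version) -> str:
    """Map an upstream version onto the advisory's affected ranges.

    Returns one of:
      'affected'                 8.5p1 <= version < 9.8p1
      'affected-unless-patched'  version < 4.4p1 (see CVE-2006-5051 / CVE-2008-4109)
      'not-affected'             any other version, judged by version number alone

    The version string alone cannot show whether a distribution backported the
    fix without bumping the version, so 'affected' means "verify against the
    vendor's package changelog", not "confirmed vulnerable".
    """
    if version < LEGACY_FIXED_IN:
        return "affected-unless-patched"
    if REGRESSED_FROM <= version < FIXED_IN:
        return "affected"
    return "not-affected"


def classify_banner(text: str) -> str:
    return classify(parse_openssh_version(text))


def triage_inventory(banners: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by classification; banners that are not OpenSSH land under 'unknown'."""
    groups: Dict[str, List[str]] = {
        "affected": [],
        "affected-unless-patched": [],
        "not-affected": [],
        "unknown": [],
    }
    for host, banner in banners.items():
        try:
            groups[classify_banner(banner)].append(host)
        except ValueError:
            groups["unknown"].append(host)
    return groups


# Constructed sample inventory: hostnames and banners are made up for this example.
SAMPLE_INVENTORY = {
    "bastion-01": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4",
    "build-07": "SSH-2.0-OpenSSH_9.8p1",
    "legacy-db": "SSH-2.0-OpenSSH_4.3p2",
    "jump-02": "SSH-2.0-OpenSSH_8.4p1",
    "appliance-3": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for group, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{group:24s} {', '.join(hosts) or '-'}")
```

Hosts under `affected` go to the patch queue once the vendor changelog confirms no backport; hosts under `unknown` are not OpenSSH and are out of scope for this advisory, which is worth recording explicitly rather than silently dropping them.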

RISK:

Government:

  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM

Businesses:

  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM

TECHNICAL SUMMARY:

A vulnerability has been discovered in OpenSSH that could allow remote code execution. Details of the vulnerability include:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

  • A race condition vulnerability in sshd(8) could allow unauthenticated remote code execution on the OpenSSH server (sshd), granting full root access. It affects the default configuration and does not require user interaction. It poses a significant risk of exploitation. (CVE-2024-6387)

RECOMMENDATIONS:

We recommend taking the following measures:

  • Apply appropriate updates provided by OpenSSH to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.
  • Restrict access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. (M1035: Limit Access to Resource Over Network)
  • Use intrusion detection signatures to block traffic at network boundaries. (M1031: Network Intrusion Prevention)
    • Safeguard 13.3: Deploy a Network Intrusion Detection Solution: Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
    • Safeguard 13.8: Deploy a Network Intrusion Prevention Solution: Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 13.10: Perform Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
