OpenSSH vulnerability CVE-2024-6387

How to fix the OpenSSH vulnerability CVE-2024-6387?


Synopsis: CVE-2024-6387, known as regreSSHion, is a signal handler race condition in the OpenSSH server (sshd). When a client fails to authenticate within LoginGraceTime, sshd's SIGALRM handler calls functions that are not async-signal-safe (syslog(), which allocates from the heap), and an attacker who times the interruption precisely can corrupt the heap of the privileged, pre-authentication process. The result is unauthenticated remote code execution as root on glibc-based Linux systems, which makes this a significant threat to any host that exposes sshd. The bug is a regression: it was originally fixed as CVE-2006-5051 in OpenSSH 4.4p1 and was accidentally reintroduced in 8.5p1.


RegreSSHion vulnerability affected OpenSSH versions:

  • Versions before 4.4p1, unless they were already patched for CVE-2006-5051 and CVE-2008-4109
  • Versions 8.5p1 up to and including 9.7p1; the fix shipped in 9.8p1

Versions 4.4p1 through 8.4p1 are not vulnerable: the CVE-2006-5051 fix kept the signal handler safe until a refactoring in 8.5p1 removed the guard. Distributions that patched the bug in place (for example the Ubuntu, Debian and RHEL-family security updates) keep their original base version number, so a host can report 8.7p1 or 9.6p1 and still be fixed; always check the package release, not only the upstream version. OpenBSD's native sshd is not affected because its handler uses the async-signal-safe syslog_r().

How to fix regreSSHion vulnerability?

Method 1: Upgrade OpenSSH to 9.8p1 or later, or install your distribution's updated package that backports the fix.

Check the currently installed OpenSSH version:

[root@server ~]# ssh -V

ssh -V reports the version of the client binary, which on Linux distributions is built from the same source package as sshd, so it is a reasonable proxy for the server. A backported fix does not change that string: a patched RHEL 9 host still prints OpenSSH_8.7p1. If the version falls in an affected range, confirm the fix through the package version or changelog listed in your distribution's advisory for CVE-2024-6387 rather than from ssh -V alone.

Method 2: If you cannot upgrade yet, set LoginGraceTime to 0 in the sshd configuration file. This disables the login grace timer, so the SIGALRM handler that contains the race is never invoked and the bug becomes unreachable. The trade-off is that unauthenticated connections are no longer timed out, so an attacker can hold open all MaxStartups slots and deny service to legitimate logins. Treat this as a stop-gap until the patched package is installed, then remove it.

2.a: Log in to the server as root and edit the sshd configuration file.

[root@server ~]# vim /etc/ssh/sshd_config

LoginGraceTime 0

sshd uses the first occurrence of a keyword, so if LoginGraceTime is already set earlier in the file, or in a drop-in under /etc/ssh/sshd_config.d/ pulled in by an Include line near the top of the file (as recent Debian and Ubuntu releases do), change that line instead of appending a new one at the end.

2.b: Syntax-check the sshd configuration file before restarting the service.

[root@server ~]# sshd -t

2.c: Restart the sshd service to apply the change. On Debian and Ubuntu the unit is named ssh, with sshd as an alias.

[root@server ~]# systemctl restart sshd
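The following script ties the two checks above together. It is an added example and not code from the original article: the function names are hypothetical, the two sshd_config files are constructed samples, and the version ranges are the upstream ones, so a distribution backport will still show up as "affected" and must be resolved through the package changelog. It classifies an ssh -V string against the vulnerable ranges, reads the LoginGraceTime value the way sshd does (first occurrence wins), and reports whether the host still needs action.

```shell
#!/bin/sh
# Added example (not from the original article). Hypothetical helper names;
# version ranges are the upstream ones from the Qualys advisory. A distro
# backport keeps the old base version, so "affected" here means "go and check
# the package changelog", not "definitely vulnerable".

# regresshion_affected "<ssh -V output>"
#   exit 0: upstream version in a vulnerable range (< 4.4p1, or 8.5p1 .. 9.7p1)
#   exit 1: outside both ranges (4.4p1 .. 8.4p1, or >= 9.8p1)
#   exit 2: no "OpenSSH_X.YpZ" token (OpenBSD's native sshd prints no pZ suffix)
regresshion_affected() {
    parts=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH[_ ]\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$parts" ] || return 2
    set -- $parts                        # $1=major $2=minor $3=portable patch level
    n=$(( $1 * 10000 + $2 * 100 + $3 ))  # 9.6p1 -> 90601, so versions compare as ints
    if [ "$n" -lt 40401 ]; then
        return 0                         # original CVE-2006-5051 bug
    elif [ "$n" -ge 80501 ] && [ "$n" -lt 90801 ]; then
        return 0                         # the regression: 8.5p1 .. 9.7p1
    fi
    return 1
}

# login_grace_time <sshd_config>
#   Prints the LoginGraceTime value sshd would use (default 120). sshd keeps the
#   FIRST occurrence of a keyword, so a "LoginGraceTime 0" appended at the end
#   of the file loses to an earlier line or to an Include'd drop-in parsed first.
login_grace_time() {
    v=$(grep -i '^[[:space:]]*LoginGraceTime[[:space:]]' "$1" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${v:-120}"
}

# sshd_exposed "<ssh -V output>" <sshd_config>
#   exit 0: affected upstream version AND grace timer still active (value != 0)
#   exit 1: version outside the ranges, or the LoginGraceTime 0 mitigation is in place
#   exit 2: version string could not be parsed; do not read that as "safe"
sshd_exposed() {
    rc=0
    regresshion_affected "$1" || rc=$?
    [ "$rc" -eq 0 ] || return "$rc"
    [ "$(login_grace_time "$2")" != 0 ]
}

# exposure_state: same check, reported as a word (EXPOSED / ok / UNKNOWN);
# never fails, so it is safe to call under "set -e".
exposure_state() {
    rc=0
    sshd_exposed "$1" "$2" || rc=$?
    case $rc in 0) echo EXPOSED ;; 1) echo ok ;; *) echo UNKNOWN ;; esac
}

# Constructed sample configs standing in for /etc/ssh/sshd_config.
HARDENED_CONFIG=$(mktemp)   # mitigation applied on the only LoginGraceTime line
TRAP_CONFIG=$(mktemp)       # "LoginGraceTime 0" appended after an existing line
trap 'rm -f "$HARDENED_CONFIG" "$TRAP_CONFIG"' EXIT

cat > "$HARDENED_CONFIG" <<'EOF'
Port 22
LoginGraceTime 0
PermitRootLogin prohibit-password
EOF

cat > "$TRAP_CONFIG" <<'EOF'
Port 22
LoginGraceTime 2m
PermitRootLogin prohibit-password
LoginGraceTime 0
EOF

# Run the check over ssh -V strings taken from the version table in this article.
for v in 'OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024' \
         'OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022' \
         'OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017'; do
    for cfg in "$HARDENED_CONFIG" "$TRAP_CONFIG"; do
        printf '%-8s LoginGraceTime=%-4s %s\n' \
            "$(exposure_state "$v" "$cfg")" "$(login_grace_time "$cfg")" "$v"
    done
done
```

On a live host call exposure_state "$(ssh -V 2>&1)" /etc/ssh/sshd_config (ssh -V writes to stderr). The authoritative read of the effective value, after Include and Match processing, is sshd -T | grep -i logingracetime, which prints keywords lowercased. For a host the script flags as EXPOSED on an 8.x or 9.x base version, check whether the packager already backported the fix: rpm -q --changelog openssh-server | grep -i CVE-2024-6387 on the RHEL family, apt changelog openssh-server | grep -i CVE-2024-6387 on Debian and Ubuntu.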


Default OpenSSH version in different OS's:

Find the OpenSSH version by running ssh -V on each OS. The last column states whether that base version falls inside the upstream vulnerable range (8.5p1 to 9.7p1). "yes" does not mean the host is vulnerable today: it means you must confirm that the installed package carries the distribution's backported fix, because ssh -V keeps reporting the original base version after that fix is applied.

OS                                              ssh -V output                                                   Upstream range affected?
Ubuntu 24.04                                    OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024      yes
Ubuntu 22.04                                    OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022       yes
Ubuntu 20.04                                    OpenSSH_8.2p1                                                   no
Ubuntu 18.04                                    OpenSSH_7.6p1                                                   no
RockyLinux 9 / RHEL 9 / AlmaLinux 9             OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022                         yes
RockyLinux 8 / RHEL 8 / AlmaLinux 8 / CentOS 8  OpenSSH_7.8p1, OpenSSL 1.1.1k FIPS 25 Mar 2021                  no
Debian 11                                       OpenSSH_8.4p1                                                   no
Debian 10                                       OpenSSH_7.9p1                                                   no
CentOS 7                                        OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017                  no