CVE-2006-5051
Published: 2006-09-27
Priority: P348 · Severity: high · CVSS 3.1 base score: 8.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 44.96% (98.6th percentile)
Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
Affected
122 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| almalinux | almalinux | — | — |
| amazon | amazon_linux | — | — |
| apple | mac_os_x | < 10.3.9 | 10.3.9 |
| apple | mac_os_x | 10.4 – 10.4.8 | — |
| apple | mac_os_x_server | < 10.3.9 | 10.3.9 |
| apple | mac_os_x_server | 10.4 – 10.4.8 | — |
| apple | macos | >= 12.0 < 12.7.6 | 12.7.6 |
| apple | macos | >= 13.0 < 13.6.8 | 13.6.8 |
| apple | macos | >= 14.0 < 14.6 | 14.6 |
| arista | eos | 4.32.0 – 4.32.1f | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | openssh | < 1:4.6p1-1 (bookworm) | 1:4.6p1-1 (bookworm) |
| debian | openssh | < 1:9.2p1-2+deb12u3 (bookworm) | 1:9.2p1-2+deb12u3 (bookworm) |
| freebsd | freebsd | — | — |
| freebsd | freebsd | >= 13.3-RELEASE < p5 | 13.3-RELEASE-p5 |
| freebsd | freebsd | >= 14.0-RELEASE < p9 | 14.0-RELEASE-p9 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 8.1 | HIGH | — |
| vulncheck | — | 8.1 | HIGH | — |
| vendor_debian | — | 8.1 | LOW | — |
| vendor_redhat | — | 8.1 | HIGH | — |
| vendor_ubuntu | — | 7.8 | HIGH | — |
| vendor_cisco | — | 3.1 | — | — |
CISA ICS
Siemens SIMATIC S7-1500 CPU Family
cisa_ics·2025-06-12
ICS Advisory
Release DateJune 12, 2025
Alert CodeICSA-25-162-05
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SIMATIC S7-1500 CPU family
- Vulnerabilities: Missing Encryption of Sensitive Data, Out-of-bounds Read, Use After Free, Stack-
CISA ICS
Siemens Industrial Products
cisa_ics·2024-09-12·CVSS 8.1
[HIGH] Siemens Industrial Products
ICS Advisory
Release DateSeptember 12, 2024
Alert CodeICSA-24-256-15
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.1
- ATTENTION: Exploitable remotely
- Vendor: Siemens
- Equipment: Industrial Edge Management OS (IEM-OS), SINEMA Remote Connect Server, SINUMERIK ONE
- Vulnerability: Signal Handler Race Condition
## 2. RISK EVALUAT
BSD
FreeBSD-SA-24:08.openssh: OpenSSH pre-authentication async signal safety issue
bsd_advisories·2024-08-07·CVSS 8.1
CVE-2006-5051 [HIGH] FreeBSD-SA-24:08.openssh: OpenSSH pre-authentication async signal safety issue
FreeBSD-SA-24:08.openssh Security Advisory
The FreeBSD Project
Topic: OpenSSH pre-authentication async signal safety issue
Category: contrib
Module: openssh
Announced: 2024-08-07
Affects: All supported versions of FreeBSD.
Corrected: 2024-08-06 19:43:54 UTC (stable/14, 14.1-STABLE)
2024-08-07 13:44:26 UTC (releng/14.1, 14.1-RELEASE-p3)
2024-08-07 13:44:40 UTC (releng/14.0, 14.0-RELEASE-p9)
2024-08-06 19:46:19 UTC (stable/13, 13.3-STABLE)
2024-08-07 13:44:58 UTC (releng/13.3, 13.3-RELEASE-p5)
CVE Name: CVE-2024-7589
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenti
BSD
FreeBSD-SA-24:04.openssh: OpenSSH pre-authentication remote code execution
bsd_advisories·2024-07-01·CVSS 8.1
CVE-2006-5051 [HIGH] FreeBSD-SA-24:04.openssh: OpenSSH pre-authentication remote code execution
FreeBSD-SA-24:04.openssh Security Advisory
The FreeBSD Project
Topic: OpenSSH pre-authentication remote code execution
Category: contrib
Module: openssh
Announced: 2024-07-01
Credits: Qualys Threat Research Unit (TRU)
Affects: All supported versions of FreeBSD.
Corrected: 2024-07-01 08:22:13 UTC (stable/14, 14.1-STABLE)
2024-07-01 08:24:48 UTC (releng/14.1, 14.1-RELEASE-p2)
2024-07-01 08:26:05 UTC (releng/14.0, 14.0-RELEASE-p8)
2024-07-01 08:23:16 UTC (stable/13, 13.3-STABLE)
2024-07-01 08:27:10 UTC (releng/13.3, 13.3-RELEASE-p4)
2024-07-01 08:27:53 UTC (releng/13.2, 13.2-RELEASE-p12)
CVE Name: CVE-2024-6387
Note: Due to the fact this advisory is being released the day after
13.2-RELEASE is going out of support, the Security Team has decided to
include 13.2-RELEASE in the response for t
Red Hat
openssh: regreSSHion - race condition in SSH allows RCE/DoS
vendor_redhat·2024-07-01·CVSS 8.1
CVE-2024-6387 [HIGH] CWE-364 openssh: regreSSHion - race condition in SSH allows RCE/DoS
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
Statement: Red Hat rates the severity of this flaw as Important for both Red Hat Enterprise Linux (RHEL) and OpenShift Container Platform (OCP). The most significant
Debian
CVE-2024-6387: openssh - A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd)....
vendor_debian·2024·CVSS 8.1
CVE-2024-6387 [HIGH] CVE-2024-6387: openssh - A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd)....
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
Scope: local
bookworm: resolved (fixed in 1:9.2p1-2+deb12u3)
bullseye: resolved
forky: resolved (fixed in 1:9.7p1-7)
sid: resolved (fixed in 1:9.7p1-7)
trixie: resolved (fixed in 1:9.7p1-7)
Debian
CVE-2008-4109: openssh - A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 o...
vendor_debian·2008·CVSS 8.1
CVE-2008-4109 [HIGH] CVE-2008-4109: openssh - A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 o...
A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051.
Scope: local
bookworm: resolved (fixed in 1:4.6p1-1)
bullseye: resolved (fixed in 1:4.6p1-1)
forky: resolved (fixed in 1:4.6p1-1)
sid: resolved (fixed in 1:4.6p1-1)
trixie: resolved (fixed in 1:4.6p1-1)
Ubuntu
openssh vulnerabilities
vendor_ubuntu·2006-10-02·CVSS 7.8
CVE-2006-4924 [HIGH] openssh vulnerabilities
Title: openssh vulnerabilities
Summary: openssh vulnerabilities
Tavis Ormandy discovered that the SSH daemon did not properly handle
authentication packets with duplicated blocks. By sending specially
crafted packets, a remote attacker could exploit this to cause the ssh
daemon to drain all available CPU resources until the login grace time
expired. (CVE-2006-4924)
Mark Dowd discovered a race condition in the server's signal handling.
A remote attacker could exploit this to crash the server.
(CVE-2006-5051)
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
BSD
FreeBSD-SA-06:22.openssh: Multiple vulnerabilities in OpenSSH
bsd_advisories·2006-09-30·CVSS 7.8
CVE-2006-4924 [HIGH] FreeBSD-SA-06:22.openssh: Multiple vulnerabilities in OpenSSH
FreeBSD-SA-06:22.openssh Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in OpenSSH
Category: contrib
Module: openssh
Announced: 2006-09-30
Credits: Tavis Ormandy, Mark Dowd
Affects: All FreeBSD releases.
Corrected: 2006-09-30 19:50:57 UTC (RELENG_6, 6.2-PRERELEASE)
2006-09-30 19:51:56 UTC (RELENG_6_1, 6.1-RELEASE-p10)
2006-09-30 19:53:21 UTC (RELENG_6_0, 6.0-RELEASE-p15)
2006-09-30 19:54:03 UTC (RELENG_5, 5.5-STABLE)
2006-09-30 19:54:58 UTC (RELENG_5_5, 5.5-RELEASE-p8)
2006-09-30 19:55:52 UTC (RELENG_5_4, 5.4-RELEASE-p22)
2006-09-30 19:56:38 UTC (RELENG_5_3, 5.3-RELEASE-p37)
2006-09-30 19:57:15 UTC (RELENG_4, 4.11-STABLE)
2006-09-30 19:58:07 UTC (RELENG_4_11, 4.11-RELEASE-p25)
CVE Name: CVE-2006-4924, CVE-2006-5051
For general information regarding FreeBSD Securit
Red Hat
unsafe GSSAPI signal handler
vendor_redhat·2006-09-28·CVSS 8.1
CVE-2006-5051 [HIGH] unsafe GSSAPI signal handler
Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
Statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Debian
CVE-2006-5051: openssh - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to c...
vendor_debian·2006·CVSS 8.1
CVE-2006-5051 [HIGH] CVE-2006-5051: openssh - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to c...
Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
Scope: local
bookworm: resolved (fixed in 1:4.6p1-1)
bullseye: resolved (fixed in 1:4.6p1-1)
forky: resolved (fixed in 1:4.6p1-1)
sid: resolved (fixed in 1:4.6p1-1)
trixie: resolved (fixed in 1:4.6p1-1)
Red Hat
CVE-2008-4109: A certain Debian patch for OpenSSH before 4
vendor_redhat·CVSS 8.1
CVE-2008-4109 [HIGH] CVE-2008-4109: A certain Debian patch for OpenSSH before 4
A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051.
Statement: Not vulnerable. The patch used to fix CVE-2006-5051 in Red Hat Enterprise Linux 2.1, 3, 4, and 5 was complete and does not suffer from this problem.
Cisco
Remote Unauthenticated Code Execution Vulnerability in OpenSSH Server (regreSSHion): July 2024
vendor_cisco·CVSS 3.1
CVE-2006-5051 Remote Unauthenticated Code Execution Vulnerability in OpenSSH Server (regreSSHion): July 2024
On July 1, 2024, the Qualys Threat Research Unit (TRU) disclosed an unauthenticated, remote code execution vulnerability that affects the OpenSSH server (sshd) in glibc-based Linux systems. CVE-2024-6387: A signal handler race condition was found in sshd, where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then the sshd SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). For a description of this vulnerability, see the Qualys Security Advisory. This advisory is available at the following link: https://sec.cloudapps.cisco.co
OSV
CVE-2024-6387: A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd)
osv·2024-07-01·CVSS 8.1
CVE-2024-6387 [HIGH] CVE-2024-6387: A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd)
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
VulnCheck
SonicWall sma_6200_firmware Signal Handler Race Condition
vulncheck·2024·CVSS 8.1
CVE-2024-6387 [HIGH] SonicWall sma_6200_firmware Signal Handler Race Condition
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
Affected: SonicWall sma_6200_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cadosecurity.com/blog/warpscan-cloudflare-warp-abused-to-hijack-cloud-services-blog; https://content.kaspersky-labs.com/fm/site-editor/33/3318ec849851138088d24f26d236f469/source/irreport.pdf; https://app.crowdsec.net/cti/
GHSA
GHSA-mq5h-r3rg-j9hg: Signal handler race condition in OpenSSH before 4
ghsa_unreviewed·2022-05-03
CVE-2006-5051 [HIGH] CWE-362 GHSA-mq5h-r3rg-j9hg: Signal handler race condition in OpenSSH before 4
Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
GHSA
GHSA-6wrv-35h9-3pj7: A certain Debian patch for OpenSSH before 4
ghsa_unreviewed·2022-05-02·CVSS 8.1
CVE-2008-4109 [HIGH] GHSA-6wrv-35h9-3pj7: A certain Debian patch for OpenSSH before 4
A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051.
OSV
CVE-2008-4109: A certain Debian patch for OpenSSH before 4
osv·2008-09-18·CVSS 8.1
CVE-2008-4109 [HIGH] CVE-2008-4109: A certain Debian patch for OpenSSH before 4
A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051.
OSV
CVE-2006-5051: Signal handler race condition in OpenSSH before 4
osv·2006-09-27·CVSS 8.1
CVE-2006-5051 [HIGH] CVE-2006-5051: Signal handler race condition in OpenSSH before 4
Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
No detection rules found.
No public exploits indexed.
Zscaler
CVE-2024-6387 & CVE-2024-6409 | ThreatLabz
blogs_zscaler·2024-08-05·CVSS 8.1
[HIGH] CVE-2024-6387 & CVE-2024-6409 | ThreatLabz
Checkpoint
8th July – Threat Intelligence Report
blogs_checkpoint·2024-07-08
CVE-2024-6387 8th July – Threat Intelligence Report
## 8th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 8th July, please download our Threat Intelligence Bulletin .
TOP ATTACKS AND BREACHES
FIA, the governing body for Formula 1, disclosed a data breach stemming from a phishing attack on their email accounts. The attack led to unauthorized access to personal data, and the incident has been reported to relevant data protection regulators. FIA is taking steps to bolster security and has initiated protective measures fo
Tenable
How the regreSSHion Vulnerability Could Impact Your Cloud Environment
blogs_tenable·2024-07-05
Unit42
Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability
blogs_unit42·2024-07-02·CVSS 8.1
CVE-2024-6387 [HIGH] Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability
## Executive Summary
On July 1, 2024, a critical signal handler race condition vulnerability was disclosed in OpenSSH servers (sshd) on glibc-based Linux systems. This vulnerability, called RegreSSHion and tracked as CVE-2024-6387, can result in unauthenticated remote code execution (RCE) with root privileges. This vulnerability has been rated High severity (CVSS 8.1).
This vulnerability impacts the following OpenSSH server versions:
- OpenSSH versions between 8.5p1 and 9.8p1
- OpenSSH versions earlier than 4.4p1, if they have not been backport-patched against CVE-2006-5051 or patched against CVE-2008-4109
The SSH features in PAN-OS are not affected by CVE-2024-6387.
Using Palo Alto Networks Xpanse data, we observed 23 million instances of OpenSSH servers including all versions. We saw over 7 m
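The version list above gives the two upstream ranges tied to this bug. What follows is an added example, not code from Unit 42, Qualys or the OpenSSH project: it classifies an SSH server banner against those ranges. It assumes the banner shape OpenSSH emits (`SSH-2.0-OpenSSH_<major>.<minor>p<n> <comment>`), treats 4.4 as the first release with the 2006 fix and 9.8p1 as the first upstream release with the regreSSHion fix, and uses constructed sample banners. What it deliberately cannot tell you is whether a distribution backported the fix without changing the version string, which is exactly the case for the Debian build 1:9.2p1-2+deb12u3 that this page lists as fixed; an in-range result therefore means "check the package", not "vulnerable".

```c
/* Added example, not from the page or any vendor advisory: classify an SSH
 * banner by upstream OpenSSH version against the two ranges for this bug:
 * before 4.4 (CVE-2006-5051) and 8.5p1 up to, not including, 9.8p1
 * (CVE-2024-6387). Sample banners in main() are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum ssh_status {
    SSH_UNKNOWN,        /* not an OpenSSH banner, or version not parseable */
    SSH_OUTSIDE_RANGES, /* upstream version outside both affected ranges */
    SSH_RANGE_2006,     /* OpenSSH < 4.4: the original CVE-2006-5051 range */
    SSH_RANGE_2024      /* 8.5 <= OpenSSH < 9.8: the regreSSHion range */
};

/* Extract major.minor from e.g. "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3".
 * The portable suffix ("p1") and any distro comment are ignored: they do
 * not tell you whether a fix was backported.
 * Returns 0 on success, -1 if this is not an OpenSSH banner. */
int parse_openssh_version(const char *banner, int *major, int *minor)
{
    const char *p = strstr(banner, "OpenSSH_");
    if (p == NULL)
        return -1;
    p += strlen("OpenSSH_");

    char *end;
    long mj = strtol(p, &end, 10);
    if (end == p || *end != '.')
        return -1;

    const char *q = end + 1;
    long mn = strtol(q, &end, 10);
    if (end == q || mj < 0 || mn < 0 || mn > 99)
        return -1;

    *major = (int)mj;
    *minor = (int)mn;
    return 0;
}

enum ssh_status classify_banner(const char *banner)
{
    int major, minor;
    if (parse_openssh_version(banner, &major, &minor) != 0)
        return SSH_UNKNOWN;

    int v = major * 100 + minor;   /* 4.4 -> 404, 9.10 -> 910 */
    if (v < 404)
        return SSH_RANGE_2006;
    if (v >= 805 && v < 908)
        return SSH_RANGE_2024;
    return SSH_OUTSIDE_RANGES;
}

const char *status_name(enum ssh_status s)
{
    switch (s) {
    case SSH_RANGE_2006:     return "in CVE-2006-5051 range (< 4.4): verify package";
    case SSH_RANGE_2024:     return "in CVE-2024-6387 range (8.5p1 .. 9.7p1): verify package";
    case SSH_OUTSIDE_RANGES: return "upstream version outside both ranges";
    default:                 return "not OpenSSH / unparseable";
    }
}

int main(void)
{
    /* Constructed banners; a real one is the first line sshd sends on connect. */
    const char *samples[] = {
        "SSH-2.0-OpenSSH_4.3p2 Debian-9etch3",
        "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
        "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3", /* this page lists this build as fixed */
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-dropbear_2022.83",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-42s -> %s\n", samples[i], status_name(classify_banner(samples[i])));
    return 0;
}
```

The Debian 9.2p1 sample is the point of the exercise: the banner says 9.2p1, the Debian tracker entry on this page says 1:9.2p1-2+deb12u3 is fixed, and nothing in the banner distinguishes the two. Pair a banner-based sweep with the distribution's package version or a vendor scanner check before calling a host affected.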
Wiz
RCE vulnerability in OpenSSH: everything you need to know | Wiz Blog
blogs_wiz·2024-07-01·CVSS 8.1
CVE-2024-6387 [HIGH] RCE vulnerability in OpenSSH: everything you need to know | Wiz Blog
An unauthenticated RCE-as-root vulnerability was identified in OpenSSH server (sshd) by researchers from Qualys, assigned CVE-2024-6387 and dubbed regreSSHion. The vulnerability is a signal handler race condition and is known to be exploitable in the default configuration of OpenSSH in specific version ranges running on 32-bit glibc-based Linux distributions.
## What is CVE-2024-6387?
The researchers who discovered this vulnerability analyzed the root cause and determined it to be a regression of an earlier vulnerability (CVE-2006-5051), meaning that the original vulnerability was accidentally reintroduced due to other code changes.
## How likely is this vulnerability to be exploited en masse?
Based on what is currently known about
Qualys
OpenSSH CVE-2024-6387 RCE Vulnerability: Risk & Mitigation | Qualys
blogs_qualys·2024-07-01·CVSS 8.1
CVE-2024-6387 [HIGH] OpenSSH CVE-2024-6387 RCE Vulnerability: Risk & Mitigation | Qualys
#### Table of Contents
- About OpenSSH: Securing SSH Communications and Protecting Infrastructure from OpenSSH Vulnerabilities
- OpenSSH Server Versions Affected by the regreSSHion Vulnerability
- Understanding the Potential Impact of regreSSHion Vulnerability on OpenSSH Exploits
- Immediate Steps to Mitigate the SSH Vulnerability
- Technical Details of the OpenSSH Exploit (CVE-2024-6387)
- Qualys QID Coverage for Detecting the OpenSSH Exploit
- Discover Vulnerable OpenSSH Assets with Qualys CyberSecurity Asset Management (CSAM)
- Enhancing Your Security Posture with Qualys VMDR to Detect and Remediate OpenSSH Vulnerabilities
- Unified Dashboard for regreSSHion: Track Exposure and Remediation of OpenSSH Exploits
- Automatically Patch regreSSHion Vulnerabilities with Qualys Patch Managemen
Wiz
RCE vulnerability in OpenSSH: everything you need to know | Wiz Blog
blogs_wiz·2024-07-01·CVSS 8.1
CVE-2024-6387 [HIGH] RCE vulnerability in OpenSSH: everything you need to know | Wiz Blog
An unauthenticated RCE-as-root vulnerability was identified in OpenSSH server (sshd) by researchers from Qualys, assigned CVE-2024-6387 and dubbed regreSSHion. The vulnerability is a signal handler race condition and is known to be exploitable in the default configuration of OpenSSH in specific version ranges running on 32-bit glibc-based Linux distributions.
# What is CVE-2024-6387?
A signal handler race condition vulnerability was discovered in OpenSSH server (sshd) affecting its default configuration. If an SSH client fails to authenticate within the `LoginGraceTime` period (120 seconds by default), then the SIGALRM (signal alarm) handler is called asynchronously, but some of the functions that it calls are not async-signal-safe, including `syslog()`. In glibc-based Linux distros, und
Qualys
Remote Unauthenticated Code Execution Vulnerability in OpenSSH Server (regreSSHion)
blogs_qualys·2024-07-01·CVSS 8.1
CVE-2024-6387 [HIGH] Remote Unauthenticated Code Execution Vulnerability in OpenSSH Server (regreSSHion)
Bugzilla
CVE-2024-6387 openssh: regreSSHion - race condition in SSH allows RCE/DoS
bugzilla·2024-06-27·CVSS 8.1
CVE-2024-6387 [HIGH] CVE-2024-6387 openssh: regreSSHion - race condition in SSH allows RCE/DoS
We discovered a vulnerability (a signal handler race condition) in OpenSSH's server (sshd): if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously, but this signal handler calls various functions that are not async-signal-safe (for example, syslog()).
On investigation, we realized that this vulnerability is in fact a regression of CVE-2006-5051 ("Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code"), which was reported in 2006 by Mark Dowd.
This regression was introduced in October 2020 (OpenSSH 8.5p1) by commi
Bugzilla
CVE-2006-4924 openssh DoS (also CVE-2006-5051) (also for RHL7.3: CVE-2006-0225, CVE-2003-0386)
bugzilla·2006-09-30·CVSS 7.5
CVE-2006-4924 [HIGH] CVE-2006-4924 openssh DoS (also CVE-2006-5051) (also for RHL7.3: CVE-2006-0225, CVE-2003-0386)
creating as a clone of bug 207955 (and also bug 207957 which is for fc5) --
create clone doesn't seem to be working for me for some reason, so copy/pasted
in the description from those bugs.
Tavis Ormandy of the Google Security Team discovered a denial of service attack
on the openssh sshd daemon when ssh protocol version 1 is enabled. This flaw
will cause the openssh server to consume a large quantity of the CPU until the
specified timeout is reached.
The upstream patches can be found here:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.c.diff?r1=1.29&r2=1.30&sortby=date&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c.diff?r1=1.143&r2=1.144&sortby=date&f=h
h
Bugzilla
CVE-2006-5051 unsafe GSSAPI signal handler
bugzilla·2006-09-28·CVSS 8.1
CVE-2006-5051 [HIGH] CVE-2006-5051 unsafe GSSAPI signal handler
+++ This bug was initially created as a clone of Bug #208347 +++
OpenSSH 4.4 was released and mentions:
* Fix an unsafe signal handler reported by Mark Dowd. The
signal handler was vulnerable to a race condition that could
be exploited to perform a pre-authentication denial of
service. On portable OpenSSH, this vulnerability could
theoretically lead to pre-authentication remote code execution
if GSSAPI authentication is enabled, but the likelihood of
successful exploitation appears remote.
-- Additional comment from [email protected] on 2006-09-28 11:17 EST --
I've done some analysis of this issue and received a mail from Mark Dowd
regarding this vulnerability. The upstream details are misleading.
The problem is that the signal handling in o
Bugzilla
CVE-2006-5051 unsafe GSSAPI signal handler
bugzilla·2006-09-27·CVSS 8.1
CVE-2006-5051 [HIGH] CVE-2006-5051 unsafe GSSAPI signal handler
OpenSSH 4.4 was released and mentions:
* Fix an unsafe signal handler reported by Mark Dowd. The
signal handler was vulnerable to a race condition that could
be exploited to perform a pre-authentication denial of
service. On portable OpenSSH, this vulnerability could
theoretically lead to pre-authentication remote code execution
if GSSAPI authentication is enabled, but the likelihood of
successful exploitation appears remote.
This could only affect RHEL4 as previous RHEL did not support GSSAPI
Discussion:
I've done some analysis of this issue and received a mail from Mark Dowd
regarding this vulnerability. The upstream details are misleading.
The problem is that the signal handling in openssh does quite a lot and can
introduce a race conditio
CWE
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
mitre_cwe
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
A race condition occurs within concurrent environments, and it is effectively a property of a code sequence. Depending on the context, a code sequence may be in the form of a function call, a small number of instructions, a series of program invocations, etc. A race condition violates these properties, which are closely related: Exclusivity - the code sequence is given exclusive access to the shared resource, i.e., no other code sequence can modify properties
CWE
Multiple Releases of Same Resource or Handle
mitre_cwe
CWE-1341 Multiple Releases of Same Resource or Handle
CWE-1341: Multiple Releases of Same Resource or Handle
The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.
Code typically requires "opening" handles or references to resources such as memory, files, devices, socket connections, services, etc. When the code is finished with using the resource, it is typically expected to "close" or "release" the resource, which indicates to the environment (such as the OS) that the resource can be re-assigned or reused by unrelated processes or actors - or in some cases, within the same process. API functions or other abstractions are often used to perform this release, such as free() or delete() within C/C++, or file-handle close() operations that are used in many languag
CWE-415: Double Free (source: mitre_cwe)
The product calls free() twice on the same memory address.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity, Confidentiality, Availability. Impact: Modify Memory, Execute Unauthorized Code or Commands. When a program calls free() twice with the same argument, the program's memory management data structures may become corrupted, potentially leading to the reading or modification of unexpected memory addresses. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a bu
CWE-666: Operation on Resource in Wrong Phase of Lifetime (source: mitre_cwe)
The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.
A resource's lifecycle includes several phases: initialization, use, and release. For each phase, it is important to follow the specifications outlined for how to operate on the resource and to ensure that the resource is in the expected phase. Otherwise, if a resource is in one phase but the operation is not valid for that phase (i.e., an incorrect phase of the resource's lifetime), then this can produce resultant weaknesses. For example, using a resource before it has been fully initialized could cause corruption or incorrect data to be used.
Modes of Introduction:
Phase: Implementation
Common
CWE-828: Signal Handler with Functionality that is not Asynchronous-Safe (source: mitre_cwe)
The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.
This can lead to an unexpected system state with a variety of potential consequences depending on context, including denial of service and code execution. Signal handlers are typically intended to interrupt normal functionality of a program, or even other signals, in order to notify the process of an event. When a signal handler uses global or static variables, or invokes functions that ultimately depend on such state or its associated metadata, then it could corrupt system state that is being used by normal functionality. This could subject the program
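As an added illustration of the two weaknesses above (CWE-828 and CWE-415), and not code from OpenSSH or from this page: the C program below shows the async-signal-safe handler pattern, in which the handler only stores to a volatile sig_atomic_t flag and the main control flow performs the deferred cleanup, together with a release helper that nulls the caller's pointer so that a second release path becomes a harmless no-op rather than a double free. The session_t structure, the use of SIGUSR1 to stand in for a timeout signal, and every function name here are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Async-signal-safe handler: the only action is a store to a
 * sig_atomic_t. No free(), no I/O, no logging inside the handler. */
static volatile sig_atomic_t got_signal = 0;

static void on_signal(int signo) {
    (void)signo;
    got_signal = 1;
}

/* Install on_signal for signo via sigaction(); returns 0 on success. */
int install_handler(int signo) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(signo, &sa, NULL);
}

/* Release a heap buffer exactly once. Nulling the caller's pointer turns
 * any later release attempt into a no-op instead of a double free
 * (CWE-415). Returns 1 if free() ran this call, 0 otherwise. */
int release_once(char **pp) {
    if (pp == NULL || *pp == NULL)
        return 0;
    free(*pp);
    *pp = NULL;
    return 1;
}

/* Constructed session state: one buffer that two independent code paths
 * (a timeout path and the normal teardown path) both want to release. */
typedef struct {
    char *buf;
    int releases;   /* how many times free() actually ran */
} session_t;

int session_init(session_t *s) {
    s->buf = malloc(64);
    s->releases = 0;
    return s->buf != NULL ? 0 : -1;
}

/* Main-loop service routine: consumes the flag set by the handler and does
 * the deferred cleanup. Returns 1 if cleanup ran, 0 if no signal pending. */
int service_signal(session_t *s) {
    if (!got_signal)
        return 0;
    got_signal = 0;
    s->releases += release_once(&s->buf);
    return 1;
}

/* Normal teardown path; safe even if the timeout path already released. */
void session_teardown(session_t *s) {
    s->releases += release_once(&s->buf);
}

/* Scenario: the timeout signal fires, then normal teardown runs.
 * Returns the total number of free() calls performed (expected: 1),
 * or -1 if setup failed. */
int run_scenario(void) {
    session_t s;
    if (session_init(&s) != 0 || install_handler(SIGUSR1) != 0)
        return -1;
    raise(SIGUSR1);        /* stands in for a login-grace timeout firing */
    service_signal(&s);    /* deferred cleanup in the main control flow */
    session_teardown(&s);  /* second release path: no-op, buf is NULL */
    return s.releases;
}

/* Two back-to-back releases of the same buffer: free() must run once. */
int double_release_count(void) {
    char *p = malloc(16);
    int n = 0;
    n += release_once(&p);
    n += release_once(&p);
    return n;
}

int main(void) {
    printf("scenario: free() ran %d time(s)\n", run_scenario());
    printf("double release: free() ran %d time(s)\n", double_release_count());
    return 0;
}
```

The handler never touches heap state, so whichever point of the main flow the signal interrupts, the memory allocator's bookkeeping cannot be corrupted by it; the flag is examined at a well-defined point instead. The release helper addresses the second half of the problem: once two code paths can legitimately reach the same release, the pointer itself must record that the release already happened.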
References:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:22.openssh.asc
ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
http://docs.info.apple.com/article.html?artnum=305214
http://lists.apple.com/archives/security-announce/2007/Mar/msg00002.html
http://lists.freebsd.org/pipermail/freebsd-security/2006-October/004051.html
http://marc.info/?l=openssh-unix-dev&m=115939141729160&w=2
http://openssh.org/txt/release-4.4
http://secunia.com/advisories/22158
http://secunia.com/advisories/22173
http://secunia.com/advisories/22183
http://secunia.com/advisories/22196
http://secunia.com/advisories/22208
http://secunia.com/advisories/22236
http://secunia.com/advisories/22245
http://secunia.com/advisories/22270
http://secunia.com/advisories/22352
http://secunia.com/advisories/22362
http://secunia.com/advisories/22487
http://secunia.com/advisories/22495
http://secunia.com/advisories/22823
http://secunia.com/advisories/22926
http://secunia.com/advisories/23680
http://secunia.com/advisories/24479
http://secunia.com/advisories/24799
http://secunia.com/advisories/24805
http://security.freebsd.org/advisories/FreeBSD-SA-06%3A22.openssh.asc
http://security.gentoo.org/glsa/glsa-200611-06.xml
http://securitytracker.com/id?1016940
http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.592566
http://sourceforge.net/forum/forum.php?forum_id=681763
http://support.avaya.com/elmodocs2/security/ASA-2006-216.htm
http://www-unix.globus.org/mail_archive/security-announce/2007/04/msg00000.html
http://www.arkoon.fr/upload/alertes/36AK-2006-07-FR-1.0_FAST360_OPENSSH.pdf
http://www.arkoon.fr/upload/alertes/43AK-2006-09-FR-1.0_SSL360_OPENSSH.pdf
http://www.debian.org/security/2006/dsa-1189
http://www.debian.org/security/2006/dsa-1212
http://www.kb.cert.org/vuls/id/851340
http://www.mandriva.com/security/advisories?name=MDKSA-2006:179
http://www.novell.com/linux/security/advisories/2006_62_openssh.html
http://www.openbsd.org/errata.html#ssh
http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.022-openssh.html
http://www.openwall.com/lists/oss-security/2024/07/01/3
http://www.openwall.com/lists/oss-security/2024/07/28/3
http://www.osvdb.org/29264
http://www.redhat.com/support/errata/RHSA-2006-0697.html
http://www.redhat.com/support/errata/RHSA-2006-0698.html
http://www.securityfocus.com/bid/20241
http://www.ubuntu.com/usn/usn-355-1
http://www.us-cert.gov/cas/techalerts/TA07-072A.html
http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
http://www.vupen.com/english/advisories/2006/4018
http://www.vupen.com/english/advisories/2006/4329
http://www.vupen.com/english/advisories/2007/0930
http://www.vupen.com/english/advisories/2007/1332
https://exchange.xforce.ibmcloud.com/vulnerabilities/29254
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11387
https://www.openwall.com/lists/oss-security/2024/07/28/3
+ 16 more references
Published: 2006-09-27