CVE-2024-6409
Published 2024-07-08
Priority: P1 · 81 · high · CVSS 3.1: 7
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 27.93% (97.9th percentile)
A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | — | — |
| paloalto | pan-os | — | — |
Detection & IOCs (extracted from sources)
- Detect multiple SSH connection attempts indicative of race condition exploitation (thousands of connections needed to trigger SIGALRM race condition)
- Detect SSH server traffic patterns associated with CVE-2024-6409/CVE-2024-6387 exploitation attempts
- Monitor for fake/malicious PoC archives circulating on social media that modify system files and retrieve payloads from remote servers — researchers testing CVE-2024-6387 PoCs may have security features disabled
- CVE-2024-6409 race condition triggers in cleanup_exit() called from grace_alarm_handler() in the privsep child process — monitor for abnormal sshd child process termination patterns
- Exploitation requires repeated LoginGraceTime expiry cycles — monitor for high volumes of SSH connections that each time out without authenticating within the grace period
- Setting LoginGraceTime to 0 mitigates both CVE-2024-6387 and CVE-2024-6409 but may introduce denial-of-service risks
- Affected OpenSSH versions are up to 4.4p1 and 8.5p1 through 9.7p1 on Linux/glibc systems; exploitation on 64-bit systems is significantly harder due to ASLR entropy
CVSS provenance
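| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.0 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H |
| vulncheck | 7.0 | HIGH | — |
| vendor_redhat | 8.1 | HIGH | — |
| vendor_debian | 7.0 | LOW | — |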
GHSA
GHSA-79hg-h6r6-64mm: A signal handler race condition vulnerability was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds
ghsa_unreviewed·2024-07-08·CVSS 8.1
CVE-2024-6409 [HIGH] CWE-364 GHSA-79hg-h6r6-64mm: A signal handler race condition vulnerability was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds
A signal handler race condition vulnerability was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This issue leaves it vulnerable to a signal handler race condition on the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server.
VulnCheck
GNU grub2 Signal Handler Race Condition
vulncheck·2024·CVSS 7.0
CVE-2024-6409 [HIGH] GNU grub2 Signal Handler Race Condition
GNU grub2 Signal Handler Race Condition
A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.
Affected: GNU grub2
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://content.kaspersky-labs.com/fm/si
Palo Alto
PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2025-02-12·CVSS 7.1
CVE-2015-5312 [HIGH] PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2015-5312, CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, CVE-2016-4738, CVE-2018-1111, CVE-2018-14634, CVE-2018-18653, CVE-2019-0145, CVE-2019-8331, CVE-2020-0599, CVE-2020-14343, CVE-2020-14779, CVE-2020-27844, CVE-2020-29569, CVE-2021-21315, CVE-2021-27853, CVE-2021-27854, CVE-2021-27861, CVE-2021-27862, CVE-2021-3618, CVE-2021-3711, CVE-2022-2097, CVE-2022-22816, CVE-2022-40303, CVE-2022-41723, CVE-2022-41741, CVE-2022-41742, CVE-2023-3247, CVE-2023-38408, CVE-2023-44466, CVE-2023-50781, CVE-2023-50782, CVE-2024-12084, CV
Red Hat
openssh: Possible remote code execution due to a race condition in signal handling affecting Red Hat Enterprise Linux 9
vendor_redhat·2024-07-08·CVSS 8.1
CVE-2024-6409 [HIGH] CWE-364 openssh: Possible remote code execution due to a race condition in signal handling affecting Red Hat Enterprise Linux 9
openssh: Possible remote code execution due to a race condition in signal handling affecting Red Hat Enterprise Linux 9
A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.
Debian
CVE-2024-6409: openssh - A race condition vulnerability was discovered in how signals are handled by Open...
vendor_debian·2024·CVSS 7.0
CVE-2024-6409 [HIGH] CVE-2024-6409: openssh - A race condition vulnerability was discovered in how signals are handled by Open...
A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
Suricata
ET INFO Server Responded with Vulnerable OpenSSH Version (CVE-2024-6409)
suricata·2024-07-09·CVSS 7.0
CVE-2024-6409 [HIGH] ET INFO Server Responded with Vulnerable OpenSSH Version (CVE-2024-6409)
ET INFO Server Responded with Vulnerable OpenSSH Version (CVE-2024-6409)
Rule: alert ssh any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Server Responded with Vulnerable OpenSSH Version (CVE-2024-6409)"; flow:established,to_client; content:"SSH-"; startswith; content:"-OpenSSH_"; fast_pattern; pcre:"/^8\.[78](?:p\d)?/R"; reference:cve,2024-6409; classtype:successful-recon-largescale; sid:2054407; rev:1; metadata:affected_product OpenSSH, attack_target Server, created_at 2024_07_09, cve CVE_2024_6409, deployment Perimeter, deployment Internal, performance_impact Moderate, confidence High, signature_severity Informational, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_07_09;)
Suricata
ET WEB_SPECIFIC_APPS AvailScript Article Script articles.php aIDS Parameter SQL Injection
suricata·2010-07-30·CVSS 7.5
CVE-2008-4371 [HIGH] ET WEB_SPECIFIC_APPS AvailScript Article Script articles.php aIDS Parameter SQL Injection
ET WEB_SPECIFIC_APPS AvailScript Article Script articles.php aIDS Parameter SQL Injection
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AvailScript Article Script articles.php aIDS Parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/articles.php?"; nocase; content:"aIDS="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2008-4371; reference:url,secunia.com/advisories/31816/; reference:url,milw0rm.com/exploits/6409; classtype:web-application-attack; sid:2009747; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2024_03_06, mitre_t
No public exploits indexed.
Zscaler
CVE-2025-29927: Next.js Middleware Flaw | ThreatLabz
blogs_zscaler·2025-03-27·CVSS 9.1
[CRITICAL] CVE-2025-29927: Next.js Middleware Flaw | ThreatLabz
Zscaler
CVE-2024-6387 & CVE-2024-6409 | ThreatLabz
blogs_zscaler·2024-08-05·CVSS 8.1
[HIGH] CVE-2024-6387 & CVE-2024-6409 | ThreatLabz
Trendmicro
The Potential Impact of the OpenSSH Vulnerabilities CVE-2024–6387 and CVE-2024-6409
blogs_trendmicro·2024-07-17·CVSS 7.0
CVE-2024-6409 [HIGH] The Potential Impact of the OpenSSH Vulnerabilities CVE-2024–6387 and CVE-2024-6409
Exploits and vulnerabilities
## The Potential Impact of the OpenSSH Vulnerabilities CVE-2024–6387 and CVE-2024-6409
We check the OpenSSH vulnerabilities CVE-2024–6387 and CVE-2024-6409, examining their potential real-world impact and the possibility of exploitation for CVE-2024–6387 in x64 systems.
By: Jagir Shastri, Jul 17, 2024
The “regreSSHion” vulnerability arises from the unsafe handling of the SIGALRM signal during SSH authentication. When the LoginGraceTime expires, the SIGALRM signal is raised, and the corresponding handler performs certain actions, including calling non-async-signal-safe functions like syslog(). This can create a race condition, where the timing of operations could lead to memory corruption or other unexpected behaviors.
Trendmicro
The Potential Impact of the OpenSSH Vulnerabilities CVE-2024–6387 and CVE-2024-6409
blogs_trendmicro·2024-07-17·CVSS 8.1
CVE-2024-6387 [HIGH] The Potential Impact of the OpenSSH Vulnerabilities CVE-2024–6387 and CVE-2024-6409
Exploits & Vulnerabilities
# The Potential Impact of the OpenSSH Vulnerabilities CVE-2024–6387 and CVE-2024-6409
We check the OpenSSH vulnerabilities CVE-2024–6387 and CVE-2024-6409, examining their potential real-world impact and the possibility of exploitation for CVE-2024–6387 in x64 systems.
By: Jagir Shastri, 2024/07/17
# Introduction
CVE-2024–6387, also known as “regreSSHion,” is a vulnerability that exists in OpenSSH, a widely-used suite of secure networking utilities based on the SSH protocol. This vulnerability, which was discovered in July 2024, allows for remote unauthenticated code execution, potentially providing attackers root privileges on affected systems. The Common Vulnerability Scoring System (CVSS) has rated this vulnerability wit
Greynoiseio
Storm⚡Watch: Unplugged
blogs_greynoiseio
Storm⚡Watch: Unplugged
Bugzilla
CVE-2024-6409 openssh: Possible remote code execution due to a race condition in signal handling affecting Red Hat Enterprise Linux 9
bugzilla·2024-07-01·CVSS 8.1
CVE-2024-6409 [HIGH] CVE-2024-6409 openssh: Possible remote code execution due to a race condition in signal handling affecting Red Hat Enterprise Linux 9
CVE-2024-6409 openssh: Possible remote code execution due to a race condition in signal handling affecting Red Hat Enterprise Linux 9
The OpenSSH version as shipped with Red Hat Enterprise Linux 9 is vulnerable to a signal handler race condition on cleanup_exit() function which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server. This vulnerability only affects the versions of OpenSSH shipped with Red Hat Enterprise Linux 9.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2024:4457 https://access.redhat.com/errata/RHSA-2024:4457
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.2 Extended Update Support
Via RHSA-2024:4716 https://access.redhat.
References
- https://access.redhat.com/errata/RHSA-2024:4457
- https://access.redhat.com/errata/RHSA-2024:4613
- https://access.redhat.com/errata/RHSA-2024:4716
- https://access.redhat.com/errata/RHSA-2024:4910
- https://access.redhat.com/errata/RHSA-2024:4955
- https://access.redhat.com/errata/RHSA-2024:4960
- https://access.redhat.com/errata/RHSA-2024:5444
- https://access.redhat.com/security/cve/CVE-2024-6409
- https://bugzilla.redhat.com/show_bug.cgi?id=2295085
- http://www.openwall.com/lists/oss-security/2024/07/08/2
- http://www.openwall.com/lists/oss-security/2024/07/09/2
- http://www.openwall.com/lists/oss-security/2024/07/09/5
- http://www.openwall.com/lists/oss-security/2024/07/10/1
- http://www.openwall.com/lists/oss-security/2024/07/10/2
- https://almalinux.org/blog/2024-07-09-cve-2024-6409/
- https://bugzilla.suse.com/show_bug.cgi?id=1227217
- https://explore.alas.aws.amazon.com/CVE-2024-6409.html
- https://github.com/openela-main/openssh/commit/c00da7741d42029e49047dd89e266d91dcfbffa0
- https://security-tracker.debian.org/tracker/CVE-2024-6409
- https://security.netapp.com/advisory/ntap-20240712-0003/
- https://sig-security.rocky.page/issues/CVE-2024-6409/
- https://ubuntu.com/security/CVE-2024-6409
- https://www.suse.com/security/cve/CVE-2024-6409.html
Published 2024-07-08
Exploited in the wild