CXO

Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released

Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released

OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. OpenSSH server process ‘sshd’ is affected by a signal handler race condition allowing unauthenticated remote code execution with root privileges on glibc-based Linux systems.

Summary

Application	OpenSSH
Severity	High
CVSS	8.1
CVEs	CVE-2024-6387
Exploited in Wild	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

CVE-2024-6387, a high-severity vulnerability in OpenSSH’s server (sshd), has been identified and is currently being exploited in the wild. Known as “regreSSHion,” this flaw involves a sophisticated race condition during the authentication phase, allowing unauthenticated remote attackers to execute arbitrary code with root privileges.

A proof-of-concept (PoC) exploit for this critical vulnerability has been released, further raising concerns.

The vulnerability affects millions of OpenSSH servers globally, with older versions particularly at risk. Rated with a CVSS score of 8.1, the flaw poses a significant security threat. Over 14 million OpenSSH server instances exposed to the Internet have been identified as potentially vulnerable, with around 700,000 instances facing external internet threats.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Race Condition vulnerability	CVE-2024-6387	OpenSSH (8.5p1–9.8p1)	High	OpenSSH 9.8p2 or later

Technical Summary

CVE-2024-6387, also known as “regreSSHion,” is a critical vulnerability in OpenSSH’s server (sshd) caused by a signal handler race condition. This issue arises when the SIGALRM handler, triggered during a failed login attempt exceeding LoginGraceTime, invokes non-async-signal-safe functions like syslog(). The Vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privileges, primarily affecting glibc-based Linux systems.

Exploitation is technically complex but feasible and has been demonstrated in controlled environments on 32-bit systems. OpenBSD systems are unaffected due to their different signal-handling mechanisms.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-6387	OpenSSH v8.5p1 through 9.8p1 on glibc-based Linux systems	Signal handler race condition in sshd’s SIGALRM, triggered during login timeout (LoginGraceTime).	Remote Code Execution (Root Privileges)

Impact:

This Vulnerability if exploited could lead to complete system takeover.

Remediation:

Immediate Patch: Upgrade OpenSSH to version 9.8p2 or later, which resolves the issue.

Access Restrictions: Implement firewall rules or TCP wrappers to limit SSH access to trusted IP ranges.

Monitor Activity: Use intrusion detection systems (IDS) to analyze logs for unusual activity, failed login attempts, or exploitation patterns.

Indicators of Compromise (IOCs):

IP Address / Hostname	File Hash
209.141.53[.]247	0df799f05c6d97e2b7d4b26c8e7246f7
108.174.58[.]28	11cc5f00b466d4f9be4e0a46f2eb51ae
195.85.205[.]47	1f452448cea986aedc88ba50d48691f7
62.72.191[.]203	207eb58423234306edaecb3ec89935d8
botbot.ddosvps.cc

Below are some IOCs associated with the threat. For a complete list of IOCs, refer to the AlienVault Pulse for CVE-2024-6387

Conclusion:

The public release of a PoC exploit for CVE-2024-6387 marks a critical moment for organizations relying on OpenSSH. While exploitation requires significant effort, the potential impact of a successful attack—complete system compromise and privilege escalation—is severe.

Swift patching and the adoption of layered security measures are imperative to mitigate the risks.

Organizations must act promptly to safeguard their systems and monitor for signs of active exploitation. By staying informed and proactive, businesses can minimize the potential fallout from this serious vulnerability.

References:

https://cybersecuritynews.com/regresshion-code-execution-vulnerability/

https://exploitfinder.com/dbexploit/exploit.html?id=CVE-2024-6387&type=GitAI&returnTab=github-ai

https://nvd.nist.gov/vuln/detail/cve-2024-6387
https://www.yorku.ca/uit/2025/01/openssh-remote-code-execution-regresshion-cve-2024-6387/

Exploit Proof-of-Concept Released for Windows Lightweight Directory Access Protocol (LDAP CVE-2024-49113 )

CVE-2024-49113 LDAP

Denial of Service Vulnerability in DNS Security Feature of Palo Alto Networks PAN-OS

Summary

OEM	Palo Alto
Severity	High
CVSS	8.7
CVEs	CVE-2024-3393
Exploited in Wild	No
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

A Denial-of-Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.

Vulnerability Name	CVE ID	Product Affected	Severity	Affected Version
(DoS) in DNS Security Using a Specially Crafted Packet	CVE-2024-3393	Palo Alto	High	PAN-OS 11.2 – < 11.2.3* PAN-OS 11.1 – < 11.1.5* PAN-OS 10.2 – >= 10.2.8, <10.2.14 PAN-OS 10.1 – >= 10.1.14, <10.1.15

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-3393	Palo Alto PAN-OS	CVE-2024-3393 is a high-severity DoS vulnerability in Palo Alto Networks PAN-OS exists in the DNS Security feature, where malformed DNS packets are improperly parsed and logged. If exploited, this vulnerability enables an unauthenticated attacker to remotely trigger a firewall reboot. Repeated exploitation attempts can cause the firewall to enter maintenance mode. CISA added it to the KEV catalog, with patching required by January 20, 2025.	Dos – Denial-of-Service

Remediation:

Update: Ensure that the appropriate patches or updates are applied to the relevant PAN-OS versions as listed below

PAN-OS Version	Fixes and Releases
PAN-OS 11.1	11.1.2-h16, 11.1.3-h13, 11.1.4-h7, 11.1.5
PAN-OS 10.2	10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, 10.2.14
PAN-OS 10.1	10.1.14-h8, 10.1.15
PAN-OS 10.2.9-h19	Only applicable to Prisma Access
PAN-OS 10.2.10-h12	Only applicable to Prisma Access
PAN-OS 11.0	No fix (reached end-of-life status on November 17, 2024)

Recommendations:

Avoid Using EOL Versions:

PAN-OS 11.0 is end-of-life (EOL) as of November 17, 2024. Ensure that you are not using this version and upgrade to be supported versions.

Monitoring & Incident Response:

Regularly monitor firewall logs for unusual behavior, especially DoS triggers.

For Prisma Access Users (Workaround):

Disable DNS Security logging across all NGFWs if patching cannot be applied immediately. This can be done by opening a support case with Palo Alto Networks.

References:

https://security.paloaltonetworks.com/CVE-2024-3393#:~:text=Description,firewall%20that%20reboots%20the%20firewall.

https://www.secpod.com/blog/palo-alto-pan-os-severe-vulnerability-cve-2024-3393-exploited/

https://nvd.nist.gov/vuln/detail/CVE-2024-3393

Cleo Releases Patch for Critical Vulnerabilities Exploited in the Wild

Summary

OEM	Cleo
Severity	Critical
CVSS score	9.8
CVE	CVE-2024-55956, CVE-2024-50623
Exploited in Wild	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

The Clop ransomware group has exploited critical vulnerabilities in Cleo’s Managed File Transfer (MFT) solutions, specifically targeting Cleo Harmony, VLTrader, and LexiCom. These vulnerabilities, identified as CVE-2024-50623 and CVE-2024-55956, allow unauthenticated attackers to execute arbitrary code on affected systems, leading to potential data breaches and system compromises.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score	Fixed Version
Unauthenticated Command Execution	CVE-2024-55956	Cleo products	Critical	9.8	5.8.0.24 or latest
Unrestricted File Upload/Download Vulnerability	CVE-2024-50623	Cleo products	Critical	9.8	5.8.0.24 or latest

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-55956	Cleo Harmony, VLTrader, LexiCom	This flaw enables unauthenticated users to import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory. Attackers can write a ZIP file containing a malicious XML file describing a new host. The malicious XML file contained a Mailbox action associated with the new host, which when run would execute an arbitrary OS command.	Execution of arbitrary commands, resulting in full system compromise.
CVE-2024-50623	Cleo Harmony, VLTrader, LexiCom	This vulnerability permits unauthenticated attackers to upload and download files without restrictions via the ‘/Synchronization’ endpoint. By uploading malicious files, attackers can achieve remote code execution. The exploitation involves writing malicious code to specific files, such as “webserverAjaxSwingconftemplatesdefault-pagebody-footerVL.html”, which is then leveraged to execute an attacker-controlled payload, potentially in the form of a webshell.	Unauthorized file manipulation and potential system compromise.

Remediations

Update Cleo Harmony, VLTrader, and LexiCom to the updated version 5.8.0.24 or latest one.

Recommendations

It is strongly advised to move any internet-exposed Cleo systems behind a firewall until patches are applied to prevent unauthorized exploitation.
Disable autorun files in Cleo software by clearing the “Autorun Directory” field under “Options” to limit the attack surface; this doesn’t resolve the file-write vulnerability.
Implement monitoring for signs of the “Cleopatra” backdoor and other malicious activities associated with Clop ransomware.
Conduct a thorough audit of your systems to identify any malicious files or abnormal system behavior associated with Cleo software. This includes checking logs, directories, and network traffic for unusual activities related to the known exploit chain.
If you have an EDR solution, block the attacker IPs associated with the exploit to prevent further external communication with compromised systems.
Ensure regular backups of critical data are performed and stored securely offline to facilitate recovery in case of any ransomware attack.

IOCs

Based on the research
These are the attacker IP addresses embedded in the encoded PowerShell

IP Address IOCs	File IOCs
176.123.5[.]126	60282967-dc91-40ef-a34c-38e992509c2c.xml
5.149.249[.]226	healthchecktemplate.txt
185.181.230[.]103	healthcheck.txt
209.127.12[.]38
181.214.147[.]164
192.119.99[.]42

References

Blue Yonder SaaS giant breached by Termite Ransomware Gang

The company acknowledged it is investigating claims by a public threat group linked to the November ransomware attack.