CVE-2024-6387 — regreSSHion
A race condition in OpenSSH’s sshd signal handler — a
regression of an older 2006-era issue (CVE-2006-5051) —
re-enabled remote RCE as root on glibc Linux servers running
affected sshd. The bug is reached through the
LoginGraceTime SIGALRM handler; the exploit is hard but
demonstrably real (Qualys published proof of concept).
Affected versions
- OpenSSH versions earlier than 4.4p1 — vulnerable to the original 2006 issue (and to this one if other patches weren’t backported).
- OpenSSH 4.4p1 through 8.5p1 — not vulnerable (the 2006 fix held).
- OpenSSH 8.5p1 through 9.7p1 — vulnerable (regression reintroduced).
- OpenSSH 9.8p1+ — patched.
OpenBSD’s native OpenSSH is not affected (the bug is glibc-specific). Linux distros backport patches at varying speeds; the right reference is your distro’s advisory.
Indicator-of-exposure
Detection:
ssh -V # Reports the OpenSSH version
sshd -V 2>&1 | head -1 # Sometimes more accurate
# Also verify against the distro advisory
apt-cache policy openssh-server
dnf info openssh-server
Sufficient exposure conditions:
- glibc Linux (i.e., not OpenBSD, FreeBSD, musl Alpine).
- OpenSSH version in the 8.5p1–9.7p1 window.
sshdreachable by an attacker.- Default
LoginGraceTime(120 seconds). The mitigation setting isLoginGraceTime 0, which closes the race window by removing the alarm.
A network-isolated sshd (only reachable from a bastion or
internal-only) is a smaller exposure surface but still
vulnerable to anyone who reaches the bastion.
Remediation strategy
- Upgrade OpenSSH to 9.8p1+ via the distro’s package manager.
- Mitigate with
LoginGraceTime 0in/etc/ssh/sshd_configuntil the upgrade lands. This removes the alarm-based race entirely; the cost is that a client hanging the auth handshake holds ansshdslot forever (aMaxStartupssetting becomes load-bearing). - Restart
sshdafter either action. - Audit auth logs for unexplained
sshd[<pid>]: fatal: Timeout before authenticationmessages — the published exploit signatures the failure pattern. - Treat as compromised any host whose
sshdwas the affected version and network-reachable to untrusted networks for an extended window. Rotate host keys; rotate any secret accessible fromsshd’s process memory.
When to use it
Use this recipe when a Linux host, container image, appliance, VM base image,
or infrastructure repository may run affected OpenSSH sshd on glibc Linux.
It is most important for public or bastion-reachable servers, management
containers, CI images, golden images, or fleets where sshd exposure and
restart ownership are split across teams.
Use it to distinguish package remediation from incident response: upgrade or mitigate, identify the restart owner, classify exposure, and produce host-key rotation and log-review actions when the service was reachable. Do not use it to bundle unrelated SSH hardening or firewall redesign into the same change.
Inputs
- Host inventories, image manifests, SBOMs, package locks, distro advisories, Terraform/Ansible/cloud-init/Packer config, container Dockerfiles, SSHD config, systemd units, and operational runbooks.
- OpenSSH server version evidence from
sshd -V, package managers, image scans, distro backport advisories, custom build metadata, and runtime inventory. - Platform and exposure evidence: glibc vs musl/BSD, listening interfaces,
firewall/bastion controls,
LoginGraceTime,MaxStartups, public internet reachability, auth logs, and exposure-window timing. - Operator-owned secrets and trust anchors reachable by
sshd: host keys, host certificates, PAM/AuthorizedKeysCommand outputs, deploy credentials, CI credentials, and artifacts produced on the host. - Change-control constraints for package upgrades, config mitigation, reload or restart timing, session impact, auth-log retention, key rotation, and host rebuilds.
The prompt
You are remediating CVE-2024-6387 (regreSSHion) on this host
or in this system image. Output exactly one of:
- A PR / change request upgrading OpenSSH and (optionally)
applying the `LoginGraceTime 0` mitigation, plus an IR
checklist for the operator.
- A TRIAGE.md if the host has been running affected `sshd`
on the public internet for an extended period.
This recipe is **not** auto-merge. The agent produces the PR;
the operator restarts `sshd` and decides on IR scope.
## Step 0 — Detect
1. Read OpenSSH server version: `sshd -V 2>&1 | head -1`.
2. Confirm the host is glibc Linux: `ldd --version | head -1`.
3. Read `/etc/ssh/sshd_config` for the current
`LoginGraceTime` value.
4. Determine network exposure: is `sshd` listening on a
public interface? Is it firewalled to a bastion?
## Step 1 — Classify
- **Not on glibc Linux** or **OpenSSH outside the affected
window:** document and stop.
- **Affected, not network-reachable from untrusted nets:**
upgrade + restart, no IR escalation.
- **Affected, network-reachable from the public internet for
an extended window:** treat as potentially compromised.
Write the IR checklist; do not auto-rotate keys.
## Step 2 — Upgrade
1. `apt upgrade openssh-server` /
`dnf upgrade openssh-server` to the distro's patched
version.
2. Verify the new version: `sshd -V`.
3. The PR body lists `systemctl restart sshd` as an
operator action. The agent does not restart the service.
## Step 3 — Mitigate (interim)
If the upgrade cannot ship immediately, propose a config
change:
```
# In /etc/ssh/sshd_config
LoginGraceTime 0
MaxStartups 10:30:100
```
`LoginGraceTime 0` removes the alarm entirely. Tighten
`MaxStartups` to keep an attacker from holding open many
slots. Recommend a `systemctl reload sshd` after the change.
## Step 4 — IR checklist (compromised classification)
The TRIAGE.md must include:
- Rotate SSH host keys.
- Audit `auth.log` / `journalctl -u ssh` for
`Timeout before authentication` lines and unusual login
patterns during the exposure window.
- Rotate any secret that lived in `sshd`'s process memory
during the window: pam credentials, host certificates,
any `AuthorizedKeysCommand` script outputs.
- Audit any deploy / CI workflows that authenticated to this
host during the window.
- Rebuild any artifact produced on the host while it was
affected and reachable.
## Stop conditions
- The host is non-glibc Linux (musl, BSD) — not affected.
- The host's distro has no patched OpenSSH packaged yet.
Apply the `LoginGraceTime 0` mitigation; triage with a
note about the missing package.
- The host's exposure window is unclear or the auth log
rotation has lost evidence.
## Scope
- Do not modify SSH client configuration.
- Do not modify firewall rules — mention them in the PR body
as a reviewer-considered defence-in-depth.
- Do not bundle unrelated CVEs.
- Do not run `systemctl restart sshd`. Restarting `sshd` is
the operator's call (severs in-flight sessions).
Verification — what the reviewer looks for
- The package version after upgrade matches the distro’s patched version.
- If the mitigation was applied:
LoginGraceTime 0is present andMaxStartupsis sane. - The PR body’s IR scope matches the host’s exposure classification — the reviewer doesn’t accept “it was internal” without seeing how that was confirmed.
- For compromised classification, confirm the IR actions were carried out before merge.
Watch for
- Distro version strings. Some distros backport patches
without bumping the upstream version string. The
authoritative check is the distro advisory, not
sshd -V. - Custom-compiled OpenSSH. Hosts running OpenSSH built from source do not get the distro patch. Treat as a separate remediation; rebuild from a clean tree.
MaxStartupsinteractions. SettingLoginGraceTime 0without raisingMaxStartupscan become an availability bug — clients failing-to-authenticate hold slots forever. Tune both together.- Bastion-only exposure isn’t no exposure. A bastion that itself is reachable becomes the same target. The IR scope should follow the chain.
- Containerised sshd. Some images run
sshdfor management. Image bumps follow the base-image workflow; this recipe applies to the package inside the container.
Output contract
Return one of:
- A reviewer-ready PR/change request that upgrades the controlled OpenSSH
package or image, optionally applies
LoginGraceTime 0with saneMaxStartupsas an interim mitigation, identifies restart/reload actions, verifies the distro-patched status, and attaches an operator IR checklist. TRIAGE.mdwhen public or unclear exposure requires incident handling, no patched distro package is available, custom-compiled OpenSSH must be rebuilt outside this repository, or restart/host-key rotation ownership is external.
The output must list OpenSSH version evidence, distro advisory status, glibc
status, exposure path, LoginGraceTime and MaxStartups, restart owner,
auth-log review commands, host keys or secrets requiring rotation, and
validation commands. It must not restart production sshd, modify SSH client
config, silently change firewall rules, or bundle unrelated CVEs.
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6387
- CVE record: https://www.cve.org/CVERecord?id=CVE-2024-6387
Related recipes
- Vulnerable Dependency Remediation — generic CVE workflow.
- Base Image & Container Layer Remediation — for OpenSSH inside container bases.