
CVE-2024-6387 — regreSSHion

A race condition in OpenSSH’s sshd signal handler — a regression of an older 2006-era issue (CVE-2006-5051) — re-enabled remote code execution as root on glibc Linux servers running affected sshd. The bug is reached through the LoginGraceTime SIGALRM handler; the exploit is hard but demonstrably real (Qualys published proof of concept).

Affected versions

  • OpenSSH versions earlier than 4.4p1 — vulnerable to the original 2006 issue (and to this one if other patches weren’t backported).
  • OpenSSH 4.4p1 up to, but not including, 8.5p1 — not vulnerable (the 2006 fix held).
  • OpenSSH 8.5p1 through 9.7p1 — vulnerable (regression reintroduced).
  • OpenSSH 9.8p1+ — patched.

OpenBSD’s native OpenSSH is not affected (the bug is glibc-specific). Linux distros backport patches at varying speeds; the right reference is your distro’s advisory.

Indicator-of-exposure

Detection:

ssh -V    # Reports the OpenSSH client version (normally the same package as sshd)
sshd -V 2>&1 | head -1   # Reports the server binary's version; sshd prints it to stderr

# Also verify against the distro advisory
apt-cache policy openssh-server
dnf info openssh-server

Sufficient exposure conditions:

  • glibc Linux (i.e., not OpenBSD, FreeBSD, musl Alpine).
  • OpenSSH version in the 8.5p1–9.7p1 window.
  • sshd reachable by an attacker.
  • Default LoginGraceTime (120 seconds). The mitigation setting is LoginGraceTime 0, which closes the race window by removing the alarm.

A network-isolated sshd (only reachable from a bastion or internal-only) is a smaller exposure surface but still vulnerable to anyone who reaches the bastion.
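The version-window and exposure checks above (and Step 0/Step 1 of the prompt below) as a small decision script. This is an added example, not part of the page's recipe or of OpenSSH; it takes the captured text of `sshd -V`, `ldd --version` and sshd_config as strings so it runs offline. The glibc heuristic, the "sane MaxStartups" rule and the category names are this example's own assumptions.

```python
"""Exposure classification for CVE-2024-6387, added here as an illustration;
it is not part of the page's recipe or of OpenSSH. Inputs are strings so the
checks can run against captured `sshd -V`, `ldd --version` and sshd_config
output without touching a live host."""
import re

# Version window as stated on the page: < 4.4p1 (original CVE-2006-5051),
# 8.5p1 .. 9.7p1 (regression), 9.8p1+ patched.
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_openssh_version(banner):
    """(major, minor) from text such as the first line of `sshd -V 2>&1`,
    e.g. 'OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024'.
    Returns None when no OpenSSH version string is present."""
    m = VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def version_status(ver):
    """Map (major, minor) onto the page's version table. The upstream string
    is only a first pass: distros backport fixes without bumping it, so the
    distro advisory remains the authoritative check."""
    if ver is None:
        return "unknown"
    if ver < (4, 4):
        return "vulnerable-pre-4.4p1"
    if ver < (8, 5):
        return "not-vulnerable"
    if ver <= (9, 7):
        return "vulnerable"
    return "patched"


def is_glibc(ldd_first_line):
    """Heuristic (an assumption of this example) on `ldd --version | head -1`:
    glibc prints 'GNU libc' or a distro string containing 'GLIBC';
    musl prints 'musl libc'."""
    text = ldd_first_line.lower()
    return "glibc" in text or "gnu libc" in text


def sshd_config_values(text):
    """First-match lookup of LoginGraceTime and MaxStartups, mirroring sshd's
    first-occurrence-wins rule and case-insensitive keywords. Simplification:
    Include directives are not followed. Defaults are sshd's own."""
    values = {"LoginGraceTime": "120", "MaxStartups": "10:30:100"}
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        for key in values:
            if parts[0].lower() == key.lower() and key not in seen:
                values[key] = parts[1].strip()
                seen.add(key)
    return values


def mitigation_applied(config_text):
    """True when the interim mitigation from the page (LoginGraceTime 0) is set."""
    return sshd_config_values(config_text)["LoginGraceTime"] == "0"


def max_startups_sane(value):
    """Sanity rule assumed for this example: 'start:rate:full' (or a bare
    start count) with start >= 1, 0 <= rate <= 100 and full >= start."""
    try:
        fields = [int(f) for f in value.split(":")]
    except ValueError:
        return False
    if len(fields) == 1:
        return fields[0] >= 1
    if len(fields) != 3:
        return False
    start, rate, full = fields
    return start >= 1 and 0 <= rate <= 100 and full >= start


def classify_exposure(banner, ldd_first_line, reachable_from_untrusted):
    """Step 0/Step 1 of the recipe as a decision function."""
    status = version_status(parse_openssh_version(banner))
    if not is_glibc(ldd_first_line) or status in ("not-vulnerable", "patched"):
        return "not-affected"
    if status == "unknown":
        return "unknown"
    if reachable_from_untrusted:
        return "affected-potentially-compromised"
    return "affected-upgrade-only"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real host.
    banner = "OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024"
    ldd = "ldd (Ubuntu GLIBC 2.39-0ubuntu8.3) 2.39"
    cfg = "# interim mitigation\nLoginGraceTime 0\nMaxStartups 10:30:100\n"
    print(classify_exposure(banner, ldd, reachable_from_untrusted=True))
    print("mitigated:", mitigation_applied(cfg),
          "MaxStartups sane:",
          max_startups_sane(sshd_config_values(cfg)["MaxStartups"]))
```

The classification deliberately ignores whether the mitigation is already in place: `LoginGraceTime 0` closes the window going forward but says nothing about the period before it was set, which is what the IR decision in Step 1 turns on.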

Remediation strategy

  • Upgrade OpenSSH to 9.8p1+ via the distro’s package manager.
  • Mitigate with LoginGraceTime 0 in /etc/ssh/sshd_config until the upgrade lands. This removes the alarm-based race entirely; the cost is that a client hanging the auth handshake holds an sshd slot forever (a MaxStartups setting becomes load-bearing).
  • Restart sshd after either action.
  • Audit auth logs for unexplained sshd[<pid>]: fatal: Timeout before authentication messages — the published exploit produces this failure pattern in volume, so a burst of them from one source is the thing to look for.
  • Treat as compromised any host whose sshd was the affected version and network-reachable to untrusted networks for an extended window. Rotate host keys; rotate any secret accessible from sshd’s process memory.
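The auth-log audit from the list above (and the Step 4 checklist in the prompt below), as an added example that is not part of the page's recipe: it parses syslog/journalctl-style lines, counts `Timeout before authentication` events per source address, and flags sources that produce a burst within a sliding window. The sample log is constructed; the window and threshold values are assumptions for this example, not a published signature.

```python
"""Auth-log triage for the 'Timeout before authentication' pattern, added as
an illustration (not part of the page's recipe). The log lines below are
constructed in syslog/journalctl style; the message text follows what sshd's
grace-time alarm handler logs, with the 'for <ip> port <n>' suffix optional
because older builds omit it."""
import re
from collections import defaultdict
from datetime import datetime

TIMEOUT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"fatal: Timeout before authentication(?: for (?P<ip>\S+) port \d+)?"
)

# Constructed sample: a burst from one source, one isolated timeout from a
# second source, and unrelated lines that must be ignored.
SAMPLE_LOG = """\
Jul 01 02:14:58 bastion sshd[4101]: Accepted publickey for deploy from 198.51.100.4 port 40122 ssh2: ED25519 SHA256:constructed
Jul 01 02:15:03 bastion sshd[4120]: fatal: Timeout before authentication for 203.0.113.7 port 51234
Jul 01 02:15:09 bastion sshd[4122]: fatal: Timeout before authentication for 203.0.113.7 port 51240
Jul 01 02:15:15 bastion sshd[4125]: fatal: Timeout before authentication for 203.0.113.7 port 51251
Jul 01 02:15:20 bastion sshd[4131]: fatal: Timeout before authentication for 203.0.113.7 port 51263
Jul 01 02:15:26 bastion sshd[4133]: fatal: Timeout before authentication for 203.0.113.7 port 51270
Jul 01 02:15:31 bastion sshd[4140]: fatal: Timeout before authentication for 203.0.113.7 port 51288
Jul 01 02:16:40 bastion sshd[4150]: fatal: Timeout before authentication for 198.51.100.4 port 40310
Jul 01 02:17:00 bastion sshd[4152]: Connection closed by 198.51.100.4 port 40312 [preauth]
Jul 01 02:40:10 bastion sshd[4301]: fatal: Timeout before authentication
"""


def parse_timeouts(log_text, year=2024):
    """Return [(datetime, ip)] for every timeout line; ip is 'unknown' when
    the message carries no source address. Syslog timestamps lack a year,
    so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = TIMEOUT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip") or "unknown"))
    return events


def timeouts_per_source(events):
    """Plain per-address totals for the exposure window being audited."""
    counts = defaultdict(int)
    for _, ip in events:
        counts[ip] += 1
    return dict(counts)


def burst_sources(events, window_seconds=600, threshold=5):
    """Sources with at least `threshold` timeouts inside any window of
    `window_seconds`. A lone timeout is ordinary noise (scanners, dropped
    clients); a sustained burst from one address is the pattern worth
    escalating, since the exploit is hard and needs many attempts.
    Window and threshold are assumptions for this example."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until it covers only the last
            # window_seconds ending at t, then record the span length.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    events = parse_timeouts(SAMPLE_LOG)
    print("per source:", timeouts_per_source(events))
    print("bursts:", burst_sources(events))
```

On a real host the input would be `journalctl -u ssh` (or `-u sshd`) output or `/var/log/auth.log` for the exposure window; lines attributed to `unknown` are worth keeping in the count because they may come from the period before the log format carried the source address.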

The prompt

You are remediating CVE-2024-6387 (regreSSHion) on this host
or in this system image. Output exactly one of:

- A PR / change request upgrading OpenSSH and (optionally)
  applying the `LoginGraceTime 0` mitigation, plus an IR
  checklist for the operator.
- A TRIAGE.md if the host has been running affected `sshd`
  on the public internet for an extended period.

This recipe is **not** auto-merge. The agent produces the PR;
the operator restarts `sshd` and decides on IR scope.

## Step 0 — Detect

1. Read OpenSSH server version: `sshd -V 2>&1 | head -1`.
2. Confirm the host is glibc Linux: `ldd --version | head -1`.
3. Read `/etc/ssh/sshd_config` for the current
   `LoginGraceTime` value.
4. Determine network exposure: is `sshd` listening on a
   public interface? Is it firewalled to a bastion?

## Step 1 — Classify

- **Not on glibc Linux** or **OpenSSH outside the affected
  window:** document and stop.
- **Affected, not network-reachable from untrusted nets:**
  upgrade + restart, no IR escalation.
- **Affected, network-reachable from the public internet for
  an extended window:** treat as potentially compromised.
  Write the IR checklist; do not auto-rotate keys.

## Step 2 — Upgrade

1. `apt upgrade openssh-server` /
   `dnf upgrade openssh-server` to the distro's patched
   version.
2. Verify the new version: `sshd -V`.
3. The PR body lists `systemctl restart sshd` as an
   operator action. The agent does not restart the service.

## Step 3 — Mitigate (interim)

If the upgrade cannot ship immediately, propose a config
change:

```
# In /etc/ssh/sshd_config
LoginGraceTime 0
MaxStartups 10:30:100
```

`LoginGraceTime 0` removes the alarm entirely. Tighten
`MaxStartups` to keep an attacker from holding open many
slots. Recommend a `systemctl reload sshd` after the change.

## Step 4 — IR checklist (compromised classification)

The TRIAGE.md must include:

- Rotate SSH host keys.
- Audit `auth.log` / `journalctl -u ssh` for
  `Timeout before authentication` lines and unusual login
  patterns during the exposure window.
- Rotate any secret that lived in `sshd`'s process memory
  during the window: pam credentials, host certificates,
  any `AuthorizedKeysCommand` script outputs.
- Audit any deploy / CI workflows that authenticated to this
  host during the window.
- Rebuild any artifact produced on the host while it was
  affected and reachable.

## Stop conditions

- The host is non-glibc Linux (musl, BSD) — not affected.
- The host's distro has no patched OpenSSH packaged yet.
  Apply the `LoginGraceTime 0` mitigation; triage with a
  note about the missing package.
- The host's exposure window is unclear or the auth log
  rotation has lost evidence.

## Scope

- Do not modify SSH client configuration.
- Do not modify firewall rules — mention them in the PR body
  as a reviewer-considered defence-in-depth.
- Do not bundle unrelated CVEs.
- Do not run `systemctl restart sshd`. Restarting `sshd` is
  the operator's call (severs in-flight sessions).

Verification — what the reviewer looks for

  • The package version after upgrade matches the distro’s patched version.
  • If the mitigation was applied: LoginGraceTime 0 is present and MaxStartups is sane.
  • The PR body’s IR scope matches the host’s exposure classification — the reviewer doesn’t accept “it was internal” without seeing how that was confirmed.
  • For compromised classification, confirm the IR actions were carried out before merge.

Watch for

  • Distro version strings. Some distros backport patches without bumping the upstream version string. The authoritative check is the distro advisory, not sshd -V.
  • Custom-compiled OpenSSH. Hosts running OpenSSH built from source do not get the distro patch. Treat as a separate remediation; rebuild from a clean tree.
  • MaxStartups interactions. Setting LoginGraceTime 0 without raising MaxStartups can become an availability bug — clients that never complete authentication hold their slots forever. Tune both together.
  • Bastion-only exposure isn’t no exposure. A bastion that itself is reachable becomes the same target. The IR scope should follow the chain.
  • Containerised sshd. Some images run sshd for management. Image bumps follow the base-image workflow; this recipe applies to the package inside the container.

Related