CVE-2024-6387 — regreSSHion

A race condition in OpenSSH’s sshd signal handler — a regression of an older 2006-era issue (CVE-2006-5051) — re-enabled remote RCE as root on glibc Linux servers running affected sshd. The bug is reached through the LoginGraceTime SIGALRM handler; the exploit is hard but demonstrably real (Qualys published proof of concept).

Affected versions

  • OpenSSH versions earlier than 4.4p1 — vulnerable to the original 2006 issue (and to this one if other patches weren’t backported).
  • OpenSSH 4.4p1 through 8.5p1 — not vulnerable (the 2006 fix held).
  • OpenSSH 8.5p1 through 9.7p1 — vulnerable (regression reintroduced).
  • OpenSSH 9.8p1+ — patched.

OpenBSD’s native OpenSSH is not affected (the bug is glibc-specific). Linux distros backport patches at varying speeds; the right reference is your distro’s advisory.

Indicator-of-exposure

Detection:

ssh -V    # Reports the OpenSSH version
sshd -V 2>&1 | head -1   # Sometimes more accurate

# Also verify against the distro advisory
apt-cache policy openssh-server
dnf info openssh-server

Sufficient exposure conditions:

  • glibc Linux (i.e., not OpenBSD, FreeBSD, musl Alpine).
  • OpenSSH version in the 8.5p1–9.7p1 window.
  • sshd reachable by an attacker.
  • Default LoginGraceTime (120 seconds). The mitigation setting is LoginGraceTime 0, which closes the race window by removing the alarm.

A network-isolated sshd (only reachable from a bastion or internal-only) is a smaller exposure surface but still vulnerable to anyone who reaches the bastion.

Remediation strategy

  • Upgrade OpenSSH to 9.8p1+ via the distro’s package manager.
  • Mitigate with LoginGraceTime 0 in /etc/ssh/sshd_config until the upgrade lands. This removes the alarm-based race entirely; the cost is that a client hanging the auth handshake holds an sshd slot forever (a MaxStartups setting becomes load-bearing).
  • Restart sshd after either action.
  • Audit auth logs for unexplained sshd[<pid>]: fatal: Timeout before authentication messages — the published exploit signatures the failure pattern.
  • Treat as compromised any host whose sshd was the affected version and network-reachable to untrusted networks for an extended window. Rotate host keys; rotate any secret accessible from sshd’s process memory.

When to use it

Use this recipe when a Linux host, container image, appliance, VM base image, or infrastructure repository may run affected OpenSSH sshd on glibc Linux. It is most important for public or bastion-reachable servers, management containers, CI images, golden images, or fleets where sshd exposure and restart ownership are split across teams.

Use it to distinguish package remediation from incident response: upgrade or mitigate, identify the restart owner, classify exposure, and produce host-key rotation and log-review actions when the service was reachable. Do not use it to bundle unrelated SSH hardening or firewall redesign into the same change.

Inputs

  • Host inventories, image manifests, SBOMs, package locks, distro advisories, Terraform/Ansible/cloud-init/Packer config, container Dockerfiles, SSHD config, systemd units, and operational runbooks.
  • OpenSSH server version evidence from sshd -V, package managers, image scans, distro backport advisories, custom build metadata, and runtime inventory.
  • Platform and exposure evidence: glibc vs musl/BSD, listening interfaces, firewall/bastion controls, LoginGraceTime, MaxStartups, public internet reachability, auth logs, and exposure-window timing.
  • Operator-owned secrets and trust anchors reachable by sshd: host keys, host certificates, PAM/AuthorizedKeysCommand outputs, deploy credentials, CI credentials, and artifacts produced on the host.
  • Change-control constraints for package upgrades, config mitigation, reload or restart timing, session impact, auth-log retention, key rotation, and host rebuilds.

The prompt

You are remediating CVE-2024-6387 (regreSSHion) on this host
or in this system image. Output exactly one of:

- A PR / change request upgrading OpenSSH and (optionally)
  applying the `LoginGraceTime 0` mitigation, plus an IR
  checklist for the operator.
- A TRIAGE.md if the host has been running affected `sshd`
  on the public internet for an extended period.

This recipe is **not** auto-merge. The agent produces the PR;
the operator restarts `sshd` and decides on IR scope.

## Step 0 — Detect

1. Read OpenSSH server version: `sshd -V 2>&1 | head -1`.
2. Confirm the host is glibc Linux: `ldd --version | head -1`.
3. Read `/etc/ssh/sshd_config` for the current
   `LoginGraceTime` value.
4. Determine network exposure: is `sshd` listening on a
   public interface? Is it firewalled to a bastion?

## Step 1 — Classify

- **Not on glibc Linux** or **OpenSSH outside the affected
  window:** document and stop.
- **Affected, not network-reachable from untrusted nets:**
  upgrade + restart, no IR escalation.
- **Affected, network-reachable from the public internet for
  an extended window:** treat as potentially compromised.
  Write the IR checklist; do not auto-rotate keys.

## Step 2 — Upgrade

1. `apt upgrade openssh-server` /
   `dnf upgrade openssh-server` to the distro's patched
   version.
2. Verify the new version: `sshd -V`.
3. The PR body lists `systemctl restart sshd` as an
   operator action. The agent does not restart the service.

## Step 3 — Mitigate (interim)

If the upgrade cannot ship immediately, propose a config
change:

```
# In /etc/ssh/sshd_config
LoginGraceTime 0
MaxStartups 10:30:100
```

`LoginGraceTime 0` removes the alarm entirely. Tighten
`MaxStartups` to keep an attacker from holding open many
slots. Recommend a `systemctl reload sshd` after the change.

## Step 4 — IR checklist (compromised classification)

The TRIAGE.md must include:

- Rotate SSH host keys.
- Audit `auth.log` / `journalctl -u ssh` for
  `Timeout before authentication` lines and unusual login
  patterns during the exposure window.
- Rotate any secret that lived in `sshd`'s process memory
  during the window: pam credentials, host certificates,
  any `AuthorizedKeysCommand` script outputs.
- Audit any deploy / CI workflows that authenticated to this
  host during the window.
- Rebuild any artifact produced on the host while it was
  affected and reachable.

## Stop conditions

- The host is non-glibc Linux (musl, BSD) — not affected.
- The host's distro has no patched OpenSSH packaged yet.
  Apply the `LoginGraceTime 0` mitigation; triage with a
  note about the missing package.
- The host's exposure window is unclear or the auth log
  rotation has lost evidence.

## Scope

- Do not modify SSH client configuration.
- Do not modify firewall rules — mention them in the PR body
  as a reviewer-considered defence-in-depth.
- Do not bundle unrelated CVEs.
- Do not run `systemctl restart sshd`. Restarting `sshd` is
  the operator's call (severs in-flight sessions).

Verification — what the reviewer looks for

  • The package version after upgrade matches the distro’s patched version.
  • If the mitigation was applied: LoginGraceTime 0 is present and MaxStartups is sane.
  • The PR body’s IR scope matches the host’s exposure classification — the reviewer doesn’t accept “it was internal” without seeing how that was confirmed.
  • For compromised classification, confirm the IR actions were carried out before merge.

Watch for

  • Distro version strings. Some distros backport patches without bumping the upstream version string. The authoritative check is the distro advisory, not sshd -V.
  • Custom-compiled OpenSSH. Hosts running OpenSSH built from source do not get the distro patch. Treat as a separate remediation; rebuild from a clean tree.
  • MaxStartups interactions. Setting LoginGraceTime 0 without raising MaxStartups can become an availability bug — clients failing-to-authenticate hold slots forever. Tune both together.
  • Bastion-only exposure isn’t no exposure. A bastion that itself is reachable becomes the same target. The IR scope should follow the chain.
  • Containerised sshd. Some images run sshd for management. Image bumps follow the base-image workflow; this recipe applies to the package inside the container.

Output contract

Return one of:

  • A reviewer-ready PR/change request that upgrades the controlled OpenSSH package or image, optionally applies LoginGraceTime 0 with sane MaxStartups as an interim mitigation, identifies restart/reload actions, verifies the distro-patched status, and attaches an operator IR checklist.
  • TRIAGE.md when public or unclear exposure requires incident handling, no patched distro package is available, custom-compiled OpenSSH must be rebuilt outside this repository, or restart/host-key rotation ownership is external.

The output must list OpenSSH version evidence, distro advisory status, glibc status, exposure path, LoginGraceTime and MaxStartups, restart owner, auth-log review commands, host keys or secrets requiring rotation, and validation commands. It must not restart production sshd, modify SSH client config, silently change firewall rules, or bundle unrelated CVEs.

References