Tag Archives: regreSSHion

July Linux Patch Wednesday

July Linux Patch Wednesday. There are 705 vulnerabilities, of which 498 are in the Linux Kernel. There are no vulnerabilities with signs of exploitation in the wild yet, 11 have public exploits.

🔻 RCE – OpenSSH “regreSSHion” (CVE-2024-6387) is in the absolute top with many variations of exploits on GitHub. Mind the malicious fakes (❗️). I will also mention a similar vulnerability RCE – OpenSSH (CVE-2024-6409) with no exploits yet.
🔻 Public PoC links for DoS in Suricata (CVE-2024-38536) and QEMU (CVE-2024-3567).

According to BDU, public exploits exist for:

🔸 AuthBypass – RADIUS Protocol (CVE-2024-3596), it was also fixed in the July MSPT
🔸 Security Feature Bypass – Exim (CVE-2024-39929) – mime_filename blocking bypass, as well as in Nextcloud (CVE-2024-22403) – eternal OAuth codes
🔸 DoS – OpenTelemetry (CVE-2023-45142)
🔸 Memory Corruption – 7-Zip (CVE-2023-52168)

🗒 Vulristics report on July Linux Patch Wednesday

На русском

Attackers are distributing malware on social networks under the guise of the regreSSHion exploit (CVE-2024-6387)

Leave a reply

Attackers are distributing malware on social networks under the guise of the regreSSHion exploit (CVE-2024-6387). According to Kaspersky Lab experts, this is an attack on cybersecurity specialists. The attackers invite victims to examine an archive that supposedly contains a functional regreSSHion exploit, a list of IP addresses, and some payload.

🔻 The source code resembles a slightly edited version of a non-functional proof-of-concept exploit for this vulnerability that was already public.

🔻 One of the Python scripts simulates the exploitation of the vulnerability on IP addresses from the list. But in reality, it launches malware that achieves persistence in the system and downloads additional payload. The malware modifies /etc/cron.hourly and the operation of the ls command.

If you are examining someone else’s code, do so in a securely isolated environment and be aware that you may be attacked this way. 😉

На русском

OpenSSH “regreSSHion” RCE with root privileges (CVE-2024-6387)

Leave a reply

OpenSSH “regreSSHion” RCE with root privileges (CVE-2024-6387). The vulnerability was discovered by Qualys. An unauthenticated remote attacker can execute arbitrary code as root. It sounds creepy. 😱🙂

This vulnerability is a regression of the CVE-2006-5051. For it, by the way, there are no signs of exploitation in the wild or exploits.

🔻 The regression happened in October 2020, starting with OpenSSH version 8.5p1
🔻 “glibc-based Linux systems” in default configuration are vulnerable, OpenBSD is not vulnerable
🔻 There are 14 million potentially vulnerable hosts on the Internet
🔻 Qualys promise not to publish the exploit, but third-party researchers can write it based on the detailed write-up

Vulnerable versions:

❌ OpenSSH < 4.4p1
❌ 8.5p1 <= OpenSSH < 9.8p1 Invulnerable versions: ✅ 4.4p1 <= OpenSSH < 8.5p1
✅ OpenSSH >= 9.8p1

Upd. Attacking a 32-bit system with ASLR in laboratory conditions took 6-8 hours. Apparently the process is not so easy. 😉

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: regreSSHion

July Linux Patch Wednesday

Attackers are distributing malware on social networks under the guise of the regreSSHion exploit (CVE-2024-6387)

OpenSSH “regreSSHion” RCE with root privileges (CVE-2024-6387)