CVE-2024-6387 – OpenSSH regreSSHion RCE

Posted by: Zur Ulianitzky
July 02, 2024
Getting your Trinity Audio player ready...


On Monday, July 1st, researchers from OpenSSH released a security update for a newly identified vulnerability which is being tracked as CVE-2024-6387, and has a CVSS score of 8.1. It has been dubbed regreSSHion and allows unauthenticated Remote Code Execution.

Since OpenSSH is widely used, this vulnerability may affect a large number of devices. This vulnerability is named “regreSSHion” as it was patched before for CVE-2006-5051 but has reappeared on newer versions of OpenSSH.

Due to the nature of this vulnerability, it would take multiple login attempts and hours to exploit the vulnerability. This reduces the likelihood of exploitation.

What Does CVE-2024-6387 Refer to?

A vulnerability was found in the default configuration of the OpenSSH server (sshd), related to a race condition in its signal handling. Specifically, if an SSH client fails to authenticate within the LoginGraceTime period (typically 120 seconds), the SIGALRM (signal alarm) handler is triggered asynchronously. 

However, certain functions called by this handler, such as syslog(), are not safe for use in async-signal contexts. In Linux distributions based on glibc, syslog() can invoke the async-signal-unsafe functions malloc() and free() under specific circumstances. If interrupted during a call to either of these functions by code that also interacts with the heap, it could potentially result in heap corruption. This could then be exploited to manipulate the heap in such a way as to execute arbitrary code with the root privileges of the sshd process.

Impact on XM Cyber customers

We analyzed our own environment and have verified that we are not exposed to this vulnerability. 

Who is Impacted?

  • OpenSSH versions 8.5p1 – 9.7p1
  • OpenSSH versions prior to version 4.4p1

A POC exploiting this vulnerability exists for Linux distributions based on glibc. At the moment, exploiting this vulnerability on Windows and Mac operating systems is not certain.

What to do Next?

  1. Identify all devices running vulnerable versions of OpenSSH. This can be done manually or by using open source scanners.
  2. If openssh can be updated, patch asap.
  3. If updating openssh is not possible, as a possible mitigation, set LoginGraceTime to 0 in the config file. This exposes the device to denial of service but prevents the RCE. 

Identifying regreSSHion with XM Cyber

XM Cyber continuously monitors the entire infrastructure. The XM Cyber Research team is currently in the process of building a technique to enable customers to identify the regreSSHion vulnerability in their environments. We will update this advisory with new information as it becomes available.

Now you can test which external facing machines are vulnerable to this risk with XM Cyber’s External Attack Surface Management (EASM) capability. With continuous monitoring, automated scanning, and real-time data, XM Cyber EASM can detect and alert on vulnerable versions of OpenSSH. If detected, the platform provides step-by-step guidance on how to address this vulnerability.

In addition, your Customer Success Manager and the sales engineers proactively provide raw data of all your vulnerable machines. As needed, you can ask us for an updated list that includes regreSShion.

We will update this advisory with new information as it becomes available.


OpenSSH is widely used and thus, this vulnerability may potentially impact many organizations. Therefore, it’s very important to patch systems as fast as possible in order to be secured. At the same time, as discussed above, the likelihood of being impacted is low as long as an environment is protected adequately. The XM Cyber Research team will continue updating this blog advisory as more details emerge and a relevant patch is provided.

At XM Cyber, our goal is to keep you informed and vigilant. That’s why we compile Exposures Exposed, a LinkedIn newsletter with over 7K subscribers, delivering weekly updates and insights straight to your feed.


  1. Official Advisory 



Zur Ulianitzky

Find and fix the exposures that put your critical assets at risk with ultra-efficient remediation.

See what attackers see, so you can stop them from doing what attackers do.