Overview
regreSSHion (CVE-2024-6387), discovered by Qualys in July 2024, is a signal handler race condition in sshd enabling unauthenticated remote code execution as root. It is a regression of CVE-2006-5051, reintroduced in OpenSSH 8.5p1.
Affected Versions
- OpenSSH 8.5p1 – 9.7p1 — VULNERABLE
- OpenSSH 9.8p1+ — PATCHED
How It Works
When a client fails to authenticate within LoginGraceTime (default: 120s), sshd's SIGALRM handler is invoked asynchronously. The handler calls syslog(), which is not async-signal-safe. On glibc systems this creates a heap corruption race condition that can redirect execution.
# Check your version
ssh -V
# Temporary mitigation: set this directive in /etc/ssh/sshd_config
LoginGraceTime 0
# Reload sshd to apply the change
systemctl reload sshd
Patch and Hardening
- Upgrade to OpenSSH 9.8p1+ — the only complete fix
- Set LoginGraceTime 0 as an immediate temporary mitigation
- Deploy fail2ban or CrowdSec to rate-limit authentication attempts
- Restrict SSH to VPN or trusted IP ranges on public-facing servers
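
The version check and the LoginGraceTime mitigation above, combined into one audit script. This is an added example, not part of the original page: the function names and the sample strings are constructed for illustration, and the version thresholds are the ones listed under Affected Versions.

```shell
#!/bin/sh
# Added example. Classifies an OpenSSH version string against the ranges
# listed on this page and reads LoginGraceTime from `sshd -T` output.

# classify_openssh STRING -> vulnerable | patched | not-listed | unknown
classify_openssh() {
    # Pull "major minor" out of e.g. "OpenSSH_9.6p1 Ubuntu-3ubuntu13, ..."
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || { echo unknown; return; }
    set -- $ver                      # $1 = major, $2 = minor
    n=$(( $1 * 100 + $2 ))
    if   [ "$n" -ge 908 ]; then echo patched       # 9.8p1 and later
    elif [ "$n" -ge 805 ]; then echo vulnerable    # 8.5p1 through 9.7p1
    else echo not-listed                           # below the page's range
    fi
}

# grace_time_status: reads `sshd -T` output (effective config) on stdin
grace_time_status() {
    val=$(awk 'tolower($1) == "logingracetime" { print $2; exit }')
    case "$val" in
        "") echo unknown ;;
        # 0 disables the SIGALRM timer; unauthenticated connections then
        # never time out and can occupy MaxStartups slots.
        0)  echo mitigated ;;
        *)  echo "timer-active:$val" ;;
    esac
}

# Constructed sample inputs so the script runs offline.
for s in 'OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13' \
         'SSH-2.0-OpenSSH_9.8p1' 'OpenSSH_8.4p1 Debian-5'; do
    printf '%-50s %s\n' "$s" "$(classify_openssh "$s")"
done
printf 'port 22\nlogingracetime 120\n' | grace_time_status

# Live use (the second command needs root):
#   classify_openssh "$(ssh -V 2>&1)"
#   sshd -T | grace_time_status
```

Distribution packages often backport the fix without changing the upstream version string, so treat a `vulnerable` result as a prompt to check the vendor's advisory for the installed package revision.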