CVE-2024-6387 regreSSHion
Overview
On July 1, 2024, CVE-2024-6387 (nicknamed "regreSSHion") was published: affected OpenSSH server versions are vulnerable to unauthenticated remote code execution (RCE). The bug is a regression of a previously fixed CVE.
This article walks you through some remediation steps for SFTP Gateway version 3 servers.
(Last updated 7/2/2024)
Manual Remediation
The first thing you want to do is to manually remediate the CVE vulnerability.
SSH into the server and run the following commands:
sudo su
cd /etc/ssh/
cp -a sshd_config sshd_config.orig
These preparation steps elevate your privileges and back up the sshd_config file before any changes are made.
Next, append the following line to the sshd_config file:
LoginGraceTime 0
To apply your changes, restart the OpenSSH service:
systemctl restart sshd
Setting LoginGraceTime to 0 makes your server safe from this vulnerability. Here are additional details from cve.org:
A signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog().
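The steps above append the directive to the end of sshd_config. One detail worth knowing when you script this: sshd takes the first value it finds for a keyword, so an appended LoginGraceTime 0 is silently ignored if the directive is already set earlier in the file (or in a drop-in pulled in by an Include line near the top, as on recent Debian/Ubuntu builds). The following helper is an added example, not part of the SFTP Gateway article: it backs up the file, disables any existing active LoginGraceTime line, appends the mitigation, and reports the value sshd would actually use. The function names and the sample config used in the comments are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): apply "LoginGraceTime 0" to an
# sshd_config file idempotently and check the effective value.
#
# sshd_config rules this relies on:
#   * keywords are case-insensitive
#   * the FIRST occurrence of a keyword wins, later ones are ignored
# Hence an appended line only takes effect if no earlier active line exists.

# set_login_grace_zero FILE
# Keeps FILE.orig as a backup (only if no backup exists yet), comments out any
# active LoginGraceTime line, then appends the mitigation at the end.
set_login_grace_zero() {
    cfg="$1"
    [ -f "$cfg.orig" ] || cp -a "$cfg" "$cfg.orig"
    tmp="$cfg.tmp.$$"
    awk 'tolower($1) == "logingracetime" {
             print "# disabled for CVE-2024-6387 mitigation: " $0
             next
         }
         { print }' "$cfg" > "$tmp"
    printf '\n# CVE-2024-6387 (regreSSHion) mitigation\nLoginGraceTime 0\n' >> "$tmp"
    mv "$tmp" "$cfg"
}

# effective_login_grace FILE
# Prints the LoginGraceTime value sshd would use (first active match),
# or "default" when the directive is not set in this file at all.
effective_login_grace() {
    v=$(awk 'tolower($1) == "logingracetime" { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'default\n'; fi
}

# Usage on a server (as root), validating the config before restarting:
#   set_login_grace_zero /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
#   effective_login_grace /etc/ssh/sshd_config     # expected: 0
# If sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf", also
# check those drop-ins, since a LoginGraceTime set there is read first.
```

Always run sshd -t before the restart; a typo in sshd_config would otherwise leave you without remote access. Note also that with LoginGraceTime 0 unauthenticated connections never time out, so the only ceiling on them is MaxStartups. Keep the network restrictions described further down in place as well.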
Other Mitigation Steps
Run OS Updates
CVE-2024-6387 affects OpenSSH versions from 8.5p1 up to, but not including, 9.8p1.
You can check the current version of OpenSSH using this command:
sshd -V
If your version of OpenSSH falls within the vulnerable range, you should run OS updates.
Note: The version number reported by OpenSSH will likely not change, since distributions backport fixes to the existing package version. However, if patches are available in your Linux distribution's repositories, make sure they get applied.
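To turn the version check into something scriptable across a fleet, the function below parses the banner that sshd -V prints and reports whether it falls in the range named above (8.5p1 up to but not including 9.8p1). It is an added example, not code from the SFTP Gateway article; the banner strings in the comments are constructed samples of the real output format.

```shell
#!/bin/sh
# Added example (not from the article): classify an "sshd -V" banner against
# the affected range 8.5p1 <= version < 9.8p1.
#
# Sample banner (constructed, but in the real format):
#   "OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024"
# Note that sshd -V writes the banner to stderr, hence the 2>&1 in the usage.

# is_in_vulnerable_range BANNER
# Returns 0 if the version is inside the affected range, 1 if outside,
# 2 if the banner could not be parsed.
is_in_vulnerable_range() {
    ver=$(printf '%s\n' "$1" | sed -nE 's/^OpenSSH_([0-9]+)\.([0-9]+).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    # Encode major.minor as one integer: 8.5 -> 805, 9.8 -> 908.
    n=$((major * 100 + minor))
    [ "$n" -ge 805 ] && [ "$n" -lt 908 ]
}

# Usage on a server:
#   if is_in_vulnerable_range "$(sshd -V 2>&1)"; then
#       echo "version in affected range; check distro changelog for a backport"
#   fi
```

Treat the result as a prompt to look further, not as a verdict: as noted above, distributions patch the package without bumping the upstream version, so a banner inside the range may already carry the fix. The package changelog (apt changelog openssh-server on Debian/Ubuntu, rpm -q --changelog openssh-server on RHEL-family systems) is where to confirm that.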
Restrict Network Ingress Rules
On SFTP Gateway servers, the OpenSSH service listens on port 2222. This is because the custom SFTP Gateway Java application is listening on port 22 (and a port can only be bound by one service).
Take a moment to verify that only an allowlist of sysadmin IP addresses can reach port 2222. Pay close attention and make sure there are no rules allowing 0.0.0.0/0, which is the entire internet.
Note: A rule for 0.0.0.0/0 on port 22 is acceptable. This is because the SFTP Gateway Java application listens on 22 and only allows the SFTP protocol (i.e. it denies SSH traffic).