CVE-2024-6387 — regreSSHion — OpenSSH signal-handler race
Race condition in sshd's SIGALRM handler that calls async-signal-unsafe functions, leaving the heap in an inconsistent state. With sufficient timing, an unauthenticated attacker can exploit this for remote code execution as root on glibc-based Linux. Disclosed by Qualys on 2024-07-01, patched in OpenSSH 9.8.
TL;DR
- Pre-auth RCE as root on glibc Linux. Patient (~6-8 hours) but feasible.
- Affected: OpenSSH 8.5p1 — 9.7p1. OpenBSD's libc isn't affected.
- Mitigation if you can't patch immediately: LoginGraceTime 0 in sshd_config (opens a DoS vector but blocks this CVE).
- Fix: upgrade to OpenSSH 9.8 or your distro's backport (per-distro versions in the table below).
- Realistic homelab risk: high if you expose sshd to the internet on an unpatched stable distro.
At a glance
| CVE ID | CVE-2024-6387 |
|---|---|
| Severity | High (CVSS 8.1) |
| CVSS 3.1 score | 8.1 |
| CVSS vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-364 (Signal Handler Race Condition) |
| EPSS (probability of exploit, 30-day) | 0.9+ |
| CISA KEV listed | No (as of this writing — widely exploited in opportunistic scanning, but not yet added to CISA KEV) |
| Published | 2024-07-01 |
| Last updated (NVD) | 2024-07-15 |
Affected versions and fix paths
Per-distro fix versions for the packages most homelab fleets run. Match the installed version on your host against the vulnerable column; upgrade to the fixed column.
| Package / distro | Vulnerable | Fixed in |
|---|---|---|
| OpenSSH upstream | 8.5p1 — 9.7p1 | 9.8 (or distro backport) |
| Ubuntu 22.04 LTS | 1:8.9p1-3ubuntu0.10 and earlier | 1:8.9p1-3ubuntu0.10+esm2 |
| Ubuntu 24.04 LTS | 1:9.6p1-3ubuntu13 and earlier | 1:9.6p1-3ubuntu13.3 |
| Debian 12 (Bookworm) | 1:9.2p1-2+deb12u2 and earlier | 1:9.2p1-2+deb12u3 |
| Rocky Linux 9 / RHEL 9 | openssh-server-8.7p1-38.el9 and earlier | openssh-server-8.7p1-38.el9_4.1 |
| AlmaLinux 9 | openssh-server-8.7p1-38.el9 and earlier | openssh-server-8.7p1-38.el9_4.1 |
| OpenBSD | Not affected (different libc) | n/a |
| OpenSSH < 4.4p1 | Not affected (bug introduced in 8.5p1 regression) | n/a |
Quick scan check
Run this on each homelab host to determine the installed OpenSSH version, then compare it against the table above.

```sh
# ssh -V reports the client binary's version. openssh-client and openssh-server are
# separate packages on every distro in the table, so confirm with the server package.
ssh -V 2>&1
# Compare to per-distro fix table above
# Or check the package version directly (this is the string the table uses):
dpkg -s openssh-server 2>/dev/null | grep ^Version   # Debian / Ubuntu
rpm -q openssh-server                                 # RHEL / Rocky / Alma
```
Anything below the per-distro fix version is vulnerable. On Debian/Ubuntu, a patched package carries the security update suffix (+esm2 / +deb12u3) in its version string; a version without that suffix has not received the fix.
What Noxen does about this
Noxen flags every SSH-server host running an unpatched OpenSSH version in the affected range. Because the affected package is openssh-server on every major distro, the SSH-key inventory probe doubles as the regreSSHion check — you don't need a separate setup step.
The deep-dive
For the full narrative — disclosure timeline, exploit mechanics, defence-in-depth context, and homelab-shape risk assessment — read regreSSHion (CVE-2024-6387) — what every homelab operator should know on the Noxen blog.
Authoritative sources
- NVD entry for CVE-2024-6387
- cve.org record
- FIRST EPSS API for CVE-2024-6387
- CISA KEV catalogue (search for CVE-2024-6387)