CVE-2024-6387 - OpenSSH RegreSSHion RCE

RegreSSHion Vulnerability (CVE-2024-6387) On July 1, 2024, a critical signal handler race condition vulnerability was disclosed in OpenSSH servers (sshd) on glibc-based Linux systems. This vulnerability, known as RegreSSHion and tracked as CVE-2024-6387, can result in unauthenticated remote code execution (RCE) with root privileges. This vulnerability has been rated High severity (CVSS 8.1). #### Impacted Versions The vulnerability impacts the following OpenSSH server versions: - OpenSSH versions between 8.5p1 and 9.8p1 - OpenSSH versions earlier than 4.4p1, if they have not been backport-patched against CVE-2006-5051 or patched against CVE-2008-4109 #### Unaffected Versions The SSH features in PAN-OS are not affected by CVE-2024-6387. ### The playbook includes the following tasks: **Collect, Extract and Enrich Indicators** * Collect known indicators from Unit42 blog **Threat Hunting** * Searches vulnerable endpoints using Prisma Cloud and Cortex XDR - XQL queries **Mitigations:** * OpenSSH official CVE-2024-6387 patch * Unit42 recommended mitigations **This playbook should be triggered manually or can be configured as a job.** Please create a new incident and choose the CVE-2024-6387 - OpenSSH RegreSSHion RCE playbook and Rapid Breach Response incident type. Reference: [Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability ](https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/). Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

CVE-2024-6387 - OpenSSH RegreSSHion RCE · 23 tasks · 4 inputs · 0 outputs

Inputs

  • PlaybookDescription — The playbook description to populate the layout with.
  • RunXQLHuntingQueries — Whether to execute the XQL query.
  • ShouldSendMail — Whether to notify the SOC by email.
  • SOCEmailAddress — The email address to notify

Commands used

createNewIndicator enrichIndicators extractIndicators prisma-cloud-compute-ci-scan-results-list send-mail xdr-xql-generic-query

Flowchart

yes no yes yes yes Start Start Collect Indicators from Unit42 - ParseHTMLIndicators Collect Indicators from U... ParseHTMLIndicators Extract and Tag Indicators Extract and Tag Indicators Create indicators in TIM - createNewIndicator Create indicators in TIM createNewIndicator Extract Indicators - extractIndicators Extract Indicators extractIndicators Collect Indicators Collect Indicators Handle Rapid Breach Response Layout Handle Rapid Breach Respo... Rapid Breach Response - Set Incident Info - Rapid Breach Response - Set Incident Info Rapid Breach Response - S... Rapid Breach Response - Set I... Threat Hunting Threat Hunting Unit42 Managed Threat Hunting Queries Unit42 Managed Threat Hun... Prisma Cloud Prisma Cloud Should run XQL hunting queries? Should run XQL hunting qu... Check if Cortex XDR - XQL Query Engine is Enabled - IsIntegrationAvailable Check if Cortex XDR - XQL... IsIntegrationAvailable Hunt to identify hosts vulnerable to CVE-2024-6387 - xdr-xql-generic-query Hunt to identify hosts vu... xdr-xql-generic-query Were vulnerable endpoints found? Were vulnerable endpoints... Search for vulnerable resources - prisma-cloud-compute-ci-scan-results-list Search for vulnerable res... prisma-cloud-compute-ci-scan-... Mitigation Mitigation Hold for an update regarding the endpoint mitigation Hold for an update regard... Done Done Recommended Mitigations - PrettyPrint Recommended Mitigations PrettyPrint Notify the SOC about the vulnerable endpoints - send-mail Notify the SOC about the ... send-mail Should notify the SOC by email? Should notify the SOC by ... Enrich Indicators - enrichIndicators Enrich Indicators enrichIndicators