The vulnerability named “regreSSHion” (CVE-2024-6387) affects the OpenSSH daemon (sshd) from version 8.5p1 up to, but not including, 9.8p1, the upstream release that fixes it. Discovered and reported by Qualys, the flaw is a signal handler race condition: when a client fails to authenticate within LoginGraceTime, sshd's SIGALRM handler calls functions that are not async-signal-safe (such as syslog()), and an attacker who wins the race against that timer can obtain unauthenticated remote code execution as root. Qualys demonstrated this on 32-bit glibc-based Linux; the race is expected to be exploitable on 64-bit as well, although no working 64-bit exploit was published.
Versions 4.4p1 through 8.4p1 are not affected. The bug is a regression of CVE-2006-5051, which was fixed in 4.4p1, so builds older than 4.4p1 are exposed too unless they were patched for that earlier issue.
Update the openssh-server package to a fixed revision (Ubuntu backported the fix rather than moving to 9.8p1, so the package version, not the upstream version, tells you whether you are patched):
sudo apt update && sudo apt install openssh-server
Ubuntu Pro users can use:
sudo pro fix CVE-2024-6387
If you cannot update right away, set LoginGraceTime to 0 as a temporary mitigation. This disables the timer the race depends on, but it also lets unauthenticated clients hold connection slots indefinitely, so sshd becomes exposed to denial of service once MaxStartups is exhausted:
echo "LoginGraceTime 0" | sudo tee /etc/ssh/sshd_config.d/cve-2024-6387.conf
sudo systemctl reload ssh.service
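The script below is an added example for this post, not code from the original article, from Ubuntu or from the OpenSSH project. It puts the three steps above into a checkable form: it parses an OpenSSH version string (from `ssh -V` or from the dpkg package version) and decides whether the upstream release is inside the 8.5p1 to 9.8p1 range, compares an Ubuntu package revision against the fixed revisions published in USN-6859-1 (hard-coded here as an assumption; re-check them against the notice), and reads the effective LoginGraceTime out of `sshd -T` output so you can confirm the mitigation actually took effect. The version strings in the demo loop are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether an OpenSSH build is
# inside the regreSSHion range, whether the Ubuntu package revision carries the
# backported fix, and whether the LoginGraceTime mitigation is in effect.
# Assumptions: the Ubuntu fixed revisions below are the ones listed in
# USN-6859-1; builds older than 4.4p1 (the original CVE-2006-5051 bug) are out
# of scope for this check.

# Print "MAJOR MINOR" from strings such as "OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
# "1:8.9p1-3ubuntu0.10" (dpkg version with epoch) or plain "9.6p1".
openssh_major_minor() {
    v=$1
    case $v in [0-9]*:*) v=${v#*:} ;; esac   # drop the Debian epoch "1:"
    v=${v#OpenSSH_}                          # drop the "ssh -V" prefix
    v=${v%%p*}                               # cut at the "p1" portable suffix
    major=${v%%.*}
    minor=${v#*.}
    minor=${minor%%.*}
    printf '%s %s\n' "$major" "$minor"
}

# Exit 0 when the upstream version is in [8.5, 9.8): 8.5p1 introduced the
# regression and 9.8p1 fixed it. A vendor package inside this range may still
# be patched, so ubuntu_fixed_revision must be consulted as well.
openssh_in_regresshion_range() {
    set -- $(openssh_major_minor "$1")
    [ "$1" -eq 8 ] && [ "$2" -ge 5 ] && return 0
    [ "$1" -eq 9 ] && [ "$2" -lt 8 ] && return 0
    return 1
}

# Ubuntu openssh-server revisions carrying the backported fix (USN-6859-1),
# keyed by the upstream version each release ships. 20.04 ships 8.2p1, which
# is outside the range, so it has no entry.
ubuntu_fixed_revision() {
    case $1 in
        8.9) echo 1:8.9p1-3ubuntu0.10 ;;   # 22.04 LTS
        9.3) echo 1:9.3p1-1ubuntu3.6  ;;   # 23.10
        9.6) echo 1:9.6p1-3ubuntu13.3 ;;   # 24.04 LTS
        *)   return 1 ;;
    esac
}

# Print the effective LoginGraceTime from "sshd -T" output, which already
# merges the drop-ins under /etc/ssh/sshd_config.d/. Exit 1 if the key is
# absent from the text.
effective_login_grace_time() {
    printf '%s\n' "$1" | awk '$1 == "logingracetime" { print $2; f = 1; exit }
                              END { if (!f) exit 1 }'
}

# Live check of this host (needs dpkg and an Ubuntu openssh-server package).
check_this_host() {
    pkg=$(dpkg-query -W -f '${Version}' openssh-server 2>/dev/null) || {
        echo "openssh-server is not installed"; return 2; }
    if ! openssh_in_regresshion_range "$pkg"; then
        echo "openssh-server $pkg: upstream version outside the affected range"
        return 0
    fi
    set -- $(openssh_major_minor "$pkg")
    fixed=$(ubuntu_fixed_revision "$1.$2") || {
        echo "openssh-server $pkg: in range, no known fixed revision; upgrade"
        return 1; }
    if dpkg --compare-versions "$pkg" ge "$fixed"; then
        echo "openssh-server $pkg: patched (>= $fixed)"
    else
        echo "openssh-server $pkg: VULNERABLE, upgrade to $fixed or later"
        return 1
    fi
    # sshd -T needs root to read the host keys; silently skip otherwise.
    grace=$(effective_login_grace_time "$(sshd -T 2>/dev/null)") &&
        echo "effective LoginGraceTime: $grace (0 = mitigation active)"
}

# Demo on constructed version strings; pass --live to check the current host.
if [ "${1:-}" = "--live" ]; then
    check_this_host
else
    for v in "OpenSSH_8.2p1 Ubuntu-4ubuntu0.11" "1:8.9p1-3ubuntu0.10" "OpenSSH_9.8p1"; do
        if openssh_in_regresshion_range "$v"; then r=in-range; else r=outside; fi
        echo "$v -> $r"
    done
fi
```

Run it as `sudo sh check-regresshion.sh --live` on the host you are patching. Before reloading sshd with the mitigation drop-in in place, validate the configuration with `sudo sshd -t`, and afterwards confirm the effective value with `sudo sshd -T | grep -i logingracetime`; a value other than 0 means another file (for example a later drop-in or the main sshd_config) is still overriding it.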
Update as soon as possible: the LoginGraceTime change is a stopgap, not a fix. For more details, see the original articles:
Keeping sshd patched matters more than most packages, because it is usually the one service exposed to the whole internet; this is a good example of why proactive vulnerability management pays off.
Otherwise you can upgrade openssh-server manually by following this post: https://synaptica.info/2024/07/05/upgrade-openssh-server-on-your-ubuntu-distro-manually-tested-on-22-04-lts/