Addressing CVE-2024-6387 Vulnerability in OpenSSH

OpenSSH is the one service most servers deliberately expose to the internet, so a bug in sshd deserves immediate attention. On 1 July 2024 Qualys disclosed CVE-2024-6387, nicknamed regreSSHion, a critical vulnerability in the OpenSSH server. This post offers a straightforward script to help you identify and fix this issue, ensuring your system remains secure.

CVE-2024-6387 is a signal handler race condition in sshd. If a client does not finish authenticating within LoginGraceTime (120 seconds by default), sshd's SIGALRM handler runs code that is not async-signal-safe, and Qualys showed that this can be turned into unauthenticated remote code execution as root on glibc-based Linux systems. Releases before 4.4p1 and from 8.5p1 up to 9.7p1 are affected; 9.8p1 contains the fix. The race is also why the mitigation below works: with LoginGraceTime set to 0 the alarm never fires, so the vulnerable handler is never entered, at the cost of unauthenticated connections never being timed out. Addressing this vulnerability promptly is crucial to safeguard your data.

This script checks your OpenSSH version, determines whether it falls in the affected range, updates OpenSSH if needed, and applies the temporary mitigation if the version still reports as affected after the update. One caveat before you trust its verdict: distributions such as Red Hat and Debian backport the fix without changing the upstream version string, so a version-based check can report a patched package as vulnerable. Treat a "vulnerable" result as a prompt to check your vendor's advisory and package changelog, not as proof that the host is exploitable.

#!/bin/bash
# Checks for and remediates the CVE-2024-6387 (regreSSHion) vulnerability in OpenSSH.
# Attempts to update OpenSSH through the distribution's package manager; if the
# installed version is still in the affected range afterwards, applies a temporary
# mitigation by setting LoginGraceTime to 0 in the sshd_config file.
# Note: This temporary mitigation removes the login timeout and so exposes sshd to
# connection-exhaustion DoS (unauthenticated sessions are then bounded only by MaxStartups).
# Note: Distributions backport the fix without bumping the upstream version string
# (Red Hat's openssh-8.7p1-38.el9 rebuilds are one example), so a version match is a
# prompt to check the vendor advisory, not proof that the host is exploitable.
# Based on information provided by https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
# Script provided by DropDeadDick.com

if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root (package updates and sshd_config edits)." >&2
    exit 1
fi

# Get the upstream OpenSSH version string, e.g. "9.6p1". Older sshd builds reject
# -V and print their usage banner, which carries the version, to stderr; newer ones
# print the version directly, so stderr is merged before grepping.
get_ssh_version() {
    sshd -V 2>&1 | grep -oP '(?<=OpenSSH_)\d+\.\d+p\d+' | head -n1
}

# True (exit 0) when version $1 sorts before version $2. "sort -V" orders
# "9.7p1" < "9.8p1" < "10.0p1" correctly, which the plain string comparison
# performed by the [[ < ]] operator does not.
version_lt() {
    [[ "$1" != "$2" && "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" == "$1" ]]
}

# Check if the installed version is in the affected range. Per the Qualys advisory:
# releases before 4.4p1 (unless already patched for CVE-2006-5051), and 8.5p1 up
# to but not including 9.8p1, where the fix landed.
is_vulnerable() {
    local version
    version=$(get_ssh_version)
    if [[ -z "$version" ]]; then
        echo "Could not determine the OpenSSH version from sshd -V" >&2
        exit 2
    fi
    if version_lt "$version" "4.4p1"; then
        return 0 # Vulnerable
    elif ! version_lt "$version" "8.5p1" && version_lt "$version" "9.8p1"; then
        return 0 # Vulnerable
    else
        return 1 # Not vulnerable
    fi
}

# Test the configuration before restarting, so a typo in sshd_config cannot
# lock you out of the host.
restart_sshd() {
    if ! sshd -t; then
        echo "sshd configuration test failed; not restarting sshd" >&2
        return 1
    fi
    echo -e "\nRestarting sshd service...\n"
    systemctl restart sshd
}

# Remediate the vulnerability by installing the distribution's patched package.
remediate() {
    echo -e "\e[33mUpdating OpenSSH to the latest version...\e[0m"
    if [[ -f /etc/debian_version ]]; then
        apt-get update
        apt-get install -y openssh-server
    elif [[ -f /etc/redhat-release ]]; then
        yum update -y openssh-server
    else
        echo "Unsupported OS" >&2
        exit 1
    fi
    restart_sshd
}

# Apply the temporary mitigation. sed only rewrites an existing (possibly
# commented-out) LoginGraceTime line, so the directive is appended when the file
# has none. sshd uses the first value it reads for a keyword, so if sshd_config
# includes /etc/ssh/sshd_config.d/*.conf and a drop-in there sets LoginGraceTime,
# that value wins; verify with: sshd -T | grep -i logingracetime
mitigate() {
    echo -e "\e[33mApplying temporary mitigation by setting LoginGraceTime to 0...\e[0m"
    if grep -qE '^#?LoginGraceTime' /etc/ssh/sshd_config; then
        sed -i 's/^#\?LoginGraceTime.*/LoginGraceTime 0/' /etc/ssh/sshd_config
    else
        echo 'LoginGraceTime 0' >> /etc/ssh/sshd_config
    fi
    restart_sshd
    echo -e "\e[32mTemporary mitigation applied. The signal handler race can no longer be triggered, but sshd may now be vulnerable to DoS attacks.\e[0m"
}

# Main
if is_vulnerable; then
    echo -e "\e[31mSystem reports OpenSSH $(get_ssh_version), which is in the range affected by CVE-2024-6387.\e[0m"
    remediate
    if is_vulnerable; then
        echo -e "\e[33mVersion is still in the affected range after the update; applying temporary mitigation.\e[0m"
        mitigate
        echo -e "\e[31mSystem is still running an affected version but is temporarily mitigated. Check whether your distribution's package already carries the backported fix.\e[0m"
    else
        echo -e "\e[32mUpdate successful. The system is no longer vulnerable.\e[0m"
    fi
else
    echo -e "\e[32mSystem is not vulnerable to CVE-2024-6387.\e[0m"
fi

Run as root, the script is a stopgap rather than a cure: the real fix is the patched package, OpenSSH 9.8p1 or your distribution's backported build. Once that is installed, put LoginGraceTime back to its default, because leaving it at 0 keeps the timeout disabled and lets anyone tie up sshd with half-open connections. Regular updates and proactive measures are essential for maintaining system security. Stay safe!