Openssh RCE vulnerability – Patch Now!

As Hackernews has in its posts:

New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems

RCE = Remote Code Execution , i.e. the hacker does not need an account on the system to get on the system.

This happens to be an old vulnerability (as per AI response):

The OpenSSH remote code execution vulnerability, also known as CVE-2016-0777, is a security flaw discovered in January 2016. This vulnerability affects OpenSSH versions 5.4 to 7.1 and allows an attacker to execute arbitrary code on a target system by manipulating the SSH client to leak sensitive information from the system’s memory. This can lead to unauthorized access, data theft, or system compromise. To mitigate this vulnerability, users should update their OpenSSH installations to version 7.1p2 or later.

But today’s vulnerability has to do with a “reintroduction” of this same vulnerability in new codebases:

(as per hackernews article) The vulnerability, codenamed regreSSHion, has been assigned the CVE identifier CVE-2024-6387. It resides in the OpenSSH server component, also known as sshd, which is designed to listen for connections from any of the client applications.


The cybersecurity firm said it identified no less than 14 million potentially vulnerable OpenSSH server instances exposed to the internet, adding it’s a regression of an already patched 18-year-old flaw tracked as CVE-2006-5051, with the problem reinstated in October 2020 as part of OpenSSH version 8.5p1.  )

So regression of the old OpenSSH flaw means someone did not check the past issues, and unknowingly created this problem?  Anyway it is here, so update your sshd software on all internet facing systems.

As per

new version released by OpenSSH  (and from their release notes:

OpenSSH 9.8 was released on 2024-07-01. It is available from the
mirrors listed at
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:


This release contains fixes for two security problems, one critical
and one minor.

1) Race condition in sshd(8)

A critical vulnerability in sshd(8) was present in Portable OpenSSH
versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary
code execution with root privileges.

Successful exploitation has been demonstrated on 32-bit Linux/glibc
systems with ASLR. Under lab conditions, the attack requires on
average 6-8 hours of continuous connections up to the maximum the
server will accept. Exploitation on 64-bit systems is believed to be
possible but has not been demonstrated at this time. It's likely that
these attacks will be improved upon.

Exploitation on non-glibc systems is conceivable but has not been
examined. Systems that lack ASLR or users of downstream Linux
distributions that have modified OpenSSH to disable per-connection
ASLR re-randomisation (yes - this is a thing, no - we don't
understand why) may potentially have an easier path to exploitation.
OpenBSD is not vulnerable.

We thank the Qualys Security Advisory Team for discovering, reporting
and demonstrating exploitability of this problem, and for providing
detailed feedback on additional mitigation measures.

If you need more information as to why one should patch/upgrade systems - contact me

Also have my book "Too Late You're Hacked" that explains it in detail.