This advisory is for organizations that use Openssh within their environment as a network utility. If your organization does not use this suite, this notification may be discarded.
UPDATE:
It was noted that Windows runs a version of SSH on desktops and servers.
We haven’t seen anything from Microsoft addressing this vulnerability as of yet. Windows versions can be checked from a command line prompt using “ssh -V”.
This vulnerability works because sshd is listening for incoming requests. Most desktop versions of Windows should not be exposed to the internet in this way. Server versions that are accepting incoming requests may be in scope of this vulnerability and may require mitigating controls.
From our research, it appears that Microsoft updates SSH through regular Windows updates and as such is several versions behind (the instance we looked at with all applied updates is version OpenSSH_for_Windows_8.1p1.) That should be considered prior to exposing SSH on Windows Server to the internet.
OpenSSH can be managed using a GPO as noted at https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh-group-policy
Summary
Qualys discovered a vulnerability present in OpenSSH’s server (sshd) which allows an attacker to attempt to achieve unauthenticated remote code execution (RCE) as root by winning a race condition in sshd. "Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with [address space layout randomization]," OpenSSH said in an advisory. "Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept." Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon.
OpenSSH continues in the advisory: “Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation (yes - this is a thing, no - we don't understand why) may potentially have an easier path to exploitation.”
CVE-2024-6387: CVSSv3.1: 8.1
Openssh: Possible Remote Code Execution Due To A Race Condition In Signal Handling
Affected Platforms
Mitigations
Additional Resources
https://www.openssh.com/releasenotes.html
https://www.cve.org/CVERecord?id=CVE-2024-6387
https://thehackernews.com/2024/07/new-openssh-vulnerability-could-lead-to.html