Share
## https://sploitus.com/exploit?id=0FC4BE81-312B-51F4-9D9B-66D8B5C093CD
## Document Title - Mitigation Guide for CVE-2024-6387 in OpenSSH

### Introduction
This document outlines the steps for mitigating CVE-2024-6387, a security vulnerability affecting OpenSSH versions from 8.5p1 to 9.8p1. The vulnerability can be mitigated in two ways:
1. Adjusting the `LoginGraceTime` setting in the SSH configuration to reduce the window of opportunity for an attack.
2. Upgrading to a version of OpenSSH that is patched against CVE-2024-6387 (if such a version is available and compatible with your systems).

### Mitigation Option 1 - Configuring `LoginGraceTime`

The `LoginGraceTime` parameter specifies the time limit for SSH clients to authenticate successfully. Setting this parameter to 0 can effectively reduce the vulnerability window by requiring immediate authentication upon connection.

#### Steps to Adjust `LoginGraceTime`

1. **Open the SSH Configuration File**
   As the root user, open the `/etc/ssh/sshd_config` file using a text editor. For example:
   ```bash
   vim /etc/ssh/sshd_config
   ```

2. **Modify the `LoginGraceTime` Parameter**
   Locate the `LoginGraceTime` parameter. If it exists, modify it to:
   ```plaintext
   LoginGraceTime 0
   ```
   If the parameter does not exist, add it to the file with the same setting.

3. **Save and Close the File**
   After making the changes, save the file and exit the text editor.

4. **Restart the SSH Service**
   Apply the changes by restarting the SSH daemon:
   ```bash
   systemctl restart sshd.service
   ```

5. **Verify the Configuration (Optional)**
   Ensure that the configuration has been applied correctly:
   ```bash
   sshd -T | grep logingracetime
   ```
   This command should output `logingracetime 0`, confirming that the setting is applied.

### Mitigation Option 2 - Upgrading OpenSSH

If an upgrade path is available that patches CVE-2024-6387, it is recommended to update OpenSSH to this version. Follow these general steps to upgrade OpenSSH:

1. **Check Current Version**
   Verify the current version of OpenSSH installed on your system:
   ```bash
   ssh -V
   ```

2. **Search for Available Versions**
   Check if a patched version is available in your distribution's repository:
   ```bash
   apt list -a openssh-server
   ```

3. **Upgrade OpenSSH**
   If a secure version is available, upgrade using the package manager:
   ```bash
   sudo apt update
   sudo apt upgrade openssh-server
   ```

4. **Restart the SSH Service**
   Restart the SSH daemon to apply the upgrade:
   ```bash
   systemctl restart sshd.service
   ```

5. **Verify the Upgrade**
   Check the version again to ensure the upgrade was successful:
   ```bash
   ssh -V
   ```
---
[Proof of Concept for CVE-2024-6387](https://github.com/acrono/cve-2024-6387-poc/)