OpenSSH 8.7 public — vulnerable to regreSSHion (CVE-2024-6387)

• Severity: High (if host is glibc-based Linux — regreSSHion is unauth RCE); otherwise Medium
• CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H → 8.1 (CVE-2024-6387 "regreSSHion")
• CWE: CWE-362 (Race Condition), CWE-1104
• Asset: corezoid-ma.dev.corezoid.com → 84.8.218.23:22
• Discovered: 2026-04-26
• Status: Open — needs OS fingerprinting + patch level verification

Summary

corezoid-ma.dev.corezoid.com exposes SSH on port 22 to the public internet with banner SSH-2.0-OpenSSH_8.7. OpenSSH 8.7 was released 2021-08-20 — nearly 4.5 years ago. It is vulnerable to:

• CVE-2024-6387 (regreSSHion) — unauthenticated remote code execution as root via signal handler race condition. Affects OpenSSH 4.4–4.9p1 and 8.5p1 through 9.7p1 on glibc-based Linux. Exploitation is slow (~6-8 hours) but pre-auth RCE.
• CVE-2023-38408 — ssh-agent forwarding RCE (requires attacker-controlled forwarded agent)
• CVE-2023-48795 (Terrapin) — protocol-level downgrade affecting SSH integrity
• CVE-2023-25136 — double-free in OpenSSH 9.1 (8.7 not directly affected, but indicates patch cadence)

Additionally: exposing SSH on a dev host to the whole internet is a hardening anti-pattern regardless of version. Dev hosts often have weak creds, shared keys, or outdated sudoers configs.

Reproduction

$ nc -w 5 corezoid-ma.dev.corezoid.com 22
SSH-2.0-OpenSSH_8.7

Additional recon (pending, non-destructive)

• Confirm host OS (Linux distribution — likely RHEL/CentOS/Rocky based on 8.7 being the CentOS Stream 9 package version). nmap -sV -p 22 --script ssh-auth-methods,ssh2-enum-algos for hardening details.
• ssh-audit for cipher / KEX / MAC assessment (Terrapin, weak algorithms).

PoC

Not executed. regreSSHion is:

• Expensive (6-8 hours per attempt)
• Stateful (crashes many sshd processes in the attempt)
• Destabilizing (even if unsuccessful, the host's sshd logs fill with forkbomb-shaped crashes)

Running the PoC would violate the non-destructive RoE. Version disclosure is sufficient evidence.

Impact

If the host is glibc Linux and unpatched:

• Unauthenticated RCE as root on a dev box
• Dev boxes typically have:
  • Production database dumps (for testing migrations)
  • SSH keys to production (for CI deploys)
  • Developer AWS credentials
  • Source code with uncommitted secrets
• Lateral movement into developer workstations (via ssh pubkey forwarding, stashed AWS profiles)
• Likely pivot point into production via leaked credentials

Remediation

Priority 1 — now:

1. Block SSH from the public internet. Move sshd to listen only on the VPC / VPN CIDR. SSH on a public IP is never appropriate for a dev host.
2. Upgrade OpenSSH to ≥ 9.8p1 (which fixed regreSSHion).
3. Put the host behind the corporate VPN (it's already running at vpn.corezoid.com) or AWS SSM Session Manager.

Priority 2 — hardening:

1. Audit /etc/ssh/sshd_config: PasswordAuthentication no, PermitRootLogin no, key-only auth, limit users via AllowUsers.
2. Install fail2ban or equivalent.
3. Rotate any SSH authorized_keys that allowed access to this host.
4. Audit all other *.dev.corezoid.com and *.pre.corezoid.com for similar SSH exposure.

References

• CVE-2024-6387 (regreSSHion) — Qualys advisory
• CVE-2023-48795 (Terrapin)
• CWE-362, CWE-1104