Please confirm which versions (if any) are vulnerable to CVE-2024-6387

[camerondm9]

Request for information

CVE-2024-6387 (stylized as regreSSHion) is a Remote Unauthenticated Code Execution vulnerability in sshd in glibc-based Linux systems, discovered by Qualys.

What I want to know: Is OpenSSH for Windows vulnerable?

I don't see any changes that line up with Qualys's disclosure timeline, and the version number that I get when I do a fresh install via Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 is 8.6.0.1 (which falls within the vulnerable range, according to what I'm seeing).

[alex180500]

Is there any update? why is ssh on windows so behind...

[ebenhoehdaniel]

We have Windows Server 2019 and 2022 and need the information if the OpenSSH-Feature is vulnerable, too.
All very old SSH-Server - Microsoft, have you forgotten your Secure Future Initiative (SFI):
https://www.microsoft.com/en-us/microsoft-cloud/resources/built-in-security

https://www.microsoft.com/en-us/security/blog/2024/05/03/security-above-all-else-expanding-microsofts-secure-future-initiative/

[GossiTheDog]

Confirming the latest Windows 11 release is vulnerable version:

[foxt]

https://www.qualys.com/regresshion-cve-2024-6387/

discovered this unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems.

Windows is neither Linux or glibc-based so I assume it's not relevant?

[FrancoisSSC]

Does this vulnerability affect macOS or Windows?
While it is likely that the vulnerability exists in both macOS and Windows, its exploitability on these platforms remains uncertain. Further analysis is required to determine the specific impact.

https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

[GossiTheDog]

https://www.qualys.com/regresshion-cve-2024-6387/

discovered this unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems.

Windows is neither Linux or glibc-based so I assume it's not relevant?

FreeBSD is neither Linux or glibc based, but they patched it.

[NoMoreFood]

Based on my topical analysis and general knowledge of how signal handling is done in this fork, I do not believe this vulnerability is relevant to this fork.

[Gautam-deepak]

Is there any update on this ? Please confirm..

[KingWAR10CK]

Any updates?

[JeanPluzo]

Thanks for the different insights everyone!
Still, it would be nice to hear from MS themselves. "Assuming" is not the right way to go in the IT industry.

[DomDupuis]

Any updates Microsoft?

[shertaeg]

@tgauth can you give any insights on this? Is Win32_OpenSSH vulnerable or not?
I understand all community-answers, but as I guess thousands of others am waiting for some sort of official statement.

come on, Microsoft, you can do better than that. It's been very frustraing in the last months.

[FrancoisSSC]

I sent an email to secure@microsoft.com earlier today, and this is their official statement:

PowerShell/Announcements#63
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-6387

You can all sleep well now! :)

[tgauth]

Apologies for the delay in responding - please see the announcement mentioned above for guidance. PowerShell/Announcements#63