If you are running Proxmox VE 8, make sure you update the openssh-server package: the fixed Debian Bookworm package is 1:9.2p1-2+deb12u3 (DSA-5724-1), and the upgrade is only effective once the running sshd has been restarted, which the Debian package does for you on install. Proxmox VE 7 is not affected because it is based on Debian Bullseye, which ships OpenSSH 8.4p1, one release before the 8.5p1 release that reintroduced the bug.
Quoted from the Qualys advisory at https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
regreSSHion background
The Qualys Threat Research Unit (TRU) discovered this unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems. This bug marks the first OpenSSH vulnerability in nearly two decades—an unauthenticated RCE that grants full root access. It affects the default configuration and does not require user interaction, posing a significant exploit risk.
In Qualys TRU’s analysis, we identified that this vulnerability is a regression of the previously patched vulnerability CVE-2006-5051, reported in 2006. A regression in this context means that a flaw, once fixed, has reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue. This incident highlights the crucial role of thorough regression testing to prevent the reintroduction of known vulnerabilities into the environment. This regression was introduced in October 2020 (OpenSSH 8.5p1).
It has been confirmed that this vulnerability can be exploited on 32-bit systems with a brute-force attack lasting six or more hours. While theoretically possible on 64-bit systems, the attack time significantly increases.
This issue is not specific to Proxmox. According to the Qualys advisory it affects glibc-based Linux systems running OpenSSH 8.5p1 through 9.7p1, as well as releases before 4.4p1 that never received the CVE-2006-5051 fix, which covers most current Linux distributions. Releases 4.4p1 through 8.4p1 are not vulnerable, the upstream fix is in OpenSSH 9.8p1, and OpenBSD is not affected because its syslog implementation is async-signal-safe.
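The two checks a Proxmox 8 administrator actually needs after reading the above are (a) whether a given OpenSSH version falls in the regressed range and (b) whether the installed Bookworm package already carries the backported fix, which the server banner cannot tell you because a patched host still advertises OpenSSH_9.2p1. The script below is an added example and is not part of the original post, of the Qualys advisory or of the Proxmox or Debian projects; the function names, the hypothetical filename and the sample version strings are this example's own, while the version ranges come from the Qualys advisory and the fixed package version from DSA-5724-1.

```sh
#!/bin/sh
# Added example, not part of the original post or of the Qualys advisory.
# Checks a Proxmox VE 8 / Debian Bookworm host for CVE-2024-6387.
# Function names are this example's own; the version ranges come from the
# Qualys advisory, the Debian fixed version from DSA-5724-1.

# Classify an upstream OpenSSH version string. Accepts bare versions
# ("9.2p1"), "ssh -V" output and SSH banners ("SSH-2.0-OpenSSH_9.2p1 ...").
# Affected ranges per Qualys:
#   < 4.4p1         vulnerable unless backport-patched for CVE-2006-5051
#   4.4p1 - 8.4p1   not vulnerable
#   8.5p1 - 9.7p1   vulnerable (the regression); fixed upstream in 9.8p1
# Returns 0 (true) when the version falls in an affected range.
regresshion_affected_upstream() {
    v=$(printf '%s' "$1" | sed -e 's/^.*OpenSSH_//' -e 's/[p ,].*$//')
    major=${v%%.*}
    minor=${v#*.}
    minor=${minor%%.*}
    n=$((major * 100 + minor))
    if [ "$n" -lt 404 ]; then
        return 0
    elif [ "$n" -ge 805 ] && [ "$n" -le 907 ]; then
        return 0
    fi
    return 1
}

# Debian backported the fix to Bookworm as openssh 1:9.2p1-2+deb12u3, so a
# patched host still advertises OpenSSH_9.2p1 in its banner. Only the
# package version says whether the fix is installed. Uses
# dpkg --compare-versions when available, otherwise a Bookworm-specific
# comparison of the +deb12uN suffix.
bookworm_package_fixed() {
    fixed='1:9.2p1-2+deb12u3'
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$fixed"
        return
    fi
    case "$1" in
        1:9.2p1-2+deb12u*) u=${1##*deb12u}; [ "$u" -ge 3 ] ;;
        *) return 1 ;;
    esac
}

# Live check for this host: installed package version, then whether the
# sshd that is actually running predates the upgrade (its /proc/<pid>/exe
# link reads "(deleted)" until the service is restarted). Also reports the
# interim mitigation from the advisory: LoginGraceTime 0 removes the
# exploitable timeout at the cost of easier connection exhaustion.
# Needs root for sshd -T. Returns nonzero if the host is exposed.
check_host() {
    status=0
    pkg=$(dpkg-query -W -f='${Version}' openssh-server 2>/dev/null) || {
        echo "openssh-server is not installed"
        return 2
    }
    if bookworm_package_fixed "$pkg"; then
        echo "openssh-server $pkg: fixed package installed"
    else
        echo "openssh-server $pkg: VULNERABLE, run: apt update && apt install openssh-server"
        status=1
    fi
    for p in /proc/[0-9]*; do
        case "$(readlink "$p/exe" 2>/dev/null)" in
            *sshd*deleted*)
                echo "sshd pid ${p#/proc/} runs a deleted binary: systemctl restart ssh"
                status=1
                break ;;
        esac
    done
    grace=$(sshd -T 2>/dev/null | awk '$1 == "logingracetime" { print $2 }')
    if [ -n "$grace" ]; then
        echo "LoginGraceTime is $grace (0 disables the exploitable timeout)"
    fi
    return "$status"
}

if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Save it under a name of your choosing (say check-regresshion.sh, a hypothetical name) and run `sh check-regresshion.sh --check` as root on each node. Banner-based scanners will keep flagging a patched Bookworm host because Debian did not bump the upstream version string; the dpkg-based check is the authoritative one, and the /proc check catches the case where the package was upgraded but the old sshd is still serving connections.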