Qualys Threat Research Unit (TRU) has identified a severe remote unauthenticated code execution (RCE) vulnerability in OpenSSH's server (sshd) affecting glibc-based Linux systems, with the potential to compromise over 14 million instances globally.
The vulnerability, now tracked as CVE-2024-6387 and dubbed “regreSSHion,” allows unauthenticated, remote attackers to execute code as root on affected systems, posing a significant security risk.
The vulnerability arises from a regression of a previously patched issue (CVE-2006-5051), which was reintroduced in OpenSSH version 8.5p1, released in October 2020. The regression was caused by the accidental removal of a critical component of a function, which brought the flaw back.
OpenSSH versions from 8.5p1 up to, but not including, 9.8p1 are vulnerable. OpenSSH versions from 4.4p1 to 8.5p1, and versions patched for CVE-2006-5051 and CVE-2008-4109, are not vulnerable. OpenBSD systems, which have had a secure mechanism preventing this vulnerability since 2001, are also not vulnerable.
Impact and exploitation
The regreSSHion vulnerability can be exploited to gain root access, enabling attackers to take full control of affected systems, deploy malware, manipulate data, and create backdoors for persistent access. Such an attack could facilitate lateral movement within networks, compromising other vulnerable systems and bypassing critical security mechanisms.
Exploiting this vulnerability involves complex remote race conditions that require multiple attempts to succeed. Successful exploitation can lead to severe outcomes, including memory corruption and evasion of Address Space Layout Randomization (ASLR).
Organizations should take immediate action to mitigate the risk posed by this vulnerability, including:
- Apply available patches for OpenSSH promptly and ensure regular updates.
- Restrict SSH access using network-based controls.
- Implement network segmentation to limit unauthorized access and deploy intrusion detection systems to monitor suspicious activities.
OpenSSH (Open Secure Shell) is widely adopted across Unix-like systems, including macOS and Linux, supporting various encryption technologies and serving as a critical tool for enterprise communication and infrastructure security.
Qualys's analysis reveals that this vulnerability affects approximately 700,000 external internet-facing instances, accounting for 31% of all internet-facing OpenSSH instances in its global customer base. Notably, 0.14% of these instances are running end-of-life or unsupported versions of OpenSSH, heightening the risk. Shodan and Censys search-engine scans of internet-exposed servers take the figure of potentially vulnerable servers up to a staggering 14 million.
Those unable to upgrade to version 9.8p1 immediately are advised either to take their servers off the internet or to set ‘LoginGraceTime’ to zero in the sshd configuration file, though this may make the servers susceptible to denial-of-service (DoS) attempts.
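The affected version range stated above and the LoginGraceTime workaround, turned into a defender-side check. This is an added shell example, not part of the article or of OpenSSH; the sample sshd_config is constructed, and the version parser assumes upstream-style `OpenSSH_X.YpN ...` banners (vendor packages that backported the fix keep the old number, so a hit means "confirm with the package manager", not proof of exposure).

```shell
# Added, defender-side check (not from the article or OpenSSH): is this sshd version
# in the regreSSHion range [8.5p1, 9.8p1), and is the LoginGraceTime workaround set?
# Assumes upstream portable version strings; vendor builds that backported the fix
# keep the old number, so a hit means "confirm with the package manager".

# "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5" -> sortable key major*10000 + minor*100 + p.
# Returns 1 when the string is not a portable (major.minorpN) OpenSSH version.
ssh_version_key() {
    v=${1#OpenSSH_}; v=${v%%[!0-9.p]*}          # strip banner prefix and vendor suffix
    case "$v" in *.*p*) ;; *) return 1 ;; esac
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%p*}; patch=${rest#*p}
    case "$major$minor$patch" in ''|*[!0-9]*) return 1 ;; esac
    echo $((major * 10000 + minor * 100 + patch))
}

# 0 = inside the affected range, 1 = outside it, 2 = cannot judge.
is_vulnerable_version() {
    key=$(ssh_version_key "$1") || return 2
    [ "$key" -ge 80501 ] && [ "$key" -lt 90801 ]
}

# Effective LoginGraceTime: sshd takes the first value it sees for a keyword,
# keywords are case-insensitive, and "Keyword=value" is accepted. Default is 120.
effective_login_grace_time() {
    val=$(awk '{ l = $0; sub(/#.*/, "", l); gsub(/=/, " ", l); n = split(l, f)
                 if (n >= 2 && tolower(f[1]) == "logingracetime") { print f[2]; exit } }' "$1")
    echo "${val:-120}"
}
# One-line verdict for a version string and a config path; always exits 0.
report() {
    rc=0; is_vulnerable_version "$1" || rc=$?
    case $rc in
        0) msg="in affected range (verify the package has no backported fix)" ;;
        1) msg="outside affected range" ;;
        *) msg="not a parseable portable OpenSSH version" ;;
    esac
    echo "$1: $msg; effective LoginGraceTime = $(effective_login_grace_time "$2")"
}
# Constructed sample sshd_config (not from a real host): the commented line is
# ignored and the first live LoginGraceTime wins, so the effective value is 0.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
#LoginGraceTime 2m
Port 22
LoginGraceTime 0
LoginGraceTime 120
EOF
report "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5" "$SAMPLE_CONFIG"
report "OpenSSH_9.8p1" "$SAMPLE_CONFIG"
```

On a live host, `report "$(ssh -V 2>&1)" /etc/ssh/sshd_config` gives the same verdict (`ssh -V` reports the client build, which normally matches the installed sshd package).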