They have named this vulnerability “regreSSHion”, since it represents the re-emergence of a bug that was previously patched in 2006 (CVE-2006-5051). It is described as “critical”.
The new vulnerability, assigned CVE-2024-6387, allows for unauthenticated remote code execution (RCE) with root privileges, posing a severe threat to affected systems.
An attacker could potentially gain complete control of the affected system, executing arbitrary code with root privileges. This could allow the installation of malware, the creation of backdoors and the exfiltration or manipulation of data. In addition, gaining root privileges could allow the intruder to disable or bypass critical security systems in order to maintain a permanent presence.
The vulnerability is “a signal handler race condition in OpenSSH’s server (sshd)”, according to Bharat Jogi, senior director at Qualys TRU, in a post on the company’s website. “This race condition affects sshd in its default configuration.”
Fortunately, however, being a race condition means is not easy to exploit, requiring multiple attempts for a successful attack. “This can cause memory corruption and necessitate overcoming Address Space Layout Randomization (ASLR).”Â
Nevertheless, the researchers say, given the risk posed by regreSHHion, organisations should take immediate measures to locate and secure vulnerable systems applying patches, reconfiguring sshd and segmenting networks, where possible.
Affected systems
OpenSSH is a suite of software tools that enable secure remote login using the SSH encryption protocol. It is included in all glibc-based Linux systems, which means virtually every major distribution except for Alpine Linux, which uses libc. BSD systems are not affected. Qualys says it does not yet know the extent to which macOS or Windows operating systems may be impacted.
Using the Censys and Shodan search engines, TRU researchers identified over 14 million potentially vulnerable OpenSSH server instances exposed to the internet. Among Qulays customers, there are around 700,000 such instances, representing 31% of the customer base.
OpenSSH versions earlier than 4.4p1 (released 2006) are vulnerable unless they’ve been patched for CVE-2006-5051 and CVE-2008-4109. Versions 8.5p1 (released March 2021) up to, but not including, 9.8p1 (released 1st July, 2024) are also affected, owing to the accidental removal of a critical component. The vulnerability has been fixed in version 9.8p1.
Vendors are expected to release their own patches shortly. In the meantime there are mitigating measures that organisations can take.
“If sshd can’t be updated or recompiled, set LoginGraceTime to 0 in the config file,” the researchers recommend. “This exposes sshd to a denial of service by using up all MaxStartups connections, but it prevents the remote code execution risk.”
Computing has contacted Qualys to ask whether any exploitations of regreSSHion have been observed in the wild.