Researchers at the cybersecurity firm Qualys have discovered a critical vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems.
The vulnerability tracked as CVE-2024-6387 and named regreSSHion, is a signal handler race condition in OpenSSH’s server (sshd).
This race condition allows unauthenticated remote code execution (RCE) with full root privileges, posing a significant security risk.
Further, it affects sshd in its default configuration.
OpenSSH is a suite of secure networking utilities based on the Secure Shell (SSH) protocol. It is widely used by enterprises for remote server management and secure data communications.
It is designed to provide a secure channel over an unsecured network in a client-server architecture.
Based on Censys and Shodan searches, over 14 million potentially vulnerable OpenSSH server instances have been identified as being exposed to the Internet.
Qualys believes that around 700,000 external internet-facing instances are vulnerable, which accounts for 31% of all internet-facing instances with OpenSSH in its global customer base.
“In our security analysis, we identified that this vulnerability is a regression of the previously patched vulnerability CVE-2006-5051, which was reported in 2006,” Bharat Jogi, Senior Director of the Threat Research Unit at Qualys, said in a disclosure published on Monday.
“A regression in this context means that a flaw, once fixed, has reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue. This incident highlights the crucial role of thorough regression testing to prevent the reintroduction of known vulnerabilities into the environment. This regression was introduced in October 2020 (OpenSSH 8.5p1).”
All versions of OpenSSH earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
Versions from 8.5p1 up to, but not including 9.8p1 are also vulnerable due to the accidental removal of a critical component in a function.
However, versions from 8.5p1 up to, but not including, 9.8p1 are unaffected due to a transformative patch for CVE-2006-5051.
Additionally, OpenBSD systems are unaffected by the vulnerability due to a secure mechanism developed in 2001 that prevents this bug, noted Qualys.
If exploited, this vulnerability could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges that could result in:
- Complete system takeover
- Installation of malware
- Data manipulation
- Creation of backdoors for persistent access
- Network propagation, which would allow attackers to utilize a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization.
The researchers also warned that gaining root access via this CVE would enable threat actors to bypass critical security mechanisms such as firewalls, intrusion detection systems, and logging mechanisms, further concealing their activities.
“This could also result in significant data breaches and leakage, giving attackers access to all data stored on the system, including sensitive or proprietary information that could be stolen or publicly disclosed,” the disclosure added.
Thankfully, this vulnerability is challenging to exploit due to its remote race condition nature, requiring multiple attempts for a successful attack.
“This can cause memory corruption and necessitate overcoming Address Space Layout Randomization (ASLR),” it said.
To prevent the risk posed by regreSSHion, organisations are recommended to quickly apply available patches for OpenSSH and prioritize ongoing update processes, limit SSH access through network-based controls, enforce network segmentation to restrict unauthorized access and lateral movements within critical environments, and deploy systems to monitor and alert admins on unusual activities.
