The Qualys Threat Research Unit (TRU) has discovered a vulnerability in the OpenSSH server (sshd) that leaves millions of glibc-based Linux systems exposed to unauthenticated remote code execution (RCE) as root. Qualys describes it as the first OpenSSH vulnerability in nearly two decades to allow unauthenticated remote code execution with full root privileges.

The flaw, tracked as CVE-2024-6387, affects sshd in its default configuration and requires no user interaction: an attacker who can reach the port sshd listens on needs no credentials at all. Successful exploitation yields root on the target, and with it complete control of the machine.

“This flaw represents the first OpenSSH vulnerability in nearly two decades: an unauthenticated RCE that grants full root access. It impacts the default configuration and requires no user interaction, presenting a significant risk of exploitation,” noted the researcher.

Details of the Vulnerability

The flaw is a race condition in sshd's SIGALRM signal handler. When a client connects but does not finish authenticating within LoginGraceTime (120 seconds by default), the handler runs, and in the affected versions it calls functions such as syslog() that are not async-signal-safe; syslog() can in turn call malloc() and free(). If the alarm interrupts sshd while it is itself in the middle of a heap operation, the allocator's state is corrupted, and Qualys showed that a remote client that times its traffic carefully can turn this into code execution as root, in the default configuration and with no user interaction. Qualys's demonstration targets 32-bit glibc-based Linux and needs on the order of 10,000 connection attempts, roughly six to eight hours on average under the default LoginGraceTime and MaxStartups settings; exploitation of 64-bit systems was not demonstrated but is believed to be possible. OpenBSD is not affected, because its SIGALRM handler calls the async-signal-safe syslog_r(). The issue is present in OpenSSH versions from 8.5p1 up to, but not including, 9.8p1, and is a reintroduction of the problem fixed in 2006 as CVE-2006-5051.
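To make the bug class concrete, here is an added illustration in C, written for this page; it is not sshd's code and does not reproduce the OpenSSH source. It shows a SIGALRM handler in the unsafe style (logging and exiting from inside the handler) next to the safe pattern, in which the handler only sets a sig_atomic_t flag and all logging is done from ordinary program context. The function names and the simulated heap workload are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/*
 * Unsafe pattern (illustrative only; NOT sshd's code, and never installed
 * below). syslog() and exit() are not async-signal-safe: syslog() may call
 * malloc()/free(), and exit() runs atexit handlers and stdio cleanup. If
 * SIGALRM arrives while the program is already inside malloc()/free(), the
 * allocator's internal state is corrupted. That is the bug class behind
 * CVE-2024-6387.
 */
void unsafe_grace_alarm(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication");   /* not async-signal-safe */
    exit(255);                                            /* not async-signal-safe */
}

/* Safe pattern: the handler only records that the timer fired. */
static volatile sig_atomic_t grace_expired = 0;

static void safe_grace_alarm(int sig)
{
    (void)sig;
    grace_expired = 1;   /* a sig_atomic_t store is the only work done here */
}

/* Installs the safe handler with sigaction(); returns 0 on success, -1 on error. */
int install_grace_alarm_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_grace_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;   /* no SA_RESTART: blocking calls return EINTR so the loop sees the flag */
    return sigaction(SIGALRM, &sa, NULL);
}

/*
 * Simulated per-connection loop (assumed shape, not sshd's): arms the grace
 * timer, then does heap work while polling the flag. When simulate_timeout is
 * non-zero the signal is raised synchronously as a stand-in for the timer
 * firing mid-work. Returns 1 if the grace period expired and was logged from
 * normal context, 0 otherwise.
 */
int handle_connection(unsigned int grace_seconds, int simulate_timeout)
{
    grace_expired = 0;
    alarm(grace_seconds);
    if (simulate_timeout)
        raise(SIGALRM);
    for (int i = 0; i < 1000; i++) {
        char *buf = malloc(64);   /* the kind of work the handler must not interrupt unsafely */
        if (buf == NULL)
            abort();
        free(buf);
        if (grace_expired) {
            alarm(0);
            /* Logging is deferred to here, where calling syslog() is safe. */
            syslog(LOG_INFO, "Timeout before authentication after %u seconds", grace_seconds);
            return 1;
        }
    }
    alarm(0);
    return 0;
}

int main(void)
{
    if (install_grace_alarm_handler() != 0) {
        perror("sigaction");
        return 1;
    }
    printf("no timeout: %d\n", handle_connection(120, 0));   /* 0 */
    printf("timeout:    %d\n", handle_connection(120, 1));   /* 1 */
    return 0;
}
```

The point of the safe variant is not the flag itself but what it forces: every call that allocates, locks or touches stdio moves out of the handler and back into code that runs at a known point of the program, so no heap operation can be interrupted half-way. The only functions a handler may call are those POSIX lists as async-signal-safe (write(), _exit(), sigaction() and so on).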

What is regreSSHion?

The vulnerability was named 'regreSSHion' because it is a regression: a previously fixed OpenSSH flaw that has come back. 'regreSSHion' is CVE-2024-6387, the unauthenticated remote code execution vulnerability in sshd described above, which grants root in the default configuration with no user interaction.

In their analysis, Qualys TRU identified the bug as a regression of CVE-2006-5051, reported and fixed in 2006. A regression here means that a once-fixed flaw has reappeared in a later version of the software, typically because a subsequent change reintroduced the problem. The case is a reminder that regression testing should cover past security fixes, not only functionality. The regression was introduced by a change made in October 2020 and first shipped in OpenSSH 8.5p1, released in March 2021.

About OpenSSH

OpenSSH is the most widely deployed implementation of the SSH protocol, providing encrypted remote login (ssh and sshd), secure file transfer (scp and sftp) and key management. It ships by default on Linux distributions, the BSDs and macOS, and is also available on Windows. Its security track record is strong: CVE-2024-6387 is the first unauthenticated remote root vulnerability in sshd in nearly two decades, which is itself why this regression stands out.

Affected OpenSSH Versions

  • Vulnerable: OpenSSH versions prior to 4.4p1, unless patched for CVE-2006-5051 and CVE-2008-4109.
  • Not Vulnerable: Versions from 4.4p1 up to, but not including, 8.5p1 due to a transformative patch for CVE-2006-5051.
  • Vulnerable again: Versions from 8.5p1 up to, but not including, 9.8p1, because a preprocessor guard ("#ifdef DO_LOG_SAFE_IN_SIGHAND") was accidentally removed from a function called directly by the signal handler, re-enabling the unsafe logging path that the 2006 fix had disabled. OpenSSH 9.8p1 restores safe behaviour.
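As an added example (not code from Qualys or the OpenSSH project), the following C routine classifies an SSH server identification string against the three version ranges listed above. The enum and function names are assumptions for the example, and the sample banners in main() are constructed rather than captured from real hosts.

```c
#include <stdio.h>
#include <string.h>

/* Classification against the three ranges in the advisory. */
enum regresshion_status {
    REGRESSHION_NOT_OPENSSH    = -1,  /* banner is not from OpenSSH; the version check does not apply */
    REGRESSHION_NOT_VULNERABLE =  0,  /* 4.4p1 <= version < 8.5p1, or version >= 9.8p1 */
    REGRESSHION_VULNERABLE_OLD =  1,  /* < 4.4p1: vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109 */
    REGRESSHION_VULNERABLE     =  2   /* 8.5p1 <= version < 9.8p1 */
};

/* Extracts major.minor from a server identification string such as
 * "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13". The portable "pN" suffix and any
 * distribution comment are ignored. Returns 0 on success, -1 otherwise. */
int parse_openssh_version(const char *banner, int *major, int *minor)
{
    const char *p = strstr(banner, "OpenSSH_");
    if (p == NULL)
        return -1;
    p += strlen("OpenSSH_");
    if (sscanf(p, "%d.%d", major, minor) != 2 || *major < 0 || *minor < 0)
        return -1;
    return 0;
}

/* True if maj.min is strictly older than ref_maj.ref_min. */
static int version_lt(int maj, int min, int ref_maj, int ref_min)
{
    return maj < ref_maj || (maj == ref_maj && min < ref_min);
}

enum regresshion_status classify_banner(const char *banner)
{
    int maj, min;
    if (parse_openssh_version(banner, &maj, &min) != 0)
        return REGRESSHION_NOT_OPENSSH;
    if (version_lt(maj, min, 4, 4))
        return REGRESSHION_VULNERABLE_OLD;   /* pre-4.4p1 */
    if (version_lt(maj, min, 8, 5))
        return REGRESSHION_NOT_VULNERABLE;   /* 4.4p1 .. 8.4p1 */
    if (version_lt(maj, min, 9, 8))
        return REGRESSHION_VULNERABLE;       /* 8.5p1 .. 9.7p1 */
    return REGRESSHION_NOT_VULNERABLE;       /* 9.8p1 and later */
}

static const char *status_name(enum regresshion_status s)
{
    switch (s) {
    case REGRESSHION_NOT_OPENSSH:    return "not OpenSSH (check not applicable)";
    case REGRESSHION_NOT_VULNERABLE: return "not vulnerable by version";
    case REGRESSHION_VULNERABLE_OLD: return "pre-4.4p1: vulnerable unless CVE-2006-5051/CVE-2008-4109 patched";
    case REGRESSHION_VULNERABLE:     return "8.5p1..9.7p1: vulnerable by version";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed sample banners, not captured from real hosts. */
    const char *samples[] = {
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
        "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
        "SSH-2.0-OpenSSH_8.5p1",
        "SSH-2.0-OpenSSH_9.8",
        "SSH-2.0-OpenSSH_4.3",
        "SSH-2.0-dropbear_2022.83",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-42s %s\n", samples[i], status_name(classify_banner(samples[i])));
    return 0;
}
```

The classification reflects upstream version numbers only. Distributions such as Debian, Ubuntu and Red Hat backported the fix without changing the banner version, so a "vulnerable by version" result on a distro build is a prompt to check the package, for example with dpkg -s openssh-server or rpm -q --changelog openssh-server, not a confirmed finding.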

Scope of the Vulnerability

The scope of the vulnerability is significant. Searches on Censys and Shodan return over 14 million internet-exposed OpenSSH server instances that are potentially vulnerable. Within Qualys's own customer base, anonymized data from Qualys CSAM with External Attack Surface Management showed approximately 700,000 vulnerable internet-facing instances, about 31% of all internet-facing OpenSSH instances in that data set.

Successful exploitation of 'regreSSHion' gives the attacker root on the host: full system compromise, malware installation, data manipulation and persistent backdoors. Because the exploit needs only network access to sshd and no credentials, a compromised host becomes a foothold for lateral movement to other machines reachable over SSH, and root access lets the attacker disable or tamper with host-based security controls, which makes this vulnerability particularly dangerous for businesses and individuals alike.

Mitigation Recommendations

To address the 'regreSSHion' vulnerability, companies should adopt a focused and layered approach:

  • Patch Management: Update to OpenSSH 9.8p1, or apply the distribution's backported fix, as soon as possible, and keep regular update processes in place so all systems stay protected. Where patching is not immediately possible, Qualys notes a workaround: set LoginGraceTime to 0 in sshd_config. This disables the timer whose signal handler contains the bug, at the cost of exposing sshd to denial of service through exhaustion of the MaxStartups connection limit.
  • Enhanced Access Control: Limit SSH access through network-based controls (firewall rules, VPN or bastion hosts, allow-lists of source addresses) so that sshd is not reachable from the open internet wherever that is avoidable.
  • Network Segmentation and Intrusion Detection: Implement network segmentation to restrict unauthorized access and lateral movement within critical environments, and deploy intrusion detection to alert on activity indicative of exploitation attempts. An attempt requires thousands of connections that never complete authentication, so a burst of "Timeout before authentication" entries from one source in sshd's logs is a useful signal.

For detailed technical information on CVE-2024-6387, consult the security advisory and blog post published by Qualys.