Highlights:
- CVE-2024-6387, dubbed “regreSSHion,” is a remote unauthenticated code execution vulnerability discovered in OpenSSH servers on glibc-based systems.
- Interestingly, this vulnerability represents a regression of the previously patched CVE-2006-5051, reported back in 2006.
Cybersecurity experts at Qualys Inc. warn of OpenSSH vulnerability. It affects over 14 million servers. Some security researchers are describing this flaw as “extremely dangerous” and “about as bad as they come.”
A fellow at the Synopsys Software Integrity Group, Ray Kelly, stated that the “trifecta of remote code execution, root access and a widespread distribution across Linux servers makes this a hot target for threat actors.”
“Although an OpenSSH patch is available, deploying it across all affected systems — potentially impacting 14 million OpenSSH instances — poses a significant challenge. This vulnerability could persist for a long time, reminiscent of the Heartbleed vulnerability in OpenSSL from 2014,” Kelly added.
The vulnerability, identified as CVE-2024-6387 and named “regreSSHion,” is a remote unauthenticated code execution flaw in OpenSSH’s server on glibc-based systems. OpenSSH’s server is a secure network tool that enables encrypted communication for remote server management and secure data transfers over unprotected networks.
The vulnerability stems from a signal handler race condition. In this software issue, the timing overlap between signal handling and regular processing can unpredictably cause unexpected and harmful behaviors in a program. For OpenSSH, this flaw enables remote code execution as root on glibc-based Linux systems, posing a substantial security threat.
Attackers can exploit this vulnerability by creating a payload that targets the signal handler race condition and sending it to the target system, attempting to trigger the race condition at the precise moment it occurs. By repeatedly sending this payload, the attackers enhance their chances of successfully exploiting the flaw, enabling them to execute arbitrary code with root user privileges.
If exploited, the vulnerability could result in a complete system compromise. An attacker could execute arbitrary code with the highest privileges, leading to a total system takeover, malware installation, data manipulation, and the creation of backdoors for persistent access.
Curiously, this vulnerability represents a regression of the previously patched flaw CVE-2006-5051, first reported in 2006. As the Qualys researchers explain, a “regression in this context means that a flaw, once fixed, has reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue.”
The regreSSHion vulnerability is present in OpenSSH versions earlier than 4.4p1 unless users have applied patches for CVE-2006-5051 and CVE-2008-4109. Versions 4.4p1 through 8.5p1, excluding 8.5p1, are not vulnerable. However, versions 8.5p1 through 9.8p1, excluding 8.5p1, are vulnerable due to the removal of a crucial component from a function.
To safeguard against the vulnerability, OpenSSH users are advised to promptly apply available patches, enforce enhanced access control, and implement network segmentation and intrusion detection measures.
Jeff Williams, Co-founder and Chief Technology Officer at Contrast Security Inc., said to a leading media house, “it’s difficult to overstate the importance of OpenSSH to cybersecurity” and that the “flaw is extremely dangerous.”
“Unlike Log4Shell attacks, which could be completely contained in a single unauthenticated HTTP request, this attack is a bit noisy and takes about 10,000 attempts on average to succeed. In this case, the OpenSSH team accidentally re-introduced a flaw that they had already fixed, demonstrating that every team needs fully automated test suites that run with every build and help prevent regressions… particularly for security fixes,” Williams explains.