A significant security vulnerability, dubbed “regreSSHion” (CVE-2024-6387), has been discovered in the OpenSSH server (sshd) affecting Glibc-based Linux systems. Infosec researchers at Qualys have revealed that this flaw could potentially allow unauthenticated attackers to achieve remote code execution (RCE) on hundreds of thousands of targets.
Vulnerability Details and Impact
The regreSSHion bug is a race condition in sshd that could grant intruders root-level access to affected systems. Of the 14 million potentially vulnerable sshd instances identified through Censys and Shodan scans, Qualys estimates that approximately 700,000 internet-facing instances could be susceptible to exploitation.
This vulnerability is particularly concerning as it represents a regression of a previously patched flaw (CVE-2006-5051) from 2006. The reintroduction of this issue occurred in October 2020 with the release of OpenSSH 8.5p1, highlighting the critical importance of thorough regression testing in software development.
Exploitation and Potential Consequences
The exploit takes advantage of a weakness in sshd’s handling of the LoginGraceTime parameter. If a client fails to authenticate within this timeframe (default 120 seconds), the server’s SIGALRM handler is called asynchronously. This handler can then invoke functions that are not async-signal-safe, such as syslog(), creating an opportunity for attackers to execute arbitrary code.
Successful exploitation could allow attackers to:
- Gain root-level access
- Perform full system takeovers
- Deploy malware
- Implant backdoors
- Evade existing security measures
While the potential impact is severe, exploiting the vulnerability requires patience. Lab tests conducted by the OpenSSH team and Qualys indicate that winning the race condition can take between three and eight hours and up to 10,000 attempts.
Affected Systems and Exceptions
Systems running glibc are likely vulnerable, with 32-bit architectures confirmed to be at risk and 64-bit systems probably affected as well. However, OpenBSD systems are not vulnerable due to a security enhancement implemented in 2001, which uses the safer syslog_r() function instead of syslog().
Vulnerable Versions and Patching
The following OpenSSH versions are affected:
- All versions earlier than 4.4p1 (unless patched for CVE-2006-5051 and CVE-2008-4109)
- Versions from 8.5p1 up to, but not including, 9.8p1
Versions 4.4p1 up to 8.5p1 are not affected due to the previous patching of CVE-2006-5051.
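The version ranges above are easy to misread during triage, so here is an added example (not code from Qualys or the article) that classifies OpenSSH version strings from your own host inventory against them. It assumes banners look like the ones in the constructed sample (`ssh -V` output or the `SSH-2.0-OpenSSH_...` server identification line), treats a version without the portable `p` suffix as a likely native OpenBSD build that the advisory exempts, and reports only range membership: a distribution that backported the fix (visible in the package revision, not the upstream version) will still show as in range and must be confirmed against the vendor advisory.

```python
import re
from typing import Dict, Optional, Tuple

# Ranges as stated in the advisory summary: affected if < 4.4p1 (unless patched
# for CVE-2006-5051 / CVE-2008-4109) or 8.5p1 <= version < 9.8p1.
FIXED_OLD = (4, 4, 1)
REGRESSION_START = (8, 5, 1)
FIXED_NEW = (9, 8, 1)

# Matches "OpenSSH_9.6p1", "OpenSSH_7.2.2p1" or "OpenSSH_9.7" (no portable suffix).
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(?:p(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, Optional[int]]]:
    """Return (major, minor, portable_patch) from a banner, or None if the
    banner does not advertise OpenSSH at all (e.g. Dropbear)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch is not None else None)


def classify(banner: str) -> str:
    """Classify one banner purely by upstream version range."""
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown"  # not OpenSSH, or unparseable: inspect manually
    major, minor, patch = v
    if patch is None:
        # No "p" suffix: likely native OpenBSD sshd, which the advisory exempts
        # because its handler uses syslog_r(). Confirm the platform by hand.
        return "no_portable_suffix"
    key = (major, minor, patch)
    if key < FIXED_OLD or REGRESSION_START <= key < FIXED_NEW:
        return "affected_range"  # still check for a distro-backported fix
    return "outside_affected_range"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> classification for a {host: banner} inventory."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts and banners, not real systems).
SAMPLE_BANNERS = {
    "build-01": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "legacy-db": "SSH-2.0-OpenSSH_7.4p1",
    "bastion": "SSH-2.0-OpenSSH_9.8p1",
    "old-appliance": "SSH-2.0-OpenSSH_4.3p2 Debian-9",
    "obsd-router": "SSH-2.0-OpenSSH_9.7",
    "iot-gw": "SSH-2.0-dropbear_2020.81",
}
```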
Mitigation and Recommendations
To address the regreSSHion vulnerability, organizations should:
- Update to OpenSSH 9.8p1 or apply the latest security patches
- Implement network-based controls to limit SSH access
- Segment networks and deploy monitoring systems to alert administrators of potential exploit attempts
Several Linux distributions have already released updates, including Ubuntu and NixOS. Users are strongly advised to check their distribution’s repositories for available patches and apply them promptly.
Qualys' full write-up can be found here.