regreSSHion: Critical OpenSSH server vulnerability CVE-2024-6387

Sicherheit (Pexels, allgemeine Nutzung)[German]A critical vulnerability CVE-2024-6387 has been disclosed in OpenSSH servers. The vulnerability, known as regreSSHion, allows remote unauthenticated code execution – and security firms have found over 14 million potentially vulnerable OpenSSH servers on the internet. However, the risk should still be limited.

What is OpenSSH

OpenSSH (Open Secure Shell) is a set of secure network utilities based on the Secure Shell (SSH) protocol, which is essential for secure communication over unsecured networks. The Open Secure Shell provides robust encryption to ensure data privacy and secure file transfers. Therefore, OpenSSH is widely used as a tool for remote administration.

Vulnerability CVE-2024-6387

The Qualys Threat Research Unit (TRU) has discovered a vulnerability in OpenSSH's server (sshd), which has been assigned the CVE code CVE-2024-6387. Qualsys has named the whole thing regresSSHion and disclosed it on July 1, 2024 in the blog postregreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server.

SHion: Kritische OpenSSH Server-Schwachstelle CVE-2024-6387

The vulnerability is found in glibc-based Linux systems and enables remote code execution, which sounds dangerous at first – which is why the vulnerability is also classified as "critical". Qualys writes that, based on research on Censys and Shodan, 14 million potentially vulnerable OpenSSH server instances have been identified that are accessible via the Internet. Anonymized data from Qualys CSAM 3.0 with External Attack Surface Management data shows that around 700,000 Internet-accessible instances are vulnerable. This corresponds to 31% of all Internet-accessible OpenSSH server instances. Interestingly, more than 0.14% of the vulnerable Internet instances with OpenSSH service are running an end-of-life/end-of-support version of OpenSSH, Qualys writes.

Regression of Old vulnerability from 2006

According to Qualys' explanations, the above vulnerability is a regression of the vulnerability CVE-2006-5051, which was reported in 2006 and has long since been patched. In this context, a regression means that the already fixed vulnerability reappears in a later software version. This can happen due to changes or updates, so that a vulnerability is present again. This regression was introduced in October 2020 (with OpenSSH 8.5p1). The following OpenSSH server versions under Linux are affected:

  • OpenSSH versions prior to 4.4p1 are vulnerable to this signal handler race condition if they are not patched for CVE-2006-5051 and CVE-2008-4109.
  • OpenSSH versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051 that made a previously insecure feature secure.
  • The vulnerability reappears in OpenSSH versions from 8.5p1 up to and including 9.8p1 due to the accidental removal of a critical component in a function.

OpenBSD systems are not affected by this flaw as OpenBSD developed a security mechanism in 2001 to prevent this vulnerability.

Qualys has developed a working exploit for the regreSSHion vulnerability with which the security researchers were able to gain root privileges. As part of the disclosure, the OpenSSH team was informed and the exploit was successfully demonstrated to them. The exploit is not published to allow time for patching.

Is the Internet on fire?

The Qualys security researchers write themselves: This vulnerability is difficult to exploit because it is a remote race condition. The security researchers needed several attempts for a successful attack. Exploitation can lead to memory corruption and requires overcoming Address Space Layout Randomization (ASLR).

And now it gets interesting: I came across this LinkedIn post on the topic by Jacob Williams. Williams sorts the whole thing out a little more precisely and writes that the Qualys security researchers needed about a week to obtain a root shell. Furthermore, the exploit has only been proven to work on x86 architectures. However, many OpenSSH servers are likely to be running the x64 version, where the vulnerability should be even more difficult to exploit.

The Qualys experts write: "Advances in deep learning can significantly increase the exploitation rate, which could give attackers a significant advantage in exploiting such vulnerabilities." But for now, it's a case of: Wait until the Linux distributions have patched this code again. Jacob Williams also writes in his LinkedIn post that most organizations do not need SSH, which is accessible via the Internet. He also writes that changing the default port for SSH in tests has reduced the number of failed login attempts by more than 95%. In addition, access could be blocked if 10,000 login attempts were suddenly registered from one IP address.

OpenSSH 9.8 available

OpenSSH 9.8 was also released on July 1, 2024, and it states "This release contains fixes for two security problems including a critical one." One security problem refers to the race condition described above. Details can be found in the release notes.

This entry was posted in Linux, Security, Software and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *