Vulnerability in OpenSSH Server Let Hackers Launch Remote regreSSHion Attack on Linux

Researchers uncovered a severe vulnerability in the OpenSSH server (sshd) on glibc-based Linux systems.

The vulnerability, identified as CVE-2024-6387 and dubbed “regreSSHion,” allows unauthenticated remote code execution (RCE) as root, posing a significant security risk to affected systems.

According to Qualys researchers, the vulnerability is a signal handler race condition that affects the default configuration of sshd.

Searches using Censys and Shodan reveal that over 14 million OpenSSH server instances exposed to the Internet are potentially vulnerable.

Anonymized data from Qualys CSAM 3.0 indicates that approximately 700,000 external internet-facing instances are vulnerable, accounting for 31% of all such instances in their global customer base.

Interestingly, the vulnerability is a regression of a previously patched flaw, CVE-2006-5051, which was reported in 2006. The regression was inadvertently introduced in October 2020 with the release of OpenSSH 8.5p1.

OpenSSH versions earlier than 4.4p1 are vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109.

Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051.

However, the vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1. OpenBSD systems are unaffected by this bug.
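The version windows above (pre-4.4p1, 4.4p1 to 8.5p1, 8.5p1 to 9.8p1, OpenBSD-native unaffected) can be checked directly against the banner an SSH server sends. The following is an added example for triaging a list of banners, not code from the article, Qualys or OpenSSH; the banner format and sample banners are assumptions and constructed, and a "vulnerable" verdict from the version string alone is only a prompt to verify, since distributions frequently backport the fix without changing the upstream version number.

```python
import re

# Banner format assumed: "SSH-2.0-OpenSSH_<major>.<minor>[.<patch>][p<N>] [comment]".
# Portable OpenSSH carries a "pN" suffix; OpenBSD-native builds do not.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, patch, portable) or None if not an OpenSSH banner.

    'portable' is None for OpenBSD-native builds (no "pN" in the banner).
    """
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0),
            int(portable) if portable is not None else None)


def classify(banner):
    """Map a banner to the version ranges quoted in the article (string check only).

    Distro backports keep the upstream version string, so treat a 'vulnerable'
    verdict as "check the package changelog", not as proof of exposure.
    """
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown"                      # not OpenSSH; nothing to say
    if v[3] is None:
        return "openbsd-native-unaffected"    # article: OpenBSD is unaffected
    if v < (4, 4, 0, 1):
        return "vulnerable-unless-patched-for-CVE-2006-5051"
    if v < (8, 5, 0, 1):
        return "not-vulnerable"               # carries the 2006 fix
    if v < (9, 8, 0, 1):
        return "vulnerable-CVE-2024-6387"     # regression window 8.5p1..9.7p1
    return "fixed"


def triage(banners):
    """Count verdicts over a list of banners (e.g. a scan export)."""
    counts = {}
    for b in banners:
        verdict = classify(b)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [  # constructed banners, not real hosts
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4",
        "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-OpenSSH_9.7",
        "SSH-2.0-dropbear_2022.83",
    ]
    for banner in sample:
        print(f"{banner:45} {classify(banner)}")
    print(triage(sample))
```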

The potential impact of the regreSSHion vulnerability is severe, as it could lead to complete system compromise, allowing attackers to execute arbitrary code with the highest privileges, install malware, manipulate data, and create persistent backdoors.

Gaining root access would enable attackers to bypass critical security mechanisms and potentially cause significant data breaches.

Qualys is releasing QIDs to help identify vulnerable assets and has created a “Manage regreSSHion” dashboard to assist customers in tracking and managing the vulnerability exposure within their organizations.

OpenSSH 9.8 was released

OpenSSH, the widely used secure communication suite, has released version 9.8. This update addresses a critical vulnerability that could allow arbitrary code execution with root privileges on affected systems.

The Qualys Security Advisory Team discovered and reported the vulnerability, present in Portable OpenSSH versions 8.5p1 to 9.7p1.

According to the OpenSSH release notes, the vulnerability has been successfully exploited on 32-bit Linux/glibc systems with Address Space Layout Randomization (ASLR).

Under lab conditions, the attack requires an average of 6-8 hours of continuous connections up to the maximum the server will accept.

Exploitation on 64-bit systems is believed to be possible but has not been demonstrated.

OpenSSH 9.8 also addresses a minor logic error in the ssh ObscureKeystrokeTiming feature, which rendered the feature ineffective in versions 9.5 through 9.7 when connected to an OpenSSH server version 9.5 or later.

In addition to the security fixes, OpenSSH 9.8 introduces new features, including an sshd mechanism to penalize client addresses that repeatedly fail authentication or cause the server to crash.

This feature, controlled by the new PerSourcePenalties option, is designed to make it more difficult for attackers to find accounts with weak passwords or exploit bugs in sshd(8).

To mitigate the risk, organizations are advised to apply available patches for OpenSSH promptly, limit SSH access through network-based controls, implement network segmentation, and deploy intrusion detection systems to monitor for unusual activities indicative of exploitation attempts.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Co-Founder & Editor-in-Chief - Cyber Press Inc.
