A new OpenSSH unauthenticated remote code execution (RCE) vulnerability dubbed “regreSSHion” gives root privileges on glibc-based Linux systems.
OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP.
The flaw, discovered by researchers at Qualys in May 2024, and assigned the identifier CVE-2024-6387, is due to a signal handler race condition in sshd that allows unauthenticated remote attackers to execute arbitrary code as root.
“If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd’s SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe,” explains a Debian security bulletin.
“A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges.”
Exploitation of regreSSHion can have severe consequences for the targeted servers, potentially leading to complete system takeover.
“This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization.”
❖ Qualys
Despite the flaw’s severity, Qualys says regreSSHion is hard to exploit and requires multiple attempts to achieve the necessary memory corruption.
However, it’s noted that AI tools may be used to overcome the practical difficulties and increase the successful exploitation rate.
Qualys has also published a more technical write-up that delves deeper into the exploitation process and potential mitigation strategies.
Mitigating regreSSHion
The regreSSHion flaw impacts OpenSSH servers on Linux from version 8.5p1 up to, but not including 9.8p1.
Versions 4.4p1 up to, but not including 8.5p1 are not vulnerable to CVE-2024-6387 thanks to a patch for CVE-2006-5051, which secured a previously unsafe function.
Versions older than 4.4p1 are vulnerable to regreSSHion unless they are patched for CVE-2006-5051 and CVE-2008-4109.
Qualys also notes that OpenBSD systems are not impacted by this flaw thanks to a secure mechanism introduced back in 2001.
The security researchers also note that while regreSSHion likely also exists on macOS and Windows, its exploitability on these systems hasn’t been confirmed. A separate analysis is required to determine if those operating systems are vulnerable.
To address or mitigate the regreSSHion vulnerability in OpenSSH, the following actions are recommended:
- Apply the latest available update for the OpenSSH server (version 9.8p1), which fixes the vulnerability.
- Restrict SSH access using network-based controls such as firewalls and implement network segmentation to prevent lateral movement.
- If the OpenSSH server cannot be updated immediately, set the ‘LoginGraceTime’ to 0 in the sshd configuration file, but note that this can expose the server to denial-of-service attacks.
Scans from Shodan and Censys reveal over 14 million internet-exposed OpenSSH servers, but Qualys confirmed a vulnerable status for 700,000 instances based on its CSAM 3.0 data.
