Qualys security researchers disclosed (on July 1, 2024) a severe OpenSSH flaw that threatens millions of servers worldwide. The vulnerability, tracked as CVE-2024-6387 and nicknamed “regreSSHion,” allows an unauthenticated remote attacker to execute code as root on affected glibc-based Linux systems.
The bug is a regression of a problem fixed in 2006 under CVE-2006-5051. It was reintroduced by a logging-infrastructure change committed in October 2020 and first shipped in OpenSSH 8.5p1 (released March 2021); versions 8.5p1 through 9.7p1 are affected, and the fix landed in 9.8p1. The root cause is a race condition in sshd’s signal handler that can corrupt the process heap, and in the worst case that corruption is turned into remote code execution.
Technical Insights
The issue originates in sshd’s SIGALRM handler. If a client has not finished authenticating within LoginGraceTime (120 seconds by default), the alarm fires and the handler runs asynchronously, in whatever state the process happens to be in. That handler calls functions such as syslog(), which are not async-signal-safe because they may call malloc() and free(). An attacker who opens many connections that never complete authentication, and who times the final bytes of a message so that the alarm interrupts sshd in the middle of a heap operation, can corrupt the allocator’s state. ASLR makes this harder but not impossible: Qualys demonstrated a working exploit against 32-bit Linux systems using the glibc C library, needing on average six to eight hours of continuous connection attempts against a server, and considers 64-bit exploitation likely feasible although it has not been demonstrated.
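The pattern just described, as an added example that is not OpenSSH’s own code: grace_alarm_unsafe() has the shape of the regressed handler (logging, and therefore possible malloc()/free(), from inside a SIGALRM handler), while grace_alarm_safe() shows the hardened shape in which the handler only stores a flag and all logging happens later from normal context. The function names, the sig_atomic_t flag and the check_login_grace() helper are assumptions made for this illustration; the principle (nothing in the handler that is not async-signal-safe) is the one behind the upstream fix.

```c
/*
 * Added example, not OpenSSH code: a login-grace timeout handler written
 * the vulnerable way and the safe way.
 *
 * grace_alarm_unsafe(): the regreSSHion shape. syslog() formats a message
 * and may call malloc()/free(); if SIGALRM arrives while the main code is
 * inside the allocator, the heap is left in an inconsistent state. That is
 * the race an attacker wins by timing when the grace period expires.
 *
 * grace_alarm_safe(): only async-signal-safe work (a sig_atomic_t store).
 * The main loop notices the flag and logs from ordinary context.
 */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

static volatile sig_atomic_t grace_expired = 0;

/* VULNERABLE pattern (shown for contrast, never installed below). */
void grace_alarm_unsafe(int sig)
{
    (void)sig;
    /* Not async-signal-safe: may take the allocator lock or call malloc(). */
    syslog(LOG_INFO, "Timeout before authentication");
    /* exit() runs atexit() handlers and flushes stdio: also unsafe here. */
    exit(1);
}

/* HARDENED pattern: record the event, do nothing else. */
static void grace_alarm_safe(int sig)
{
    (void)sig;
    grace_expired = 1;
    /* A handler that only calls _exit() would be equally safe. */
}

/*
 * Install the safe handler and arm the grace timer. seconds == 0 disables
 * the timer, which is what "LoginGraceTime 0" does in sshd_config.
 * Returns 0 on success, -1 if sigaction() fails.
 */
int arm_login_grace(unsigned int seconds)
{
    struct sigaction sa;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_alarm_safe;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;            /* no SA_RESTART: blocking reads return EINTR */
    if (sigaction(SIGALRM, &sa, NULL) == -1)
        return -1;
    grace_expired = 0;
    alarm(seconds);
    return 0;
}

/*
 * Called from the main loop after every blocking call returns. This runs in
 * normal context, so logging (and any other allocation) is safe here.
 * Returns 1 if the grace period has expired, 0 otherwise.
 */
int check_login_grace(void)
{
    if (!grace_expired)
        return 0;
    syslog(LOG_INFO, "Timeout before authentication (logged outside the handler)");
    return 1;
}

/* Stand-alone demo: a one-second grace period that expires while we wait. */
int main(void)
{
    openlog("grace-demo", LOG_PID, LOG_AUTH);
    if (arm_login_grace(1) == -1)
        return 1;
    pause();                    /* returns once the handler has run */
    return check_login_grace() == 1 ? 0 : 1;
}
```

The difference between the two handlers is not what they log but where the logging happens: in the safe variant the signal handler touches only a `volatile sig_atomic_t`, and the main loop, which is never interrupted mid-allocation by itself, does the syslog() call.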
Internet scans using Censys and Shodan suggest that over 14 million internet-exposed OpenSSH servers are potentially vulnerable. Qualys CSAM 3.0 data indicates that approximately 700,000 of these are externally exposed instances in its customer base, accounting for 31% of all internet-facing OpenSSH instances in that global customer network. This broad exposure makes prompt mitigation a priority.
Mitigation and Recommendations
The flaw has a CVSS base score of 8.1. Administrators should update to OpenSSH 9.8p1 or later, or to a distribution package that backports the fix, as soon as possible; note that distributions often keep the upstream version string while backporting, so a bare version-banner check is only a heuristic. Where patching is not immediately possible, setting LoginGraceTime to 0 in sshd_config (followed by `sshd -t` to validate and a reload of the service) removes the vulnerable SIGALRM path. The trade-off is that sshd then becomes easier to deny service to, because unauthenticated connections can sit open until MaxStartups is exhausted. Because exploitation requires thousands of connection attempts over several hours, restricting access to sshd by source address, rate-limiting new SSH connections at the firewall, and alerting on bursts of unauthenticated connections are effective additional controls.
OpenBSD deployments aren’t susceptible to this vulnerability. OpenBSD’s sshd signal handler uses syslog_r(), an async-signal-safe variant of syslog() that OpenBSD introduced in 2001, so the handler never re-enters the heap allocator.
Successful exploitation means full system compromise: arbitrary code runs with root privileges, which gives the attacker control of the host and lets them deploy malware, exfiltrate data, and establish persistence. A compromised host can also serve as a foothold for attacking other devices on the same network.
Last Updated on November 7, 2024 3:43 pm CET