
A nasty regreSSHion bug in OpenSSH puts an estimated 700K Linux boxes at risk

Glibc-based Linux systems are vulnerable to a new bug (CVE-2024-6387) in the OpenSSH server (sshd) and should upgrade to the latest version.

Infosec researchers at Qualys published their findings today, revealing that sshd is vulnerable to a race condition that could allow an unauthenticated attacker to achieve remote code execution (RCE) on potentially hundreds of thousands of targets. Successful exploitation could give attackers root-level access to a system, allowing them to potentially get away with almost anything.

Of the 14 million potentially vulnerable sshd instances that show up in Censys and Shodan scans, Qualys believes that roughly 700,000 of those Internet-facing instances are possibly affected by regreSSHion — the name the researchers gave the flaw based on its roots.

“In our security analysis, we determined that this vulnerability is a regression of the previously patched CVE-2006-5051 vulnerability that was reported in 2006,” Qualys said. “A regression in this context means that a flaw, once fixed, has reappeared in a subsequent version of the software, usually due to changes or updates that inadvertently reintroduce the problem.”

“This incident highlights the critical role of comprehensive regression testing in preventing known vulnerabilities from being reintroduced into the environment. This regression was introduced in October 2020 (OpenSSH 8.5p1).”

Damien Miller, founder of the portable OpenSSH project and maintainer since 1999, said in an online discussion that anything running glibc is likely vulnerable. Systems with a 32-bit architecture have been shown to be, and 64-bit systems are likely at risk as well.

The notable exception here is OpenBSD. Systems running the OS can safely ignore all of this thanks to a security tweak made in 2001.

According to Qualys’ more detailed advice, if a client does not authenticate within LoginGraceTime – a parameter that sets the maximum time it can take for a successful sshd authentication attempt, set to 120 seconds by default – then the server’s SIGALRM handler is called asynchronously.

This signal handler can then call functions that are not async-signal-safe, such as syslog() – a loophole that attackers can use to ultimately execute arbitrary code. From there, it may be possible to operate at root level, perform a full system takeover, deploy malware, and implant backdoors, all while evading security measures.

A quick side note: That OpenBSD “security setting” we mentioned is related to the syslog() call. Since 2001, OpenBSD’s SIGALRM handler has called syslog_r() instead – a safer, async-signal-safe variant of syslog() – so OpenBSD is not affected by regreSSHion.

While the consequences of a successful exploit can be dire, it will actually require some patience. According to the OpenSSH team and its release notes for version 9.8, which includes the fix for CVE-2024-6387, it took between six and eight hours in the lab to overcome the race condition.

The Qualys tests were slightly faster, taking about three to four hours and about 10,000 tries to beat it. However, it took six to eight hours to obtain the root shell because, due to ASLR, the researchers could only guess the glibc address correctly half of the time.

“This vulnerability is challenging to exploit due to its remote race nature, which requires multiple attempts to successfully attack,” it said. “This can cause memory corruption and force Address Space Layout Randomization (ASLR) to be overcome. Advances in deep learning can greatly increase the rate of exploitation, potentially giving attackers a significant advantage in exploiting such vulnerabilities.”


All versions of OpenSSH earlier than 4.4p1 are vulnerable unless they have applied fixes for CVE-2006-5051 and CVE-2008-4109. Versions 8.5p1 up to but not including 9.8p1 are also vulnerable. Versions 4.4p1 up to but not including 8.5p1 are not affected because CVE-2006-5051 is handled by default.

In addition to applying the fixes, Qualys recommended that organizations restrict SSH access through network controls and segment networks along with monitoring systems that alert administrators to exploit attempts.

Despite the regreSSHion bug, Qualys had nothing but positive things to say about the OpenSSH project, saying the discovery was “one blip in an otherwise nearly flawless implementation.”

“Its deep design and security code are a model and an inspiration, and we thank the OpenSSH developers for their exemplary work,” it added.

Ubuntu has published updated packages, and NixOS has also been busy for the past few hours getting a fix out to its users.

Check your distro for updates – there probably will be. ®
