Unauthenticated OpenSSH RCE Vulnerability ‘regreSSHion’ Threatens Linux Servers

July 1, 2024

A new unauthenticated remote code execution (RCE) vulnerability in OpenSSH, known as 'regreSSHion', has been identified, which can provide root privileges on glibc-based Linux systems. OpenSSH is a widely used suite of networking utilities that operate on the Secure Shell (SSH) protocol, facilitating secure remote login, remote server management, and file transfers via SCP and SFTP.

The vulnerability, detected by Qualys researchers in May 2024, and tagged as CVE-2024-6387, is a result of a signal handler race condition in sshd, permitting unauthenticated remote attackers to execute arbitrary code as root. As explained in a Debian security bulletin, 'If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe,' adding that a remote unauthenticated attacker can exploit this flaw to execute arbitrary code with root privileges.

The exploitation of regreSSHion can lead to serious implications for the targeted servers, potentially culminating in a total system takeover. If exploited, this vulnerability could result in full system compromise where an attacker can execute arbitrary code with the highest privileges, leading to a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. It could also enable network propagation, allowing attackers to use a compromised system as a launchpad to traverse and exploit other vulnerable systems within the organization.

Despite the severity of the flaw, Qualys states that regreSSHion is challenging to exploit and numerous attempts are needed to achieve the necessary memory corruption. However, AI tools could potentially be used to overcome these practical difficulties and increase the successful exploitation rate. Qualys has also released a more technical write-up detailing the exploitation process and potential mitigation strategies.

The regreSSHion vulnerability affects OpenSSH servers on Linux from version 8.5p1 up to, but not including 9.8p1. Versions 4.4p1 up to, but not including 8.5p1 are not vulnerable to CVE-2024-6387 due to a patch for CVE-2006-5051, which secured a previously unsafe function. Versions older than 4.4p1 are susceptible to regreSSHion unless they are patched for CVE-2006-5051 and CVE-2008-4109.

OpenBSD systems are not affected by this flaw thanks to a secure mechanism introduced back in 2001. While regreSSHion likely also exists on macOS and Windows, its exploitability on these systems hasn't been confirmed. A separate analysis is required to determine if those operating systems are vulnerable.

To address or mitigate the regreSSHion vulnerability in OpenSSH, several actions are recommended. Scans from Shodan and Censys reveal over 14 million internet-exposed OpenSSH servers, but Qualys confirmed a vulnerable status for 700,000 instances based on its CSAM 3.0 data.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.