Recently, Qualys identified a new remote unauthenticated code execution (RCE) vulnerability in OpenSSH's server (sshd) on glibc-based Linux systems, nicknamed regreSSHion (CVE-2024-6387).
Curiously, this critical OpenSSH vulnerability is a regression of a previously patched vulnerability flagged in 2006 (CVE-2006-5051), which was re-introduced in October 2020 with OpenSSH 8.5p1.
Who is Impacted?
Potentially, over 14 million internet-facing OpenSSH servers are exposed to the regreSSHion vulnerability, with the affected versions as follows:
| Version | Vulnerability | Determination |
| --- | --- | --- |
| OpenSSH < 4.4p1 | Not patched for CVE-2006-5051 and CVE-2008-4109 | Vulnerable |
| 4.4p1 <= OpenSSH < 8.5p1 | None | Not vulnerable |
| 8.5p1 <= OpenSSH < 9.8p1 | CVE-2024-6387 | Vulnerable |
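The version table above, turned into a triage check that classifies `ssh -V` output or SSH-2.0 identification banners (added example, not code from the original post or from Astra). The sample banners are constructed; since every boundary in the table falls on the first portable release (pN = p1) of a minor version, the check compares only major.minor, which is an assumption of this example.

```python
import re
from typing import Dict, Optional, Tuple

# Matches "OpenSSH_9.6p1 Ubuntu-3ubuntu13" from `ssh -V` as well as the
# "SSH-2.0-OpenSSH_9.6p1" identification banner sent by sshd on connect.
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Boundaries from the table: [4.4p1, 8.5p1) clean, [8.5p1, 9.8p1) CVE-2024-6387.
# Each boundary is the first (p1) release of its minor version, so comparing
# (major, minor) is sufficient (assumption stated in the lead-in).
_FIRST_FIX_2006 = (4, 4)
_REGRESSION_START = (8, 5)
_REGRESSION_FIX = (9, 8)


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) for an OpenSSH banner, or None if not OpenSSH."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def classify(banner: str) -> str:
    """Map a banner onto the table's Determination column."""
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown (not an OpenSSH banner)"
    if v < _FIRST_FIX_2006:
        return "vulnerable (unpatched CVE-2006-5051 / CVE-2008-4109)"
    if v < _REGRESSION_START:
        return "not vulnerable"
    if v < _REGRESSION_FIX:
        return "vulnerable (CVE-2024-6387)"
    return "not vulnerable"


def classify_all(banners) -> Dict[str, str]:
    """Classify a collection of banners, e.g. gathered from an asset inventory."""
    return {b: classify(b) for b in banners}


if __name__ == "__main__":
    # Constructed sample banners, not taken from any real host.
    for banner, verdict in classify_all([
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
        "OpenSSH_8.4p1 Debian-5+deb11u3, OpenSSL 1.1.1w",
        "SSH-2.0-OpenSSH_9.8",
        "SSH-2.0-OpenSSH_4.3",
        "SSH-2.0-dropbear_2022.83",
    ]).items():
        print(f"{banner:50} -> {verdict}")
```

Distributions routinely backport the fix without bumping the upstream version string, so a banner-only check over-reports; confirm a "vulnerable" verdict against the vendor's package changelog before acting on it.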
How Can a Potential Attack be Executed?
Since the exploit details are publicly available on GitHub, they are summarized below:
1. Rapid Connection Attempts: The attacker initiates a large number of connections to the OpenSSH server very quickly.
2. Incomplete Authentication: Instead of completing the login process, the attacker abruptly disconnects before providing valid credentials. This triggers the server’s signal handler.
3. Asynchronous Calls: Rapid connection and disconnection overwhelm the server, causing the signal handler to be invoked asynchronously and leaving the server's memory in an unstable state.
4. Unpredictable Outcome (the Race): In such a state, the attacker has a chance (albeit a difficult one) to inject malicious code and potentially gain control of the server.
Nonetheless, because the race is asynchronous, exploitation may require many attempts and is not guaranteed to succeed, although advances in deep learning and AI may make such attempts more practical for malicious use.
If successful, attackers can install malware, steal data, and create backdoors for long-term access, turning the compromised system into a launching point for further attacks. Furthermore, root access allows them to bypass security controls, escalating the damage.
Astra's Vulnerability Scanner is Actively Detecting regreSSHion, the Critical OpenSSH Vulnerability
Our research team is constantly on the lookout for emerging threats like the regreSSHion vulnerability. This vigilance allows us to proactively develop and implement detection mechanisms even before these vulnerabilities are widely known.
Astra Pentest is built by the team of experts that helped secure Microsoft, Adobe, Facebook, and Buffer.