RegreSSHion: Critical RCE Vulnerability Discovered in OpenSSH

A recently discovered vulnerability in OpenSSH, dubbed “regreSSHion” (CVE-2024-6387), has security professionals scrambling to patch their systems. This blog post will dive into the details of this critical vulnerability, including affected systems, versions, exploit availability, and patching procedures.

What is regreSSHion?

RegreSSHion is a remote unauthenticated code execution (RCE) vulnerability in the OpenSSH server. It is a race condition caused by unsafe handling of signals during user authentication timeouts. An attacker could potentially leverage this flaw to gain full root access on vulnerable systems.

Affected Systems and Versions

The vulnerability primarily affects OpenSSH server implementations on glibc-based Linux systems. Specifically, versions released after October 2020 (OpenSSH 8.5p1) are susceptible.

The scope of regreSSHion is significant. Researchers identified over 14 million potentially vulnerable OpenSSH servers exposed directly to the internet. Even more concerning, a substantial portion (around 700,000) are actively internet-facing, making them prime targets for attackers. This represents roughly a third of all internet-facing OpenSSH servers within the analyzed data. To make matters worse, a small but concerning percentage of these vulnerable systems are running outdated, unsupported versions of OpenSSH, further increasing their risk.

Exploit Availability

The Qualys Threat Research Unit, which discovered the vulnerability, has confirmed the existence of a working exploit. This significantly increases the risk of exploitation, so patching is crucial.

While tools like Censys and Shodan do a great job at identifying vulnerable systems, plenty of tools, such as the following, have been released to manually verify the existence of the vulnerability.

https://github.com/thegenetic/CVE-2024-6387-exploit

https://github.com/xaitax/CVE-2024-6387_Check

How to Patch?

System administrators should prioritize patching vulnerable OpenSSH servers to an unaffected version as soon as possible. Several resources are available to guide the patching process, including advisories from your Linux distribution vendor and security solution providers.

Take a look at Qualys’ blog for detailed information on patching and remediation: https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

Additional Mitigations

While patching remains the ultimate solution, some additional steps can be taken to mitigate the risk before a patch is applied. These might include:

  • Limiting SSH access: Restricting SSH access to specific IP addresses or implementing multi-factor authentication can make exploitation more difficult.
  • Monitoring for suspicious activity: Security teams should closely monitor logs for any signs of attempted exploitation.

Conclusion

RegreSSHion is a serious vulnerability with the potential for widespread impact. By understanding the affected systems, prioritizing patching, and implementing additional mitigations, organizations can significantly reduce their risk. Remember, staying informed and taking proactive measures are essential for maintaining a strong security posture.
