A newly discovered OpenSSH vulnerability, dubbed regreSSHion, allows remote attackers to gain root privileges on Linux systems using the glibc library. This flaw lets unauthenticated attackers execute arbitrary code and obtain root access. Given OpenSSH’s extensive use, this flaw’s impact could be as significant as the infamous Log4Shell.
REGRESSHION OPENSSH VULNERABILITY
On July 1, 2024, security researchers at Qualys disclosed a critical vulnerability in OpenSSH named RegreSSHion (CVE-2024-6387). The flaw allows unauthenticated remote code execution (RCE) with root privileges on servers and PCs running *nix systems with the standard glibc library. It affects versions below 4.4 and from 8.5 up to the fixed 9.8p1 release. The researchers tested the vulnerability under laboratory conditions on 32-bit Linux systems with ASLR (Address Space Layout Randomization) enabled.
The evaluation results are troubling for defenders. Exploiting the vulnerability requires 6-8 hours of continuous attempts, involving around 10,000 tries per attack. On 64-bit systems, exploitation may take up to a week, though no working exploit has been demonstrated.
Network scans report over 14 million vulnerable systems exposed to the Internet, with the actual number possibly exceeding 15 million.
The vulnerability is triggered when a client fails to authenticate within the LoginGraceTime period, which defaults to 120 seconds. When that timeout fires, the sshd SIGALRM handler calls functions that are not async-signal-safe, such as syslog(), so the interrupted execution state can be corrupted. By repeatedly hitting this timeout without completing authentication and sending about 10,000 specially crafted inputs, an attacker can shape the server’s memory layout so that the resulting heap corruption overwrites critical memory structures. This grants the attacker remote control with root privileges and the ability to execute arbitrary code.
This vulnerability is a regression of the previously identified CVE-2006-5051, which was patched in OpenSSH 4.4 back in 2006; hence the name “regreSSHion.” The bug was reintroduced by changes made during the development of OpenSSH 8.5.
Specifically, the removal of the “#ifdef DO_LOG_SAFE_IN_SIGHAND” block from the sigdie() function, which is called from the SIGALRM handler, allowed the old vulnerability to resurface. The result is a signal handler race condition that can lead to denial of service or potentially remote code execution.
POTENTIAL RISK
RegreSSHion, being an RCE vulnerability, poses a critical threat: it lets attackers compromise a system without any prior access, making exposed servers a prime target for intrusion and a foothold for lateral movement within networks.
Affected versions are those before 4.4p1 and those from 8.5p1 up to, but not including, the fixed 9.8p1 release. Despite its severity, the attack’s technical complexity and the need for knowledge of the target’s specific Linux version make widespread exploitation unlikely. OpenSSH on OpenBSD is unaffected thanks to long-standing protections, and servers with brute-force and DDoS defenses are likely to block the thousands of connection attempts such an attack requires. Adapting the exploit to other C libraries is theoretically possible but has not been demonstrated.
Fortunately, a patch has been released to address the vulnerability in OpenSSH. Users and administrators are advised to update sshd to version 9.8p1. If updating immediately isn’t feasible, experts suggest setting the LoginGraceTime parameter to 0 in sshd_config as a temporary mitigation, though this can result in a denial of service if all connection slots are occupied.
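As an added example (not code from the article, from Qualys or from the OpenSSH project), the following POSIX shell helpers classify an OpenSSH version banner against the affected ranges stated above and read the effective LoginGraceTime from a `sshd -T` configuration dump; the function names are my own, and the banner strings in the comments are constructed samples.

```shell
#!/bin/sh
# Affected ranges from the article: below 4.4p1 (the original CVE-2006-5051 bug)
# and 8.5p1 up to but not including 9.8p1 (the regression). Banners such as
# "OpenSSH_9.2p1 Debian-2+deb12u3" (ssh -V) or "SSH-2.0-OpenSSH_9.8p1" (server
# greeting) both carry the "OpenSSH_<major>.<minor>" token this script keys on.
# Caveat: many distributions backport the fix without bumping the upstream
# version, so a "vulnerable" result is a prompt to check the distro advisory,
# not proof of exposure.

# Turn "major.minor" from the banner into major*100+minor so ranges can be
# compared with plain shell arithmetic. Fails (status 1) if no OpenSSH token.
openssh_version_key() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    echo $(( $1 * 100 + $2 ))
}

# Print "vulnerable", "not_vulnerable" or "unknown" for one banner string.
regresshion_status() {
    key=$(openssh_version_key "$1") || { echo unknown; return 0; }
    if [ "$key" -lt 404 ] || { [ "$key" -ge 805 ] && [ "$key" -lt 908 ]; }; then
        echo vulnerable
    else
        echo not_vulnerable
    fi
}

# Read the effective LoginGraceTime from `sshd -T` output on stdin, which
# prints one lowercase "keyword value" pair per line. Prints "unset" if absent
# (sshd then uses its 120 second default). 0 is the article's stopgap setting.
logingracetime_from_dump() {
    awk '$1 == "logingracetime" { print $2; found = 1 }
         END { if (!found) print "unset" }'
}

# Stand-alone use on the local host: classify the installed client/server
# build, then show the grace time the running server config actually applies.
if [ "${0##*/}" != "sh" ] && [ -z "$REGRESSHION_LIB" ]; then
    regresshion_status "$(ssh -V 2>&1)"
    sshd -T 2>/dev/null | logingracetime_from_dump
fi
```

Run it with `REGRESSHION_LIB=1` set to source the functions without executing the local checks, for example when auditing banners collected from an inventory.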