RegreSSHion OpenSSH Vulnerability Enables RCE

Home/BOTNET, Compromised, Exploitation, rce, RCE Flaw, Security Advisory, Security Update, vulnerability/RegreSSHion OpenSSH Vulnerability Enables RCE

RegreSSHion OpenSSH Vulnerability Enables RCE

A newly discovered OpenSSH vulnerability, dubbed regreSSHion, allows remote attackers to gain root privileges on Linux systems using the glibc library. This flaw lets unauthenticated attackers execute arbitrary code and obtain root access. Given OpenSSH’s extensive use, this flaw’s impact could be as significant as the infamous Log4Shell.


On July 1, 2024, cybersecurity experts from Qualys disclosed a critical vulnerability in OpenSSH named RegreSSHion (CVE-2024-6387). This flaw allows remote code execution (RCE) with root privileges on servers and PCs running *nix systems with the standard Glibc library. It affects versions below 4.4 and above 8.5. Experts tested the vulnerability in laboratory conditions on 32-bit Linux systems with ASLR (Address Space Layout Randomization) enabled.

The evaluation results are troubling for defenders. Exploiting the vulnerability requires 6-8 hours of continuous attempts, involving around 10,000 tries per attack. On 64-bit systems, exploitation may take up to a week, though no working exploit has been demonstrated.

Network scans report over 14 million vulnerable systems exposed to the Internet, with the actual number possibly exceeding 15 million.

The vulnerability bypasses client authentication during the LoginGraceTime period, which defaults to 120 seconds. By repeatedly triggering this timeout without completing authentication, an attacker can cause the sshd SIGALRM handler to call unsafe functions like syslog(), leading to execution state corruption. The exploit involves sending about 10,000 specially crafted inputs to manipulate the server’s memory layout, causing heap corruption and allowing critical memory structure overwriting. This grants the attacker remote control with root privileges and the ability to execute arbitrary code.

This vulnerability is a regression of the previously identified CVE-2006-5051, which was patched in version 4.4 back in 2006. Named “regreSSHion,” this bug affects OpenSSH due to changes made during the development of OpenSSH 8.5.

Specifically, the removal of the block “#ifdef DO_LOG_SAFE_IN_SIGHAND” from the sigdie() function, which is called from the SIGALRM handler, allowed the old vulnerability to resurface. This regression involves a signal handler race condition that can lead to denial of service or potentially remote code execution.


RegreSSHion, an RCE vulnerability, poses a critical threat by allowing attackers to infiltrate systems without initial access, making it a prime target for cyberattacks and lateral movement within networks.

Affected versions include those before 4.4p1 and between 8.5p1 and 9.8p1. Despite its severity, the attack’s technical complexity and the need for specific Linux version knowledge make widespread exploitation unlikely. OpenSSH on OpenBSD is unaffected due to long-standing protections, and servers with brute force and DDoS defenses are likely to block such attacks. While adaptation for other libraries is theoretically possible, it hasn’t been demonstrated.

Fortunately, a patch has been released to address the vulnerability in OpenSSH. Users and administrators are advised to update SSHD to version 9.8p1. If immediate updating isn’t feasible, experts suggest setting the LoginGraceTime parameter to 0 as a temporary measure, though this may result in a denial of service if all connection slots are occupied.

‍Follow Us on: Twitter, InstagramFacebook to get the latest security news!

By | 2024-07-05T22:06:57+05:30 July 4th, 2024|BOTNET, Compromised, Exploitation, rce, RCE Flaw, Security Advisory, Security Update, vulnerability|

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!