“RegreSSHion” Vulnerability in OpenSSH Grants Attackers Root Access on Linux Systems

Researchers have identified a critical vulnerability in the OpenSSH networking utility, known as “RegreSSHion” (CVE-2024-6387). This flaw allows attackers to gain complete control over Linux and Unix servers without requiring any authentication.

Complete System Takeover

Bharat Jogi, Senior Director of Threat Research at Qualys, stated, “This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization.”

The Risk and Impact

OpenSSH plays a central role in virtually every internal network connected to the Internet, providing a secure channel for administrators to connect to protected devices remotely or within a network. This utility’s ability to support multiple encryption protocols and its integration into almost all modern operating systems make it critical for network security.

The CVE-2024-6387 vulnerability allows unauthenticated remote code execution with root privileges on Linux systems using glibc. The flaw originates from a code regression introduced in 2020, which reintroduced the CVE-2006-5051 vulnerability that was previously fixed in 2006. This puts thousands, if not millions, of servers at significant risk.

Technical Details

The flaw stems from unsafe signal handling in sshd, the OpenSSH server daemon, on systems that use glibc. When a client opens a connection but fails to authenticate within the default login grace time (120 seconds), the vulnerable sshd runs its SIGALRM handler asynchronously. Qualys has named the vulnerability “regreSSHion.”

Mitigating Factors

While the threat is severe, certain factors reduce the likelihood of mass exploitation:

  1. Execution Time: The attack can take up to eight hours and may require roughly 10,000 authentication attempts.
  2. Address Space Layout Randomization (ASLR): This defense mechanism makes it harder for attackers to run malicious code.
  3. Target-Specific Knowledge: Attackers must know the specific operating system running on each targeted server.
  4. System Architecture: Exploitation of 64-bit systems has not been found feasible because of the much larger address space.
  5. Connection Rate Limiting: Limiting the number of connection requests (the same control that blunts denial-of-service floods) can thwart exploitation attempts.

Targeted Attack Risks

Despite these limitations, there’s still a risk of targeted attacks. Attackers could attempt numerous authentication requests over several days, spreading attempts across many IP addresses to evade detection, similar to password-spraying attacks.

Vulnerable Versions

  • OpenSSH versions earlier than 4.4p1 are vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109.
  • Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable because of the patch for CVE-2006-5051.
  • Versions from 8.5p1 up to, but not including, 9.8p1 are vulnerable because a critical component of a function was accidentally removed.
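To turn the version ranges above into a triage check over SSH banners, here is an added example (not code from the article or from OpenSSH or Qualys). It parses the `OpenSSH_<major>.<minor>[p<n>]` token from a banner and applies the three ranges; the sample banners are constructed. Because distributions backport fixes without bumping the upstream version, treat the result as a triage hint and confirm against the package changelog.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample banners, as sshd sends them on connect (not real hosts).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_4.3",
    "SSH-2.0-OpenSSH_7.4",
    "SSH-2.0-OpenSSH_8.5p1",
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-dropbear_2022.83",
]

# Classification labels, mirroring the article's version ranges.
VULN_UNLESS_PATCHED = "vulnerable unless patched for CVE-2006-5051/CVE-2008-4109"
NOT_VULNERABLE = "not vulnerable"
VULNERABLE = "vulnerable (CVE-2024-6387)"
FIXED = "fixed"
NOT_OPENSSH = "not OpenSSH"

# Matches "OpenSSH_9.2p1"; the portable "pN" suffix is optional (OpenBSD
# builds omit it) and is ignored, since the ranges are keyed on major.minor.
_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p\d+)?")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an SSH banner, or None if it is not OpenSSH."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def classify(banner: str) -> str:
    """Apply the article's three version ranges to one banner."""
    version = parse_openssh_version(banner)
    if version is None:
        return NOT_OPENSSH
    if version < (4, 4):        # before 4.4p1
        return VULN_UNLESS_PATCHED
    if version < (8, 5):        # 4.4p1 up to, but not including, 8.5p1
        return NOT_VULNERABLE
    if version < (9, 8):        # 8.5p1 up to, but not including, 9.8p1
        return VULNERABLE
    return FIXED                # 9.8p1 and later


def triage(banners) -> Dict[str, str]:
    """Map each banner to its classification."""
    return {b: classify(b) for b in banners}


if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{banner:45} -> {verdict}")
```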

Recommendations

Anyone running a vulnerable version of OpenSSH should update to a non-vulnerable version as soon as possible to mitigate this critical security risk.