'RegreSSHion' Vulnerability in OpenSSH Potentially Puts 700K Linux Boxes at Risk
The vulnerability, a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems, posing a security risk. This issue affects sshd in its default configuration.
- The Qualys Threat Research Unit (TRU) has discovered a Remote Unauthenticated Code Execution RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems. CVE assigned to this vulnerability is CVE-2024-6387.
"We have identified over 14 million potentially vulnerable OpenSSH server instances exposed to the Internet. Anonymized data from Qualys CSAM 3.0 with External Attack Surface Management data reveals that approximately 700,000 external internet-facing instances are vulnerable. This accounts for 31% of all internet-facing instances with OpenSSH in our global customer base," writes Qualys.
- If exploited, the vulnerability allows attackers to fully compromise a system. They can execute arbitrary code with the highest privileges, leading to complete system control, malware installation, data manipulation, and creation of backdoors for persistent access. It also enables network propagation, letting attackers use the compromised system to exploit other vulnerable systems within the organization.
- "Bitcoiners running lightning nodes with a remote ssh access, you want to patch ASAP. So far the exploit is not trivial, but the risk is huge," said developer Antoine Poinsot on X.
Affected OpenSSH versions
The vulnerability impacts the following OpenSSH server versions:
- Open SSH version between 8.5p1-9.8p1
- Open SSH versions earlier than 4.4p1, if they’ve not backport-patched against CVE-2006-5051 or patched against CVE-2008-4109
The SSH features in PAN-OS are not affected by CVE-2024-6387.
Mitigation
- Apply available patches for OpenSSH and prioritize ongoing update processes.