OpenSSH Vulnerability: OpenSSH Servers at Risk from Remote regreSSHion Attack

 

A critical vulnerability (named "regreSSHion") has been discovered in OpenSSH servers, impacting millions. This flaw allows attackers to remotely execute malicious code with the highest privileges (root access) without any authentication. Immediate action is required to patch vulnerable systems.

A critical flaw named regreSSHion (CVE-2024-6387) has been discovered by Qualys' threat research unit. This vulnerability in the OpenSSH server process sshd is comparable in severity to the notorious Log4Shell vulnerability from 2021. The flaw stems from a signal handler race condition, allowing unauthenticated remote code execution with root privileges on glibc-based Linux systems. Its potential impact on Windows and macOS remains unclear.

Exploitation of the regreSSHion vulnerability can result in a complete system takeover, facilitating malware installation and the creation of backdoors. OpenSSH, which secures data communications in a client-server architecture, is extensively utilized by enterprises for remote server management.

Qualys' research, supported by Shodan and Censys services, identified over 14 million potentially vulnerable OpenSSH instances accessible from the internet, with approximately 700,000 internet-exposed systems among their own customers appearing vulnerable.

The vulnerability, a regression of a previously patched issue (CVE-2006-5051), was reintroduced in October 2020 with OpenSSH 8.5p1. However, it was recently removed accidentally with the release of OpenSSH 9.8p1. OpenBSD systems are unaffected due to a protective mechanism introduced in 2001.

Organizations unable to upgrade immediately can apply forthcoming patches from vendors. While Qualys has shared technical details of regreSSHion, they have withheld proof-of-concept (PoC) code to prevent malicious exploitation, instead offering indicators of compromise (IoCs) to aid in detecting potential attacks.

Impacted OpenSSH versions:

• Versions earlier than 4.4p1: Vulnerable to the signal handler race condition unless patched for CVE-2006-5051 and CVE-2008-4109.
• Versions 4.4p1 up to (but not including) 8.5p1: Not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.
• Versions 8.5p1 up to (but not including) 9.8p1: Vulnerable again due to the accidental removal of a critical component in a function.

Note: OpenBSD systems are unaffected by this bug, as OpenBSD developed a secure mechanism in 2001 that prevents this vulnerability.

Consequences of regreSSHion

This vulnerability, if exploited, could lead to full system compromise, allowing an attacker to execute arbitrary code with the highest privileges. This could result in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. Additionally, it could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization.

Moreover, gaining root access would enable attackers to bypass critical security mechanisms such as firewalls, intrusion detection systems, and logging mechanisms, further obscuring their activities. This could also result in significant data breaches and leakage, giving attackers access to all data stored on the system, including sensitive or proprietary information that could be stolen or publicly disclosed.

This vulnerability is challenging to exploit due to its remote race condition nature, requiring multiple attempts for a successful attack. This can cause memory corruption and necessitate overcoming Address Space Layout Randomization (ASLR). Advancements in deep learning may significantly increase the exploitation rate, potentially providing attackers with a substantial advantage in leveraging such security flaws.

Source: qualys, gadgets360