'RegreSSHion' Bug Threatens Takeover of Millions of Linux Systems

The high-severity CVE-2024-6387 in OpenSSH is a reintroduction of a 2006 flaw, and it allows unauthenticated RCE as root.

An unauthenticated remote code execution (RCE) vulnerability in the OpenSSH secure communications suite opens millions of Linux-based systems to takeover as root.

Dubbed "RegreSSHion" by the researchers at the Qualys Threat Research Unit (TRU) who discovered it, the bug (CVSS score of 8.1) is more specifically a signal handler race condition in OpenSSH’s server (sshd). It affects glibc-based Linux systems running sshd in its default configuration; it may also exist in Mac and Windows environments, though exploitability on those platforms hasn't been proven yet.

"This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access," according to a TRU posting on July 1.

Moreover, "it could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization [and] gaining root access would enable attackers to bypass critical security mechanisms such as firewalls, intrusion detection systems, and logging mechanisms, further obscuring their activities."

According to the Qualys researchers behind the discovery, there are more than 14 million potentially vulnerable OpenSSH server instances exposed to the Internet.

CVE-2024-6387 Showcases the Need for Regression Testing

The bug gets its "RegreSSHion" moniker from the fact that it's actually a reappearance of a flaw that was fixed in 2006 (CVE-2006-5051), likely reintroduced via untested updates or the use of older code. That means different patching schemes are available for different versions.

"In this case, the OpenSSH team accidentally reintroduced a flaw that they had already fixed, demonstrating that every team needs fully automated test suites that run with every build and help prevent regressions ... particularly for security fixes," says Jeff Williams, co-founder and CTO at Contrast Security.

The vulnerability is challenging to exploit, according to researchers, but it is also not easy to fully remediate, demanding a focused and layered security approach.

"Unlike Log4Shell attacks, which could be completely contained in a single unauthenticated HTTP request, this attack is a bit noisy and takes approximately 10,000 attempts on average to succeed," Williams explains. "I'm optimistic that this will enable providers to detect and prevent these attacks before they are successful."

Yet at the same time, "this fix is part of a major update, making it challenging to backport," according to the TRU researchers. "Consequently, users will have two update options: upgrading to the latest version released on Monday, July 1st (9.8p1) or applying a fix to older versions as outlined in the advisory."

As for various Linux distros and vendor implementations, patches are expected "shortly," according to TRU. Meanwhile, admins can limit SSH access through network-based controls to minimize attack exposure; employ network segmentation to prevent damage in the event of a compromise; check logs for TRU's indicators of compromise (IoCs); and roll out comprehensive intrusion detection capabilities.
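The log check mentioned above, sketched as an added example that is not code from the article, Qualys, or OpenSSH: because the attack is noisy, it counts sshd's pre-authentication timeout messages per source address in a sliding window. The message text "Timeout before authentication", the ISO 8601 timestamp layout, the one-hour window, the threshold of 20, and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Message sshd writes when LoginGraceTime expires before authentication
# (assumed log format; not quoted in the article).
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?:fatal: )?"
    r"Timeout before authentication for (?P<src>\S+) port \d+"
)

def find_timeout_bursts(lines, window=timedelta(hours=1), threshold=20):
    """Return {source: peak count} for sources whose pre-auth timeouts
    reach `threshold` within any sliding `window` (log in time order)."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue              # skip lines whose timestamp is not ISO 8601
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop events older than the window
        if len(q) >= threshold:
            peaks[m["src"]] = max(peaks.get(m["src"], 0), len(q))
    return peaks

def sample_log():
    """Constructed log: one noisy source, one benign source."""
    base = datetime.fromisoformat("2024-07-02T10:00:00+00:00")
    fmt = "{} host sshd[{}]: fatal: Timeout before authentication for {} port {}"
    lines = [fmt.format((base + timedelta(seconds=30 * i)).isoformat(),
                        1000 + i, "203.0.113.7", 40000 + i) for i in range(60)]
    lines.append(fmt.format((base + timedelta(minutes=5)).isoformat(),
                            2000, "198.51.100.9", 51000))
    lines.append(base.isoformat() + " host sshd[2001]: Accepted publickey "
                 "for ops from 198.51.100.9 port 51001 ssh2")
    return lines

if __name__ == "__main__":
    for src, n in find_timeout_bursts(sample_log()).items():
        print(f"{src}: {n} pre-auth timeouts within one hour")
```

Keying the same counter on the receiving host rather than the source address covers attempts spread across many addresses.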

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading
