A previously patched vulnerability in OpenSSH’s server could lead to a complete network takeover if not addressed.
Researchers at the Qualys Threat Research Unit (TRU) have uncovered a not-so-new vulnerability in OpenSSH’s server that could lead to a full system compromise.
Dubbed regreSSHion but more formally CVE-2024-6387, the vulnerability has been seen – and patched – before.
CVE-2006-5051 was first reported in 2006 and was patched in subsequent versions of OpenSSH, but the flaw appears to have been reintroduced into the code in version 8.5p1, released in October 2020. This is known as a regression.
“A regression in this context means that a flaw, once fixed, has reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue,” the TRU’s researchers said in a blog post.
The vulnerability is a signal handler race condition in OpenSSH’s server, and while the TRU admits that makes it difficult to exploit, successful exploitation could have dire consequences.
“This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access,” the TRU said.
“It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organisation.”
Gaining root access would also allow a threat actor to bypass security measures, possibly leading to “significant data breaches and leakage”.
CVE-2024-6387 is present in several versions of OpenSSH:
According to scans on Shodan and Censys, there are potentially more than 14 million vulnerable, internet-facing OpenSSH server instances. Qualys’ internal data suggests 700,000 of its customers are vulnerable – 31 per cent of its entire customer count.
The TRU suggests patching immediately and prioritising updates, limiting SSH access via network controls, and initiating network segmentation and intrusion detection.
Speaking to the difficulty of actually exploiting the vulnerability, Tomer Schwartz, Co-Founder and CTO of cyber security start-up Dazz, said that it was a tricky proposition indeed.
"The main thing we're witnessing with this race-condition vulnerability is that, although there is already a Proof-of-Concept exploit for it, exploitation is mostly possible in a 'lab setting'. It is a statistical exploit by nature: it takes a significant number of attempts to win the race condition and successfully execute arbitrary code, and there are quite a few obstacles that attackers need to overcome," Schwartz said.
"The best-known exploit takes over four hours to run, even in the best-case scenario. Organisations are recommended to try and limit access to SSH servers and monitor for suspicious network activity."
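The statistical nature of the exploit described above, many connection attempts that each run into sshd's login grace timeout, is something a defender can watch for in the server's own logs. The following Python snippet is an added example, not code from the article, Qualys or the OpenSSH project: it counts per-source grace-timeout events in sshd log lines over a sliding window and flags any source that exceeds a threshold. The exact log line shape, the window and the threshold are assumptions to adjust for the local sshd version and environment, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log line shape: syslog prefix followed by sshd's grace-timeout
# message. Check the wording against your own sshd version before relying
# on it. Hostnames and addresses below are constructed for the example.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"fatal: Timeout before authentication for (?P<src>\S+) port \d+"
)

def parse_timeouts(lines, year=2024):
    """Yield (timestamp, source_ip) for every grace-timeout line."""
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"]

def flag_sources(lines, window_s=600, threshold=20):
    """Return {source_ip: peak_count} for sources that produced more than
    `threshold` grace timeouts inside any `window_s`-second window.
    A single timeout is normal noise; a sustained burst from one source is
    the pattern the race-condition exploit needs, so that is what we alert on."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, src in parse_timeouts(lines):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop old events
            q.popleft()
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks

# Constructed sample: one noisy source (203.0.113.7), one stray timeout and
# one successful login that the regex must ignore.
SAMPLE = [
    f"Jul  1 02:{i // 60:02d}:{i % 60:02d} bastion sshd[{4000 + i}]: "
    f"fatal: Timeout before authentication for 203.0.113.7 port {50000 + i}"
    for i in range(25)
] + [
    "Jul  1 02:05:00 bastion sshd[5100]: fatal: Timeout before authentication "
    "for 198.51.100.9 port 41022",
    "Jul  1 02:05:01 bastion sshd[5101]: Accepted publickey for alice "
    "from 198.51.100.9 port 41023 ssh2",
]

if __name__ == "__main__":
    print(flag_sources(SAMPLE))  # {'203.0.113.7': 25}
```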
UPDATED 03/07/24 to add Dazz commentary.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.