Glibc-based Linux systems are vulnerable to a new bug (CVE-2024-6387) in the OpenSSH server (sshd) and should be upgraded to the latest version.
Infosec researchers at Qualys today published their findings, showing that SSD is vulnerable to a race condition, which could allow an unauthenticated attacker to perform remote code execution (RCE) on potentially hundreds of thousands of targets.
Of the 14 million potentially vulnerable SSD instances showing up on Censys and Shodan scans, Qualys believes about 700,000 of these Internet-facing instances could potentially be affected by regreSSHion, the name researchers gave to the flaw based on its origins.
“Through our security analysis, we determined that this vulnerability is a regression of the previously patched vulnerability CVE-2006-5051, which was reported in 2006,” Qualys said. “A regression in this context means that a flaw, after being fixed, has reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue.
“This incident highlights the critical role of thorough regression testing to prevent the reintroduction of known vulnerabilities into the environment. This regression was introduced in October 2020 (OpenSSH 8.5p1).”
Damien Miller, founder of the portable OpenSSH project and maintainer since 1999, said in an online discussion that anything running glibc is likely vulnerable. Systems with 32-bit architectures are proven to be vulnerable, but 64-bit ones are likely exposed as well.
The notable exception to this is OpenBSD. Systems running the OS can safely ignore all this thanks to a 2001 security tweak.
According to Qualys’ more detailed advice, the server’s SIGALRM handler is called asynchronously if a client does not authenticate within the LoginGraceTime. LoginGraceTime is a parameter that sets the maximum time for a successful authentication attempt on sshd, defaulted to 120 seconds.
This signal handler can then call functions that are not async signal-safe, such as syslog() – a problem that attackers can exploit to execute arbitrary code and all kinds of other nasty things. Possibilities include full system takeover, deploying malware, implanting backdoors and executing code at the root, which could then lead to bypassing security measures such as firewalls and logging systems.
A quick side note: that “security tweak” in OpenBSD we mentioned is related to the syslog() call. As of 2001, OpenBSD’s SIGALRM handler calls syslog_r() instead – a more secure version of syslog() and as such not affected by regreSSHion.
While the consequences of a successful exploit can be severe, actually doing it will require some patience. According to OpenSSH and the release notes for version 9.8, which includes the fix for CVE-2024-6387, it took between six and eight hours to defeat the race condition under lab conditions.
Qualys’ tests were a little faster: they lasted about three to four hours and took about 10,000 attempts to beat it. However, it took six to eight hours to obtain a root shell, because the researchers were only able to predict glibc’s address half the time thanks to ASLR.
“This vulnerability is difficult to exploit due to its remote race condition nature, which requires multiple attempts for a successful attack,” the report said. “This can cause memory corruption and necessitate overcoming Address Space Layout Randomization (ASLR). Advances in deep learning can significantly increase the exploitation rate, potentially giving attackers a substantial advantage in exploiting such vulnerabilities.”
All versions of OpenSSH prior to 4.4p1 are vulnerable unless they have patches applied to both CVE-2006-5051 and CVE-2008-4109. Versions from 8.5p1 through but not including 9.8p1 are also vulnerable. Versions 4.4p1 through but not including 8.5p1 are not affected because CVE-2006-5051 is patched by default.
In addition to applying the patches, Qualys advised organizations to restrict SSH access through network-based controls, and segment networks along with monitoring systems that alert administrators to exploit attempts.
Despite the regreSSHion bug, Qualys had nothing but positive things to say about the OpenSSH project, saying the discovery is “a glitch in an otherwise nearly flawless implementation.”
“The deep design and code are a model and an inspiration, and we thank the developers of OpenSSH for their exemplary work,” it added.
Ubuntu has updated versions here, and NixOS has also been busy in recent hours – users can go here. ®