'RegreSSHion' Bug Threatens Takeover of Millions of Linux Systems

The high-severity CVE-2024-6387 in OpenSSH is a reintroduction of a 2006 flaw, and it allows unauthenticated RCE as root.

Boxes of bandages in a shopping aisle
Source: Kristoffer Tripplaar via Alamy Stock Photo

An unauthenticated remote code execution (RCE) vulnerability in the OpenSSH secure communications suite opens millions of Linux-based systems to takeover as root.

Dubbed "RegreSSHion" by researchers who discovered it at the Qualys Threat Research Unit (TRU), the bug (a 8.1 CVSS score) is more specifically a signal handler race condition in OpenSSH’s server (sshd). It affects glibc-based Linux systems running sshd in its default configuration; it may also exist in Mac and Windows environments (though exploitability for those hasn't been proven yet).

"This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access," read to a TRU posting on July 1.

Moreover, "it could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization [and] gaining root access would enable attackers to bypass critical security mechanisms such as firewalls, intrusion detection systems, and logging mechanisms, further obscuring their activities."

According to the Qualys researchers behind the discovery, there are more than 14 million potentially vulnerable OpenSSH server instances exposed to the Internet.

CVE-2024-6387 Showcases the Need for Regression Testing

The bug gets its "RegreSSHion" moniker from the fact that it's actually a reappearance of a flaw that was fixed in 2006 (CVE-2006-5051), likely reintroduced via untested updates or older code use. That means different patching schemes are available for different versions.

"In this case, the OpenSSH team accidentally reintroduced a flaw that they had already fixed, demonstrating that every team needs fully automated test suites that run with every build and help prevent regressions ... particularly for security fixes," says Jeff Williams, co-founder and CTO at Contrast Security.

The vulnerability is challenging to exploit, according to researchers, but also is not easy to fully remediate, demanding a focused and layered security approach.

"Unlike Log4Shell attacks, which could be completely contained in a single unauthenticated HTTP request, this attack is a bit noisy and takes approximately 10,000 attempts on average to succeed," Williams explains. "I'm optimistic that this will enable providers to detect and prevent these attacks before they are successful."

Yet at the same time, "this fix is part of a major update, making it challenging to backport," according to the TRU researchers. "Consequently, users will have two update options: upgrading to the latest version released on Monday, July 1st (9.8p1) or applying a fix to older versions as outlined in the advisory."

As for various Linux distros and vendor implementations, patches are expected "shortly," according to TRU. Meanwhile, admins can limit SSH access through network-based controls to minimize attack exposure; employ network segmentation to prevent damage in the event of a compromise; check logs for TRU's indicators of compromise (IoCs); and roll out comprehensive intrusion detection capabilities.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two ransomware negotiators about how they interact with cybercriminals; including how they brokered a deal to restore operations in a hospital NICU where lives were at stake; and how they helped a church, where the attackers themselves "got a little religion." Listen now!

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights