A newly discovered vulnerability in OpenSSH, called “regreSSHion,” allows unauthorized access to Linux systems and gives attackers root privileges. OpenSSH is a widely used suite of tools for secure remote login, server management, and file transfer.
What is regreSSHion?
Discovered by Qualys researchers in May 2024 and identified as CVE-2024-6387, this vulnerability stems from a flaw in the signal handler of sshd (the Secure Shell daemon). When triggered, it lets remote attackers execute code on the server as root without logging in first. The flaw is reached when a client fails to authenticate within the configured grace period (LoginGraceTime, 120 seconds by default): the server’s signal handler then runs functions that are not safe to call from a signal handler.
Potential Impact
If exploited, regreSSHion can allow attackers to take over the entire system, leading to severe security breaches. However, Qualys notes that exploiting this flaw is difficult and requires many attempts before the memory is corrupted in a usable way. Advanced AI tools might help attackers increase their success rate.
Mitigation Strategies
The regreSSHion vulnerability affects OpenSSH versions from 8.5p1 to just before 9.8p1. Older versions, from 4.4p1 to before 8.5p1, are protected by an earlier patch. Systems running versions older than 4.4p1 are at risk unless they’ve been patched for older vulnerabilities (CVE-2006-5051 and CVE-2008-4109).
OpenBSD systems remain unaffected, thanks to a security mechanism implemented in 2001. macOS and Windows might also be vulnerable, but this has not been confirmed.
Recommended Actions
To protect against the regreSSHion vulnerability, consider the following steps:
- Update OpenSSH: Install the latest version (9.8p1) that addresses the vulnerability.
- Network Controls: Use firewalls and network segmentation to limit SSH access and prevent lateral movement within your network.
- Adjust Settings: If you can’t update immediately, set ‘LoginGraceTime’ to 0 in the sshd configuration file. Note that this makes your server vulnerable to denial-of-service attacks, since sshd will no longer time out connections that never authenticate.
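The version ranges and the LoginGraceTime workaround described above (and repeated in the FAQ below) lend themselves to a quick local triage check. The following Python is an added example written for this article, not code from Qualys or the OpenSSH project; it assumes a version string as printed by `ssh -V` (or a server banner) and the text of `sshd_config`, and compares upstream version numbers only.

```python
import re
# Ranges per the advisory summary. Assumption: only upstream major.minor and "pN" are
# compared; a distro suffix like "Debian-2+deb12u3" is ignored, so backports go undetected.
AFFECTED_FROM = (8, 5, 1)   # 8.5p1 inclusive
FIXED_IN = (9, 8, 1)        # 9.8p1 contains the fix
OLD_FIX_FROM = (4, 4, 1)    # 4.4p1 .. 8.5p1 covered by the earlier CVE-2006-5051 patch
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
# Constructed sample input: an 'ssh -V' line and a minimal sshd_config.
SAMPLE_VERSION = "OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.11 19 Sep 2023"
SAMPLE_CONFIG = "# LoginGraceTime 30\nPort 22\nLoginGraceTime 0\n"

def parse_openssh_version(text):
    """(major, minor, portable) from an 'ssh -V' line or server banner, else None."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable) if portable else 0)

def classify_version(version):
    """Map a parsed version onto the ranges the advisory describes."""
    if version >= FIXED_IN:
        return "fixed"
    if version >= AFFECTED_FROM:
        return "vulnerable"                  # 8.5p1 <= v < 9.8p1: regreSSHion
    if version >= OLD_FIX_FROM:
        return "protected-by-earlier-patch"  # 4.4p1 <= v < 8.5p1
    return "legacy-check-old-cves"           # < 4.4p1: verify CVE-2006-5051/CVE-2008-4109

def login_grace_time(sshd_config_text):
    """LoginGraceTime in seconds (default 120); first match wins, as in sshd; plain integer assumed."""
    for line in sshd_config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, _, value = stripped.partition(" ")
        if key.lower() == "logingracetime":
            return int(value.strip())
    return 120

def triage(version_text, sshd_config_text):
    """Version check combined with the interim 'LoginGraceTime 0' mitigation."""
    version = parse_openssh_version(version_text)
    if version is None:
        return "unknown"
    status = classify_version(version)
    if status == "vulnerable" and login_grace_time(sshd_config_text) == 0:
        return "vulnerable-mitigated"        # RCE path closed; DoS exposure remains
    return status
```

A version-only check cannot see distribution backports, so confirm against your distribution’s package changelog before treating a host as vulnerable.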
Searches of Shodan and Censys show over 14 million internet-exposed OpenSSH servers. Based on its own data, Qualys confirmed that about 700,000 of these are vulnerable.
By keeping your systems updated and implementing strong network controls, you can significantly reduce the risk posed by the regreSSHion vulnerability. Stay vigilant and proactive to protect your valuable data and infrastructure.
Frequently Asked Questions (FAQs)
Q: What is the regreSSHion vulnerability?
A: The regreSSHion vulnerability affects OpenSSH versions from 8.5p1 to just before 9.8p1, posing a risk of unauthorized access or other security breaches. It involves exploiting weaknesses in how memory is handled during SSH sessions.
Q: Which systems are at risk?
A: Systems running OpenSSH versions from 8.5p1 up to, but not including, 9.8p1 are primarily at risk. Older versions are protected by previous patches, and systems running versions older than 4.4p1 should also be patched for known vulnerabilities such as CVE-2006-5051 and CVE-2008-4109. macOS and Windows may also be vulnerable, although this has not been confirmed.
Q: Are OpenBSD systems affected?
A: OpenBSD systems are not affected, thanks to a security mechanism added in 2001 that mitigates the risk posed by the regreSSHion vulnerability.
Q: How can I protect my system?
A: To protect your system, you should:
- Update OpenSSH to the latest version (9.8p1), which addresses the vulnerability.
- Implement network controls such as firewalls and network segmentation to limit SSH access.
- If you cannot update immediately, set ‘LoginGraceTime’ to 0 in the sshd configuration file; note that this comes with a risk of denial-of-service attacks.
Q: How many exposed servers are affected?
A: Tools like Shodan and Censys can be used to identify internet-exposed OpenSSH servers. Qualys has confirmed that around 700,000 of the more than 14 million OpenSSH servers detected by these tools are vulnerable.