Critical OpenSSH vulnerability could affect millions of servers
Exploitation against CVE-2024-6387, which Qualys nicknamed 'regreSSHion,' could let attackers bypass security measures and gain root access to vulnerable servers.
Qualys disclosed a critical OpenSSH vulnerability and warned that more than 14 million potentially vulnerable server instances are exposed to the internet.
In a blog post on Monday, Bharat Jogi, senior director of Qualys' Threat Research Unit, detailed an unauthenticated remote code execution vulnerability, tracked as CVE-2024-6387, discovered in OpenSSH's server on glibc-based Linux systems. Qualys determined that CVE-2024-6387 is a regression of a previously patched vulnerability, tracked as CVE-2006-5051, and could allow an unauthenticated attacker to execute remote code with root privilege.
OpenSSH tools are widely used to encrypt and secure remote access and file transfer; file transfer services in particular have emerged as a popular target for attackers in recent years. Qualys described OpenSSH as a "critical tool for secure communication."
However, the broad use of OpenSSH now poses significant concerns. Qualys conducted Censys and Shodan searches that found more than 14 million internet-exposed OpenSSH servers that are potentially vulnerable to CVE-2024-6387, which the vendor nicknamed "regreSSHion."
"Anonymized data from Qualys CSAM 3.0 with External Attack Surface Management data reveals that approximately 700,000 external internet-facing instances are vulnerable. This accounts for 31% of all internet-facing instances with OpenSSH in our global customer base," Jogi wrote in the blog post.
Jogi added that slightly more than 0.14% of vulnerable instances are running an OpenSSH version that has reached end of life. He also warned enterprises that CVE-2024-6387 affects OpenSSH versions earlier than 4.4p1 unless they have been patched for CVE-2006-5051 and CVE-2008-4109, and, because of the regression, versions from 8.5p1 up to but not including 9.8p1; versions from 4.4p1 through 8.4p1 are not affected.
Patching is crucial because Qualys found that successful exploitation could lead to full system compromise, letting an attacker install malware, manipulate data and create backdoors to maintain persistent access to a victim environment.
"Moreover, gaining root access would enable attackers to bypass critical security mechanisms such as firewalls, intrusion detection systems, and logging mechanisms, further obscuring their activities. This could also result in significant data breaches and leakage, giving attackers access to all data stored on the system, including sensitive or proprietary information that could be stolen or publicly disclosed," the blog post read.
On the bright side, Qualys found that the vulnerability is "challenging to exploit" and requires multiple attempts to deploy a successful attack. Additionally, Jogi applauded OpenSSH's "exceptionally strong" track record in software security, despite regreSSHion.
Regression testing
Qualys stressed that this flaw shows the problems that can arise when regression testing is not performed properly. CVE-2024-6387 is a regression of CVE-2006-5051, which Jogi said typically indicates that changes or updates made in subsequent software releases inadvertently reintroduced a previously patched vulnerability.
"This incident highlights the crucial role of thorough regression testing to prevent the reintroduction of known vulnerabilities into the environment. This regression was introduced in October 2020 (OpenSSH 8.5p1)," the blog post read.
Jogi said it is likely that the vulnerability also exists on macOS and Windows systems, though exploitation there has not been demonstrated. Enterprises can look for exploitation attempts by checking their sshd logs for multiple "Timeout before authentication" lines, since the attack relies on repeatedly letting the login grace period expire; a single such line from an internet scanner is routine, but many from one source are not.
Additionally, Qualys "urgently" advised enterprises to patch. Though the fix is part of a major update to OpenSSH, users can upgrade to the latest version released on Monday, which is 9.8p1, or apply a fix to older versions.
OpenSSH's release notes emphasized that the fixed version addressed the race condition in OpenSSH's server (sshd). The open source project labeled the flaw as critical, though no CVSS score has been assigned as of yet.
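The two checks above, the log search for repeated "Timeout before authentication" events and the affected-version ranges (earlier than 4.4p1, and 8.5p1 up to but not including 9.8p1), as an added Python example. This is illustrative code written for this page, not Qualys' or the OpenSSH project's tooling. It assumes the default syslog line format that rsyslog and similar loggers produce for sshd, the sample log lines are constructed, and the threshold and window values are hypothetical; tune them to your own baseline. The banner check only says whether the advertised version falls inside the ranges named in the advisory. Distributions backport the fix without bumping the version string, so a hit means "check the package changelog", not "exploitable".

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd syslog lines (not real telemetry): five timeouts from
# one source within a few minutes, one isolated timeout, and two unrelated events.
SAMPLE_LOG = """\
Jul  1 03:14:01 bastion sshd[4101]: Accepted publickey for deploy from 198.51.100.7 port 50212 ssh2
Jul  1 03:14:05 bastion sshd[4110]: Timeout before authentication for 203.0.113.9 port 41022
Jul  1 03:14:09 bastion sshd[4112]: Timeout before authentication for 203.0.113.9 port 41024
Jul  1 03:14:13 bastion sshd[4115]: Timeout before authentication for 203.0.113.9 port 41026
Jul  1 03:14:17 bastion sshd[4118]: Timeout before authentication for 203.0.113.9 port 41028
Jul  1 03:14:21 bastion sshd[4120]: Timeout before authentication for 203.0.113.9 port 41030
Jul  1 03:20:44 bastion sshd[4202]: Timeout before authentication for 198.51.100.40 port 60311
Jul  1 03:21:02 bastion sshd[4207]: Failed password for invalid user admin from 192.0.2.77 port 33110 ssh2
"""

# The message sshd logs when LoginGraceTime expires before authentication completes,
# in the default "Mon dd HH:MM:SS host sshd[pid]: ..." syslog layout (assumed here).
TIMEOUT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Timeout before authentication for (?P<ip>\S+) port \d+"
)


def flag_timeout_bursts(lines, threshold=3, window_seconds=600, year=2024):
    """Return {source_ip: total_timeouts} for every source that produced at least
    `threshold` grace-time timeouts inside any span of `window_seconds`.
    Syslog timestamps carry no year, so one is supplied (hypothetical default)."""
    by_ip = defaultdict(list)
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        by_ip[m["ip"]].append(ts)

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        # Sliding window: compare each event with the (threshold-1)th event after it.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(times)
                break
    return flagged


# Portable OpenSSH advertises e.g. "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13".
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def banner_in_affected_range(banner):
    """True if the advertised version is in a range the advisory lists as affected
    (earlier than 4.4p1, or 8.5p1 <= v < 9.8p1), False if it is not, None if the
    banner is not a portable OpenSSH build (no "pN" suffix, e.g. OpenBSD's own
    sshd, which is outside the glibc-based Linux scope of the advisory).
    Versions earlier than 4.4p1 count as affected only if not already patched for
    CVE-2006-5051 and CVE-2008-4109; a banner cannot tell you that."""
    m = BANNER_RE.search(banner)
    if not m or m.group(3) is None:
        return None
    v = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return v < (4, 4, 1) or (8, 5, 1) <= v < (9, 8, 1)


if __name__ == "__main__":
    print(flag_timeout_bursts(SAMPLE_LOG.splitlines()))
    for b in ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13", "SSH-2.0-OpenSSH_9.8p1"):
        print(b, "->", banner_in_affected_range(b))
```

On the sample input the burst detector flags only 203.0.113.9 (five timeouts in sixteen seconds) and ignores the single timeout from 198.51.100.40. In practice an attempt against a server with the default 120-second grace period is spread over hours, so widen the window and raise the threshold to match your own traffic rather than copying the values here.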
While OpenSSH highlighted Qualys' successful exploitation on 32-bit Linux/glibc systems and credited the vendor with the discovery, it noted that other architectures and platforms may be susceptible as well.
"Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon," OpenSSH wrote in the release notes. "Exploitation on non-glibc systems is conceivable but has not been examined."
Jake Williams, an infosec professional and faculty member at IANS Research, noted in a post on X, formerly Twitter, that exploitation has only been proven against x86 versions and not x64 servers. "That's important because finding the right address to return to in x64 is exponentially harder in x64 than x86," Williams wrote on X.
Saeed Abbasi, product manager and vulnerability researcher at Qualys Threat Research Unit, told TechTarget Editorial that the company has not yet determined if x64 systems are vulnerable to CVE-2024-6387.
"We have initiated efforts on developing an amd64 exploit, acknowledging the increased complexity due to the enhanced ASLR. Shortly after commencing our amd64 project, we identified a critical bug report in OpenSSH's public Bugzilla, highlighting a deadlock issue in sshd's SIGALRM handler," Abbasi said in an email. "Given the potential severity, we prioritized reaching out to OpenSSH's development team immediately, informing them that this deadlock stems from an exploitable vulnerability. Consequently, we have temporarily suspended our amd64 efforts to focus on crafting this advisory."
Abbasi added that while Qualys does not have visibility into current patching rates, most distributions with OpenSSH are in the process of releasing the patch. "Once they do, we will be able to provide a more comprehensive update regarding the patch deployment rate," he said.
According to Tenable Research, OpenSSH is deployed in over 67% of organizations' environments. "Based on Tenable's telemetry data, OpenSSH is among the 10 most popular products in use, demonstrating a potential for a large attack surface. However, it's important to note that exploitation is difficult and requires winning a race condition," Tenable said in a statement provided to TechTarget Editorial. "Despite the difficulty of exploitation, with widespread use of OpenSSH, immediate patching is recommended to ensure your organization is protected from this threat. If immediate patching is not possible, increased monitoring of SSH traffic for priority endpoints is recommended."
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.