A previously patched vulnerability in the OpenSSH server could lead to a complete network takeover if not addressed.
Researchers at Qualys Threat Research Unit (TRU) have discovered a not-so-new vulnerability in the OpenSSH server that could compromise the entire system.
The vulnerability, called regreSSHion but more formally CVE-2024-6387, has been seen (and patched) before.
CVE-2006-5051 was first reported in 2006 and was patched in later versions of OpenSSH, but appears to have been reintroduced into the code in version 8.5p1, released in October 2020. This is known as a regression.
“A regression in this context means that a bug, once fixed, has reappeared in a subsequent software release, usually due to changes or updates that inadvertently reintroduce the problem,” TRU researchers said in a blog post.
The vulnerability is a signal handler race condition in the OpenSSH server, and while the TRU acknowledges that this makes it difficult to exploit, successful exploitation could have dire consequences.
“This vulnerability, if exploited, could compromise the entire system, where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installing malware, manipulating data, and creating backdoors for persistent access,” TRU said.
“It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization.”
Gaining root access would also allow a threat actor to bypass security measures, possibly leading to “major data breaches and leaks.”
CVE-2024-6387 is present in several versions of OpenSSH:
- OpenSSH versions earlier than 4.4p1, unless patched for CVE-2006-5051 and CVE-2008-4109.
- Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable.
- The vulnerability reappears in versions from 8.5p1 up to, but not including, 9.8p1.
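The version ranges above are the basis of most first-pass triage, so here is an added example (not code from Qualys or the OpenSSH project) that parses an SSH identification banner and classifies it against those ranges. The banner strings are constructed samples; the regular expression, range table and function names are this example's own assumptions. Note the caveat built into the labels: distributions often backport the fix without bumping the upstream version, so a banner in the vulnerable range means "confirm against the vendor advisory", not "confirmed vulnerable".

```python
import re

# Version ranges as listed in the article, as (inclusive lower, exclusive upper)
# tuples of (major, minor, portable-patch). Assumed layout for this example.
VULNERABLE_RANGES = [
    ((0, 0, 0), (4, 4, 1)),  # before 4.4p1 (unless CVE-2006-5051 / CVE-2008-4109 were backported)
    ((8, 5, 1), (9, 8, 1)),  # 8.5p1 up to, but not including, 9.8p1
]

# Matches the upstream version inside a banner such as "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13".
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_banner(banner):
    """Return (major, minor, portable) from an SSH identification string, or None if not OpenSSH."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    # Banners without a 'p' suffix carry no portable-patch number; treat it as 0.
    return (int(major), int(minor), int(portable) if portable else 0)


def is_version_in_vulnerable_range(version):
    """True when the parsed version falls inside any range from the article."""
    return any(lo <= version < hi for lo, hi in VULNERABLE_RANGES)


def assess_banner(banner):
    """Classify a banner by upstream version number only.

    'vulnerable-version' means the upstream version is in a listed range and the host
    must be checked against its distribution's advisory (backported fixes keep the
    same banner); it is not proof of vulnerability.
    """
    version = parse_banner(banner)
    if version is None:
        return "unknown"
    return "vulnerable-version" if is_version_in_vulnerable_range(version) else "not-vulnerable-version"


# Constructed sample banners (not real hosts).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_4.3",
    "SSH-2.0-dropbear_2022.83",
]


def triage(banners):
    """Map each banner to its classification; the basis for an inventory report."""
    return {banner: assess_banner(banner) for banner in banners}


if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{verdict:24} {banner}")
```

Run this over an exported banner inventory (for example the raw `SSH-2.0-...` strings a scanner records) and treat every `vulnerable-version` entry as a work item to verify against the vendor's patch list rather than as a finding in itself.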
According to Shodan and Censys analyses, there are potentially more than 14 million vulnerable OpenSSH server instances with Internet access. Qualys internal data suggests that 700,000 of its customers are vulnerable – 31 per cent of its total number of customers.
The TRU recommends patching immediately and prioritizing updates, limiting SSH access through network controls, and deploying network segmentation and intrusion detection.
Speaking about the difficulty of actually exploiting the vulnerability, Tomer Schwartz, co-founder and chief technology officer of cybersecurity startup Dazz, said it was a really complicated proposition.
“The main thing we are seeing with this race condition vulnerability is that, although a proof-of-concept exploit already exists, exploitation is mostly possible in a ‘lab environment’. It is a statistical exploit in nature: it takes a number of attempts to gain the race condition and successfully execute arbitrary code, and there are quite a few obstacles that attackers must overcome,” Schwartz said.
“The most well-known exploit takes more than four hours to execute, even in the best of cases. Organizations are advised to try to limit access to SSH servers and monitor suspicious activity on the network.”
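Because the exploit is statistical and needs many attempts per target, the server side sees an unusual volume of connections that open and then die without authenticating. This added example (not code from Dazz, Qualys or OpenSSH) counts the sshd "Timeout before authentication" log message per source address and flags addresses above a threshold; the log lines are constructed samples, the message format is assumed to match what sshd writes via syslog, and the threshold and function names are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real hosts or traffic).
SAMPLE_LOG_LINES = [
    "Jul  3 10:01:02 host sshd[1201]: Timeout before authentication for 203.0.113.7 port 50122",
    "Jul  3 10:01:03 host sshd[1202]: Timeout before authentication for 203.0.113.7 port 50123",
    "Jul  3 10:01:04 host sshd[1203]: Timeout before authentication for 203.0.113.7 port 50124",
    "Jul  3 10:01:05 host sshd[1204]: Timeout before authentication for 203.0.113.7 port 50125",
    "Jul  3 10:01:06 host sshd[1205]: Timeout before authentication for 203.0.113.7 port 50126",
    "Jul  3 10:01:07 host sshd[1206]: Timeout before authentication for 203.0.113.7 port 50127",
    "Jul  3 10:01:40 host sshd[1208]: Timeout before authentication for 192.0.2.9 port 41100",
    "Jul  3 10:02:10 host sshd[1210]: Accepted publickey for alice from 198.51.100.4 port 40021 ssh2",
]

# Assumed message shape: sshd logs this when LoginGraceTime expires before authentication completes.
TIMEOUT_RE = re.compile(
    r"sshd\[\d+\]: Timeout before authentication for (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_auth_timeouts(lines):
    """Return a Counter of pre-authentication timeouts keyed by source IPv4 address."""
    counts = Counter()
    for line in lines:
        m = TIMEOUT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def flag_sources(lines, threshold=5):
    """Return source addresses whose timeout count meets the threshold, sorted for stable output.

    A single timeout is routine (scanners, dropped connections); a sustained burst from one
    address is the signal worth raising to an analyst.
    """
    counts = count_auth_timeouts(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in count_auth_timeouts(SAMPLE_LOG_LINES).most_common():
        print(f"{ip:16} {n} pre-auth timeouts")
    print("flagged:", flag_sources(SAMPLE_LOG_LINES))
```

In production this belongs inside a sliding time window (timeouts per address per ten minutes, say) rather than a lifetime count, and a hit should be correlated with the version triage of the targeted host: a burst against an already patched server is noise, a burst against a host in the vulnerable range is a priority.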
UPDATED 03/07/24 to add comments from Dazz.