July 1, 2024 at 09:39AM
A new OpenSSH vulnerability, known as “regreSSHion,” allows unauthenticated remote attackers to gain root privileges on glibc-based Linux systems. If exploited, it could lead to severe consequences such as system takeover and data manipulation. The vulnerability affects OpenSSH servers on Linux from version 8.5p1 up to version 9.8p1 and can be mitigated by applying the latest available update or using network-based controls. Impacted systems include over 14 million internet-exposed OpenSSH servers.
The meeting notes provide information about a new OpenSSH unauthenticated remote code execution (RCE) vulnerability called “regreSSHion” that gives root privileges on glibc-based Linux systems. The vulnerability, identified as CVE-2024-6387, allows unauthenticated remote attackers to execute arbitrary code as root. It is noted that although the vulnerability is severe, it is difficult to exploit and may require multiple attempts to achieve the necessary memory corruption.
To address or mitigate the regreSSHion vulnerability in OpenSSH, the following actions are recommended:
1. Apply the latest available update for the OpenSSH server (version 9.8p1), which fixes the vulnerability.
2. Restrict SSH access using network-based controls such as firewalls and implement network segmentation to prevent lateral movement.
3. If the OpenSSH server cannot be updated immediately, set the ‘LoginGraceTime’ to 0 in the sshd configuration file, but note that this can expose the server to denial-of-service attacks.
It is also noted that OpenBSD systems are not impacted by this flaw, and while the vulnerability may exist on macOS and Windows, its exploitability on these systems hasn’t been confirmed. Additionally, scans from Shodan and Censys reveal over 14 million internet-exposed OpenSSH servers, with Qualys confirming a vulnerable status for 700,000 instances based on its CSAM 3.0 data.