Hashtag Technophile


Nearly, 700,000 OpenSSH servers are vulnerable to RCE? - An overview on regreSSHion


A new vulnerability named regreSSHion has been discovered in OpenSSH. It allows remote attackers to gain root-privilege access on affected servers. The recently found vulnerability has been assigned the ID CVE-2024-6387. It has the potential to compromise a full system: an attacker can execute arbitrary code with the highest privileges, resulting in complete system takeover.

Why is this vulnerability trending? OpenSSH is a popular implementation of the SSH (Secure Shell) protocol; it is integrated into most Linux distributions and is also available on Microsoft operating systems. I’m not exaggerating when I say that sshd runs on millions of devices, which makes the exploitation surface much larger. Researchers say over 700,000 OpenSSH servers are vulnerable to this. That is why this vulnerability has grabbed the attention of cybersecurity researchers and enthusiasts alike.

Qualys threat researchers also published the technical details of the vulnerability on Monday, 1st July 2024, stating that: “We discovered a vulnerability (a signal handler race condition) in OpenSSH’s server (sshd): if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd’s SIGALRM handler is called asynchronously, but this signal handler calls various functions that are not async-signal-safe (for example, syslog()). This race condition affects sshd in its default configuration. On investigation, we realized that this vulnerability is in fact a regression of CVE-2006-5051.”

Click here to view full technical details published by Qualys

Interesting fact: this bug was already fixed by the OpenSSH team in 2006 (see CVE-2006-5051). The new bug is a regression of that earlier fix, reintroduced by code changes made over the years. That is why the vulnerability was named regreSSHion.

This article is mainly meant to keep you informed about the cyber trends and attacks happening around the world, but I would like to add the mitigation suggested by the researchers: if updating immediately isn’t possible, administrators can temporarily reduce the login timeout to zero (set LoginGraceTime=0 in sshd_config). However, the developers caution that this change increases the risk of DDoS attacks targeting the SSH server.
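To make the mechanism in the Qualys description concrete, here is an added illustration in C (my own example, not code from OpenSSH or Qualys). It contrasts the unsafe shape, a SIGALRM handler that calls syslog() directly, with the safe shape, a handler that only sets a sig_atomic_t flag and leaves logging to the main loop. The wait_for_auth() function, the auth_step callback and the constructed callbacks are assumptions made for the demo, and the grace period is given in milliseconds rather than the seconds of LoginGraceTime so that it runs quickly. Passing a grace of 0 disarms the timer, which mirrors the LoginGraceTime=0 workaround above: the handler can never fire, but an unauthenticated client can then hold the connection indefinitely, which is the trade-off the developers warn about.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <string.h>
#include <syslog.h>
#include <time.h>
#include <unistd.h>
#include <sys/time.h>

/* Added illustration of the regreSSHion bug class; not sshd's own code.
 * sshd arms a timer for LoginGraceTime; when it fires, SIGALRM is delivered
 * and the handler runs asynchronously, interrupting whatever the main code
 * was doing at that instant. */

static volatile sig_atomic_t grace_expired = 0;

/* Unsafe shape (the pattern Qualys describes): the handler itself calls
 * syslog(), which is not async-signal-safe. If the signal lands while the
 * main code is already inside syslog() or the allocator, the handler
 * re-enters them with their internal state half-updated.
 * Shown for contrast only; it is never installed below. */
void unsafe_grace_alarm_handler(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication"); /* NOT async-signal-safe */
    _exit(255);
}

/* Safe shape: the handler only stores a sig_atomic_t flag, which is always
 * permitted in a signal handler. All real work happens later, in normal
 * (non-handler) context. */
static void safe_grace_alarm_handler(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* Arm a one-shot real-time timer; ms == 0 disarms it. */
static int set_grace_timer_ms(unsigned int ms)
{
    struct itimerval tv;
    memset(&tv, 0, sizeof tv);
    tv.it_value.tv_sec = ms / 1000;
    tv.it_value.tv_usec = (ms % 1000) * 1000;
    return setitimer(ITIMER_REAL, &tv, NULL);
}

/* Simulated pre-authentication loop. auth_step is a hypothetical callback
 * standing in for one round of the authentication exchange; it returns 1 once
 * the client has authenticated. grace_ms == 0 means "no timeout", like
 * LoginGraceTime=0. Returns 1 on success, 0 if the grace period expired,
 * -1 on error. */
int wait_for_auth(unsigned int grace_ms, int (*auth_step)(void))
{
    struct sigaction sa;
    struct timespec tick = { 0, 1000000L }; /* 1 ms between auth rounds */

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_grace_alarm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    if (sigaction(SIGALRM, &sa, NULL) != 0)
        return -1;

    grace_expired = 0;
    if (grace_ms != 0 && set_grace_timer_ms(grace_ms) != 0)
        return -1;

    while (!grace_expired) {
        if (auth_step()) {
            set_grace_timer_ms(0);     /* client authenticated in time: disarm */
            return 1;
        }
        nanosleep(&tick, NULL);        /* EINTR from the signal just re-checks */
    }

    /* Ordinary context again, so calling syslog() here is safe. */
    syslog(LOG_INFO, "Timeout before authentication after %u ms", grace_ms);
    return 0;
}

/* Constructed callbacks for the demonstration. */
int auth_never(void) { return 0; }
int auth_immediately(void) { return 1; }
int calls_remaining = 0;
int auth_after_countdown(void) { return --calls_remaining <= 0; }

int main(void)
{
    int timed_out = wait_for_auth(50, auth_never);          /* 0: grace expired */
    int in_time   = wait_for_auth(50, auth_immediately);    /* 1: authenticated */
    calls_remaining = 3;
    int no_limit  = wait_for_auth(0, auth_after_countdown); /* 1: no timer armed */
    return (timed_out == 0 && in_time == 1 && no_limit == 1) ? 0 : 1;
}
```

The point of the safe shape is not that syslog() is avoided, but that it is moved out of the asynchronous handler into the main loop, where it can no longer interrupt itself.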

If you have read this far, I hope you found this article informative. For more such articles, do subscribe at www.hashtagtechnophile.com

Make sure you rate or comment on this article, and if you found it useful, do share and subscribe, because that encourages me to write more.

Cheers! Until next time…❤️
