Sunday, July 14, 2024

regreSSHion – OpenSSH RCE Vulnerability Impacts 700K Linux Systems

The Qualys Threat Research Unit has identified a newly discovered vulnerability in OpenSSH, dubbed “regreSSHion” (CVE-2024-6387).

This critical flaw, which allows unauthenticated remote code execution (RCE) as root, affects over 700,000 Linux systems exposed to the internet.

The regreSSHion vulnerability is a signal handler race condition in OpenSSH’s server (sshd) that can be exploited to execute arbitrary code with the highest privileges.

This flaw is particularly concerning because it does not require user interaction and affects OpenSSH’s default configuration.

This vulnerability is a regression of a previously patched issue (CVE-2006-5051) reintroduced in October 2020 with the release of OpenSSH 8.5p1.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

If exploited, regreSSHion could lead to a complete system takeover, allowing attackers to install malware, manipulate data, and create backdoors for persistent access.

This could facilitate network propagation, enabling attackers to compromise other vulnerable systems within an organization.

The vulnerability poses a significant risk as it allows attackers to bypass critical security mechanisms such as firewalls and intrusion detection systems, potentially leading to significant data breaches and leakage.

Exposed OpenSSH Instances

Qualys researchers used internet scanning services like Censys and Shodan to identify over 14 million potentially vulnerable OpenSSH server instances exposed to the internet.

Anonymized data from Qualys customer data revealed that approximately 700,000 external internet-facing instances are vulnerable, accounting for 31% of all internet-facing instances with OpenSSH in the Qualys global customer base.

The vulnerability arises from sshd’s SIGALRM handler calling various sensitive functions such as syslog() in an asynchronous way when an attempted connection fails to pass authentication within the LoginGraceTime period.

This can lead to heap corruption, which can be exploited to execute arbitrary code with root privileges. The flaw is particularly challenging to exploit due to its remote race condition nature, requiring multiple attempts for a successful attack.

Mitigation Steps

To mitigate the risk posed by regreSSHion, organizations are advised to:

  • Patch Management: Apply patches for OpenSSH immediately and ensure continuous update processes.
  • Enhanced Access Control: Restrict SSH access via network-based controls.
  • Network Segmentation and Intrusion Detection: Segregate networks and deploy monitoring systems to detect exploitation attempts.
  • Temporary Mitigation: If patches cannot be applied immediately, configure LoginGraceTime to 0 to prevent exploitation, although this exposes systems to potential denial-of-service.

While no active exploits have been seen in the wild, the potential impact of this flaw necessitates urgent action from system administrators to protect their systems.

How to Scan for regreSSHion Vulnerability

Organizations can use several tools to scan for the regreSSHion vulnerability (CVE-2024-6387) in their systems. Here are some of the most effective tools available:

1. CVE-2024-6387_Check Script

This is a lightweight and efficient tool designed specifically to identify servers running vulnerable versions of OpenSSH.

It supports rapid scanning of multiple IP addresses, domain names, and CIDR network ranges.

The script retrieves SSH banners without authentication and uses multi-threading for concurrent checks, significantly reducing scan times. The output provides a clear summary of the scanned targets, indicating which servers are vulnerable, not vulnerable, or have closed ports.

2. Qualys Vulnerability Management

Qualys offers a comprehensive vulnerability management tool that can scan for a wide range of vulnerabilities, including CVE-2024-6387. It provides extensive protection and is capable of aggregating and prioritizing cyber risks across all assets and attack vectors.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files


Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles