Critical regreSSHion Vulnerability Puts Most Linux Distributions at Risk
Developers of OpenSSH have fixed a critical vulnerability that could allow remote code execution with root privileges on Linux systems based on glibc. The flaw was discovered by security experts at Qualys.
The vulnerability, identified as CVE-2024-6387 and classified as a race condition, is found in the server component of OpenSSH, known as sshd, which listens for connections from any client application. OpenSSH is a suite of tools that provides secure remote access using the SSH encryption protocol. This suite is included in all Linux systems based on glibc, which means nearly all major distributions are affected (except Alpine Linux, which uses a different C library). BSD systems are not affected by this vulnerability. Qualys is still investigating whether macOS or Windows operating systems are impacted.
Qualys has identified at least 14 million potentially vulnerable OpenSSH server instances accessible via the Internet. The discovered bug, named “regreSSHion”, is a regression of an 18-year-old vulnerability (CVE-2006-5051, CVSS score: 8.1) that had previously been fixed. In this context, a regression means that a previously patched bug reappears in a later software version, usually due to changes or updates that inadvertently reintroduce the issue. In this case, the bug was reintroduced in October 2020 with the release of OpenSSH 8.5p1.
Technical Details and Exploitation
Successful exploitation of the vulnerability was demonstrated on 32-bit Linux/glibc systems with Address Space Layout Randomization (ASLR) enabled. In laboratory conditions, the attack requires an average of 6-8 hours of continuous connections up to the server’s maximum capacity. There have been no reports of regreSSHion being exploited in the wild so far.
According to Qualys, if a client fails to authenticate within 120 seconds (the default value of the LoginGraceTime setting), sshd's SIGALRM handler is invoked asynchronously and calls code that is not async-signal-safe. The end result of exploitation is complete system compromise, allowing attackers to execute arbitrary code with the highest privileges, bypass security mechanisms, steal data, and even maintain persistent access.
Affected Versions and Mitigation
- Vulnerable versions: 8.5p1 through 9.7p1
- Versions prior to 4.4p1 are also vulnerable to the race condition if they have not been patched for CVE-2006-5051 and CVE-2008-4109.
- OpenBSD systems are not affected, as they include a security mechanism that blocks the vulnerability.
- The fix has been implemented in version 9.8p1.
Researchers urge organizations to immediately apply updates, reconfigure sshd, and segment networks where possible. If updating or recompiling sshd is not possible, set the LoginGraceTime parameter to 0 in the configuration file. While this may make sshd vulnerable to DoS attacks, it prevents the risk of remote code execution.
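To make the version ranges and the LoginGraceTime workaround above concrete, here is an added Python example (not code from the article or from Qualys) that classifies an SSH server identification banner against the affected ranges stated above and checks whether an sshd_config text carries the `LoginGraceTime 0` mitigation. It assumes the standard `OpenSSH_<major>.<minor>p<patch>` banner form, and that sshd honours the first occurrence of a keyword (the documented behaviour for sshd_config). The sample banners and configuration snippets are constructed for the demonstration. Because distributions backport fixes without bumping the upstream version string, a banner-based result is only an indicator that should be confirmed against the vendor's package changelog.

```python
import re
from typing import Optional, Tuple

# Version boundaries taken from the advisory summary above.
FIRST_REGRESSED = (8, 5, 1)  # 8.5p1 reintroduced the bug
FIXED = (9, 8, 1)            # 9.8p1 carries the fix
OLD_FIXED = (4, 4, 1)        # builds before 4.4p1 may lack the CVE-2006-5051 fix

_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, Optional[int]]]:
    """Extract (major, minor, portable-patch) from an SSH identification string.

    The patch element is None for a banner without a "pN" suffix, which is the
    non-portable (OpenBSD native) build. Returns None for non-OpenSSH banners.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), (int(patch) if patch is not None else None)


def classify(banner: str) -> str:
    """Map a banner to one of the affected ranges stated in the article."""
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown"
    major, minor, patch = v
    if patch is None:
        # OpenBSD's own sshd is described above as not affected.
        return "openbsd-native-unaffected"
    version = (major, minor, patch)
    if version < OLD_FIXED:
        return "possibly-vulnerable-legacy"
    if FIRST_REGRESSED <= version < FIXED:
        return "vulnerable-by-version"
    return "not-vulnerable-by-version"


_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_sshd_time(value: str) -> int:
    """Parse an sshd time value such as '120', '2m' or '1h30m' into seconds."""
    total = 0
    for num, unit in re.findall(r"(\d+)([smhdw]?)", value.lower()):
        total += int(num) * _UNIT_SECONDS[unit]
    return total


def effective_login_grace_time(sshd_config: str) -> int:
    """Return the LoginGraceTime sshd would apply, in seconds.

    sshd uses the first value it reads for a keyword; comments and blank
    lines are skipped, and the compiled-in default is 120 seconds.
    """
    for line in sshd_config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0].lower() == "logingracetime" and len(parts) == 2:
            return parse_sshd_time(parts[1].strip())
    return 120


def mitigated_by_config(sshd_config: str) -> bool:
    """True when the grace timer is disabled, which removes the SIGALRM path."""
    return effective_login_grace_time(sshd_config) == 0


# Constructed sample inputs, not captured from any real host.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5",
    "SSH-2.0-OpenSSH_4.3p2",
    "SSH-2.0-OpenSSH_9.7",
    "SSH-2.0-dropbear_2022.83",
]
SAMPLE_CONFIG_DEFAULT = "Port 22\n# LoginGraceTime 2m\nPermitRootLogin no\n"
SAMPLE_CONFIG_MITIGATED = "LoginGraceTime 0\nLoginGraceTime 2m\nPermitRootLogin no\n"

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r:45} -> {classify(b)}")
    print("default config mitigated:", mitigated_by_config(SAMPLE_CONFIG_DEFAULT))
    print("hardened config mitigated:", mitigated_by_config(SAMPLE_CONFIG_MITIGATED))
```

The config check treats a commented-out `LoginGraceTime` line as absent and reports the 120-second default, which is the state the advisory describes; only an active `LoginGraceTime 0` counts as the workaround, with the denial-of-service trade-off noted above.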