2024-07-11

New "regreSSHion" Vulnerability - CVE-2024-6387, Could Enable Remote Code Execution on Linux

Level: Strategic | Source: OpenSSH, Qualys & The Record | Global


Category: Vulnerability | Industry: Global | Sources: OpenSSH, Qualys & The Record

A newly discovered vulnerability in OpenSSH, identified as CVE-2024-6387 and dubbed "regreSSHion," has been spotlighted due to its potential to enable unauthenticated remote attackers to execute arbitrary code as root on glibc-based Linux systems. This critical flaw, discovered by Qualys researchers in May 2024, stems from a signal handler race condition within OpenSSH's server daemon (sshd). The condition manifests specifically when a client fails to authenticate within the predefined 'LoginGraceTime.' According to OpenSSH's official release, this vulnerability impacts a broad range of systems globally, affecting potentially over 700,000 internet-facing servers as estimated by Qualys.

The vulnerability — CVE-2024-6387 — is identified as a regression of CVE-2006-5051 and was inadvertently reintroduced in OpenSSH versions starting from 8.5p1 up to, but not including, 9.8p1. Versions prior to 4.4p1 are also vulnerable unless they have been patched for CVE-2006-5051 and CVE-2008-4109. It is important to note that OpenSSH versions from 4.4p1 up to, but not including, 8.5p1 are not affected due to a transformative patch that secured a previously unsafe function. To mitigate the risk posed by this vulnerability, systems operating on affected versions should be updated to version 9.8p1 or later, which contains the necessary fixes to address the regression.

Despite its severe implications, practical exploitation of CVE-2024-6387 is fraught with challenges, which may limit its widespread abuse. According to Qualys, "This vulnerability is challenging to exploit due to its remote race condition nature, requiring multiple attempts for a successful attack. This can cause memory corruption and necessitate overcoming Address Space Layout Randomization (ASLR)." These factors introduce a layer of complexity that could deter exploitation, but they do not eliminate the risk. Reports from OpenSSH and from researchers cited by The Record echo this: the race condition is complex and requires precise timing. OpenSSH details that successful exploitation has been demonstrated only under lab conditions on 32-bit Linux systems with ASLR, taking an average of 6-8 hours of continuous effort. For 64-bit systems, exploitation is theoretically possible but has not yet been demonstrated.

Further complicating the exploitation process is the requirement for sustained high-volume connection attempts to trigger the race condition reliably. This activity could potentially be noisy and detectable, thereby allowing defensive measures to thwart the attack before it succeeds. OpenSSH also notes that exploitation likelihood varies across system architectures and configurations, particularly highlighting that systems without ASLR or with modified OpenSSH configurations that disable per-connection ASLR re-randomization could be more susceptible.

In terms of mitigation, the recommended immediate step is upgrading to the latest version of OpenSSH that resolves the issue. For systems where immediate upgrades are not feasible, setting 'LoginGraceTime' to zero is suggested as a temporary mitigation, although this adjustment could lead to potential denial-of-service risks. Organizations are also advised to implement network segmentation and stringent access controls to minimize the risk of exploitation and restrict potential lateral movement by attackers. CVE-2024-6387, while severe, presents significant challenges that could limit its exploitability. Systems operating within the affected versions should still urgently upgrade to version 9.8p1 or later, which includes the necessary patches.
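A triage sketch for the version ranges and the 'LoginGraceTime' workaround described above. This is an added example, not code from OpenSSH, Qualys or the original article; the function names, banners and config text are constructed for illustration, and a version string alone cannot see distribution backports.

```python
import re

# Upstream OpenSSH boundaries as stated in the article.
FIRST_SAFE_LEGACY = (4, 4)  # 4.4p1: earlier releases need CVE-2006-5051/CVE-2008-4109 patches
REGRESSION_START = (8, 5)   # 8.5p1: regression reintroduced
FIXED = (9, 8)              # 9.8p1: regression fixed
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_version(text):
    """Extract (major, minor) from an SSH banner or `ssh -V` style string."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(text):
    """Map a version string onto the article's affected ranges.
    Caveat: distributions may backport the fix without changing the upstream
    version number, so a 'vulnerable' result means: check the vendor advisory."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    if v < FIRST_SAFE_LEGACY:
        return "vulnerable-unless-patched"
    if v < REGRESSION_START:
        return "not-affected"
    return "vulnerable" if v < FIXED else "fixed"

def login_grace_time(config_text):
    """Effective LoginGraceTime in seconds from sshd_config text.
    sshd keeps the first value it reads for a keyword; the default is 120.
    Include directives are not followed here (limitation of this sketch)."""
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ").split()
        if len(parts) >= 2 and parts[0].lower() == "logingracetime":
            return sum(int(n) * UNITS[u.lower()]
                       for n, u in re.findall(r"(\d+)([smhdwSMHDW]?)", parts[1]))
    return 120

def triage(banner, config_text):
    """Combine version status with the temporary LoginGraceTime 0 workaround."""
    status = classify(banner)
    grace = login_grace_time(config_text)
    return {"status": status, "login_grace_time": grace,
            "temp_mitigation": status.startswith("vulnerable") and grace == 0}

if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    sample_config = "# constructed sshd_config\nPort 22\nLoginGraceTime 0\n"
    for banner in ("SSH-2.0-OpenSSH_4.3p2", "SSH-2.0-OpenSSH_7.4",
                   "SSH-2.0-OpenSSH_9.6p1", "SSH-2.0-OpenSSH_9.8p1"):
        print(banner, triage(banner, sample_config))
```

A host reported with `temp_mitigation: True` still needs the upgrade to 9.8p1 or later; the workaround carries the denial-of-service trade-off noted above.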
