A critical vulnerability has been identified in OpenSSH’s server (sshd), affecting many glibc-based systems. Ironically named regreSSHion, it poses a risk of remote code execution (RCE) as root on the affected systems.
Overview
A critical security flaw, known as “regression” and cataloged under CVE-2024-6387, has been identified in OpenSSH. This vulnerability allows an unauthenticated attacker to execute arbitrary code and potentially obtain root access on the compromised system,
Vulnerability Details
- CVE ID: CVE-2024-6387
- Description: A signal handler race condition that allows unauthenticated Remote Code Execution (RCE) as root. This could enable threat actors to install malware, manipulate data, or create persistent backdoors upon compromising the system. The vulnerability is a regression emerging from a previously patched issue (CVE-2006-5051).
- Affected Versions:
- Old OpenSSH versions earlier than 4.4p1 are vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109.
- Versions 4.4p1 up to before 8.5p1 are not vulnerable due to a patch for CVE-2006-5051.
- The vulnerability resurfaces in versions after 8.5p1 before 9.8p1.
Analysis
The exploit works by taking advantage of a signal handler in OpenSSH, which exposes an opportunity for some glibc Linux distributions to insert instructions into the heap while privileged execution is taking place. The attack involves identifying the location in the heap to insert a malicious payload, performing a fake key exchange process, and then using a timing attack to modify the heap at the exact moment privileged execution occurs.
Past Exploitation
Interestingly, the upstream source of OpenSSH, OpenBSD, has correctly handled this exploit condition since 2001 and was never vulnerable to regreSSHion due to differences in how the exploitable signal path is dealt with in OpenBSD. Most modern systems have some kind of mitigation preventing this exploit from being easily successful. As of now, the exploit is possible but not probable
Take Action
Organizations should:
- Patch: Ensure OpenSSH is updated to a version beyond 8.5p1.
- Monitor: Keep an eye on any suspicious activity related to SSH connections.
- Analyze: Leverage tools like Microsoft Defender to pinpoint and neutralize threats arising from this vulnerability
Stay vigilant and take necessary precautions to protect your systems against this critical security issue!
Sources: