Over 14 million OpenSSH instances exposed to the internet are now at risk following the discovery of a critical vulnerability in OpenSSH’s server, according to a new analysis by Qualys.
The remote unauthenticated code execution (RCE) vulnerability (CVE-2024-6387) could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges. This could result in:
- Complete system takeover
- Installation of malware
- Data manipulation
- Creation of backdoors for persistent access
- Network propagation, allowing attackers to use the compromised system as a foothold to traverse and exploit other vulnerable systems within the organization
The researchers also warned that gaining root access via this CVE would allow threat actors to further obscure their activities by bypassing critical security mechanisms such as firewalls, intrusion detection systems and logging mechanisms.
The vulnerability, dubbed regreSSHion, has been rated severe and critical, especially for enterprises that rely heavily on OpenSSH for remote server management.
Read here: NVD Leaves Exploited Vulnerabilities Unchecked
A Widespread Vulnerability
OpenSSH is a connectivity tool for remote sign-in that uses the Secure Shell (SSH) protocol, which is used to enable secure communication over unsecured networks.
The tool supports various encryption technologies and is standard on multiple Unix-like systems, including macOS and Linux. This particular vulnerability impacts glibc-based Linux systems.
OpenBSD systems are unaffected by the vulnerability due to a secure mechanism developed by OpenBSD in 2001.
Qualys said it has identified over 14 million potentially vulnerable OpenSSH server instances exposed to the Internet, based on searches using Censys and Shodan.
Approximately 700,000 external internet-facing instances are vulnerable across Qualys’ global customer base.
The RCE is a regression of the previously patched vulnerability CVE-2006-5051, which was reported in 2006. A regression can occur when a previously fixed flaw reappears in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue.
The researchers noted that the vulnerability is challenging to exploit due to its remote race condition nature requiring multiple attempts for a successful attack. This can cause memory corruption and necessitates overcoming Address Space Layout Randomization (ASLR).
However, advancements in deep learning could significantly increase the exploitation rate by giving attackers a “substantial advantage” in leveraging such vulnerabilities.
How to Prevent Exploitation
OpenSSH versions earlier than 4.4p1 are vulnerable to compromise due to this flaw, unless they are patched for CVE-2006-5051 and CVE-2008-4109.
The vulnerability also resurfaces in v8.5p1 up to, but not including, 9.8p1, due to the accidental removal of a critical component in a function.
Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051.
Organizations using the impacted versions have been urged to take the following actions to mitigate the risk of attack via this flaw:
- Quickly apply available patches for OpenSSH and prioritize ongoing update processes
- Use network-based controls to limit SSH access, minimizing attack risks
- Segment networks to restrict unauthorized access and lateral movements within critical environments
- Deploy systems to monitor and alert on usual activities indicative of exploitation attempts