OpenSSH is a suite of networking utilities based on the Secure Shell protocol.
It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. The flaw, discovered by researchers at Qualys in May 2024, and assigned the identifier CVE-2024-6387, is due to a signal handler race condition in sshd that allows unauthenticated remote attackers to execute arbitrary code as root.
Exploitation of regreSSHion can have severe consequences for the targeted servers, potentially leading to complete system takeover.
Despite the flaw's severity, Qualys says regreSSHion is hard to exploit and requires multiple attempts to achieve the necessary memory corruption.
It's noted that AI tools may be used to overcome the practical difficulties and increase the successful exploitation rate.
Qualys has also published a more technical write-up that delves deeper into the exploitation process and potential mitigation strategies.
The regreSSHion flaw impacts OpenSSH servers on Linux from version 8.5p1 up to, but not including 9.8p1. Versions 4.4p1 up to, but not including 8.5p1 are not vulnerable to CVE-2024-6387 thanks to a patch for CVE-2006-5051, which secured a previously unsafe function.
Versions older than 4.4p1 are vulnerable to regreSSHion unless they are patched for CVE-2006-5051 and CVE-2008-4109.
Qualys also notes that OpenBSD systems are not impacted by this flaw thanks to a secure mechanism introduced back in 2001.
The security researchers also note that while regreSSHion likely also exists on macOS and Windows, its exploitability on these systems hasn't been confirmed.
A separate analysis is required to determine if those operating systems are vulnerable.
Apply the latest available update for the OpenSSH server, which fixes the vulnerability.
Restrict SSH access using network-based controls such as firewalls and implement network segmentation to prevent lateral movement.
If the OpenSSH server cannot be updated immediately, set the 'LoginGraceTime' to 0 in the sshd configuration file, but note that this can expose the server to denial-of-service attacks.
Scans from Shodan and Censys reveal over 14 million internet-exposed OpenSSH servers, but Qualys confirmed a vulnerable status for 700,000 instances based on its CSAM 3.0 data.
Over 50,000 Tinyproxy servers vulnerable to critical RCE flaw.
CosmicSting flaw impacts 75% of Adobe Commerce, Magento sites.
VMware fixes critical vCenter RCE vulnerability, patch now.
Widely used modems in industrial IoT devices open to SMS attack.
PHP fixes critical RCE flaw impacting all versions for Windows.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 01 Jul 2024 13:40:16 +0000