OpenSSH 9.8 Fixes Critical sshd Vulnerability

posted by Rianne Schestowitz on Jul 02, 2024,
updated Jul 12, 2024

Quoting: OpenSSH 9.8 Fixes Critical sshd Vulnerability —

Today, the OpenSSH project announced the release of OpenSSH 9.8, available for download on its official mirrors. This release patched a critical issue (CVE-2024-6387) found in Portable OpenSSH versions 8.5p1 to 9.7p1.

The vulnerability, potentially allowing arbitrary code execution with root privileges, particularly affected 32-bit Linux systems with ASLR.

Although the exploit has not been demonstrated on 64-bit systems, the possibility remains, heightening the risk for systems without effective address space layout randomization (ASLR).

Read on

Update

A couple more:

• SSH "regreSSHion" Remote Code Execution Vulnerability in OpenSSH., (Mon, Jul 1st)

• Millions of OpenSSH Servers Potentially Vulnerable to Remote regreSSHion Attack

  Millions of OpenSSH servers could be vulnerable to unauthenticated remote code execution due to a vulnerability tracked as regreSSHion and CVE-2024-6387.

More here. (CVE-2006-5051 and CVE-2024-6387 Patched in OpenSSH)

More here:

• Pre-auth RCE to root in OpenSSH server: 700,000 instances exposed

  A critical vulnerability in certain versions of the OpenSSH server can be exploited remotely by an unauthenticated attacker to gain root.

  The race condition vulnerability, allocated CVE-2024-6387 and affecting most Glibc-based Linux versions, was identified and reported by Qualys.

  A technical write-up of bug, dubbed "regreSSHion" is here.

A couple more:

• 'Critical' vulnerability in OpenSSH uncovered, affects almost all Linux systems

  Researchers at the Qualys Threat Research Unit (TRU) have unearthed discovered a critical security flaw in OpenSSH's server (sshd) in glibc-based Linux systems.

• 'RegreSSHion' Bug Threatens Takeover of Millions of Linux Systems

  An unauthenticated remote code execution (RCE) vulnerability in the OpenSSH secure communications suite opens millions of Linux-based systems to takeover as root.

  Dubbed "RegreSSHion" by researchers who discovered it at the Qualys Threat Research Unit (TRU), the bug (a 8.1 CVSS score) is more specifically a signal handler race condition in OpenSSH’s server (sshd). It affects glibc-based Linux systems running sshd in its default configuration; it may also exist in Mac and Windows environments (though exploitability for those hasn't been proven yet).

  "This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access," read to a TRU posting on July 1.

And 2 more again:

• New regreSSHion OpenSSH RCE bug gives root on Linux servers

  A new OpenSSH unauthenticated remote code execution (RCE) vulnerability dubbed "regreSSHion" gives root privileges on glibc-based Linux systems.

  OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP.

• Critical OpenSSH vulnerability threatens millions of Linux systems

  Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)

And another:

• New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems

  OpenSSH maintainers have released security updates to contain a critical security flaw that could result in unauthenticated remote code execution with root privileges in glibc-based Linux systems.

  The vulnerability, codenamed regreSSHion, has been assigned the CVE identifier CVE-2024-6387. It resides in the OpenSSH server component, also known as sshd, which is designed to listen for connections from any of the client applications.

  "The vulnerability, which is a signal handler race condition in OpenSSH's server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems," Bharat Jogi, senior director of the threat research unit at Qualys, said in a disclosure published today. "This race condition affects sshd in its default configuration."

One last item for today:

• OpenSSH Critical Vulnerability Exposes Millions of Linux Servers to Arbitrary Code Attacks

  A critical vulnerability has been discovered in OpenSSH, a widely used implementation of the SSH protocol, which could potentially expose millions of Linux systems to arbitrary code execution attacks.

• PoC Exploit Published for Linux Kernel Privilege Escalation Flaw

  A critical use-after-free vulnerability has been discovered in the Linux kernel’s netfilter subsystem.

  This vulnerability could potentially allow local, unprivileged users with CAP_NET_ADMIN capability to escalate their privileges.

2 more today:

• ‘RegreSSHion’ bug raises alarms but experts question chances of widespread exploitation

  While most experts said concerns about the bug were justified, others cast doubt on its severity.

  Moore noted the exploits for the vulnerability appear to only be viable for a certain kind of Linux server, most of which are relegated to 15-year-old systems.

• Researchers uncover rare, difficult-to-exploit OpenSSH vulnerability

  “Qualys came up with situations through which they were able to take a thing that may take weeks to a thing that could take hours, but it still relied upon an intentionally fragile environment for it to execute,” Arasaratnam said, noting that finding a bug in a program thought by many to be “rock solid” is impressive work.

  OpenSSH noted that it took them eight hours of continuous connection before they were able to replicate a successful attack.

Two more:

• RCE vulnerability in OpenSSH – RegreSSHion (CVE-2024-6387)

  TL;DR The Qualys Threat Research Unit has found a high-severity vulnerability, filed under CVE-2024-6387, affects OpenSSH (Open Secure Shell), a networking utility often used for remote server management [...]

• Over 14M servers may be vulnerable to OpenSSH's regreSSHion RCE flaw. Here's what you need to do

  OpenSSH, the bedrock of secure GNU/Linux network access, has a nasty security flaw.

A couple more:

• “RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux

  Researchers have warned of a critical vulnerability affecting the OpenSSH networking utility that can be exploited to give attackers complete control of Linux and Unix servers with no authentication required.

  The vulnerability, tracked as CVE-2024-6387, allows unauthenticated remote code execution with root system rights on Linux systems that are based on glibc, an open source implementation of the C standard library. The vulnerability is the result of a code regression introduced in 2020 that reintroduced CVE-2006-5051, a vulnerability that was fixed in 2006. With thousands, if not millions, of vulnerable servers populating the Internet, this latest vulnerability could pose a significant risk.

• Latest OpenSSH Vulnerability Might Impact 14M Linux Systems

  The vulnerability is a regression of the previously patched vulnerability CVE-2006-5051, which was reported in 2006. A regression in this context means that a flaw, once fixed, has reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue.

Last pair of links for now:

• Cybersecurity News: 14 million Linux systems threatened, critical patch for Juniper routers, millions impacted by Prudential breach

  Researchers at Qualys have uncovered a critical vulnerability, “regreSSHion” (CVE-2024-6387), which some experts are comparing to the notorious Log4Shell in terms of potential severity. This flaw, with a CVSS score of 8.1, affects glibc-based Linux systems running sshd in its default configuration. Exploiting this vulnerability could allow attackers to completely take over systems, install malware, manipulate data, and create backdoors for persistent access. The vulnerability poses a severe threat, enabling unauthorized remote code execution with root privileges, leaving over 14 million servers potentially vulnerable.

• OpenSSH: An RCE run as Root puts 14 million instances on Linux at risk

  A recent critical vulnerability in OpenSSH, identified as CVE-2024-6387, could allow unauthenticated remote code execution with root privileges on glibc-based Linux systems. This flaw resides in the server component of OpenSSH (sshd) and is due to a race condition in the signal handler. The vulnerability was reintroduced in October 2020 in OpenSSH version 8.5p1, partially fixing an 18-year-old problem (CVE-2006-5051).

One more:

• Linux Users Beware: New OpenSSH Vulnerability Could Lead to System Takeover

  The new bug is a Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (SSHD) in glibc-based Linux systems. The CVE assigned is CVE-2024-6387. It’s a signal handler race condition in OpenSSH’s server and affects SSHD’s default configuration.

  This vulnerability allows unauthenticated remote code execution and poses significant security risks, allowing attackers to execute remote code without authentication on vulnerable servers.

  It could result in a full system compromise, where attackers perform a complete system takeover, including creating a backdoor for ongoing access. Hackers could deploy further malware or use the compromised system to exploit and gain access to other vulnerable systems within an organization, bypassing firewalls, logging mechanisms, and other security to obscure their activities. This could lead to a significant data breach or leak, potentially exposing sensitive data.

Schneier:

• New Open SSH Vulnerability

  It’s a serious one:

  The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based GNU/Linux systems; that presents a significant security risk. This race condition affects sshd in its default configuration.

  This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access.

Two more:

• 14 million OpenSSH servers exposed to the internet via regression flaw

  In its security analysis, the Qualys researchers identified that this vulnerability is a regression of CVE-2006-5051, a vulnerability first reported in 2006, which is why they named it regreSSHion. A regression happens when after a flaw gets fixed, it reappears in a subsequent software release, typically because of changes or updates that inadvertently reintroduce the issue. The regression itself was first introduced in October 2020 following code changes. The researcher also pointed out that this incident highlights the crucial role of thorough regression testing to prevent the reintroduction of known vulnerabilities into the environment.

• What you need to know about regreSSHion: an OpenSSH server remote code execution vulnerability (CVE-2024-6387)

  It should be noted that the researchers suspect that an unrelated patch only included in the Ubuntu 23.10 and 24.04 LTS releases prevents the service from being exploitable; however, we still advise that the updated package be installed.

Late and related:

• regreSSHion OpenSSH Flaw: Potential Exploitation Attempts Seen, but Mass Attacks Unlikely

  Exploitation of CVE-2024-6387 is not a straightforward task. Qualys explained that in its experiments it took roughly 10,000 tries to win the race condition required for exploitation, taking between several hours and one week to obtain a remote root shell.

  Tomer Schwartz, co-founder and CTO of Dazz, highlighted that exploitation is mostly possible in a lab setting.

A couple of very late ones:

• The regreSSHion (CVE-2024-6387) Bug Is Patched In OpenSSH 9.8

• Cyber threat concerns heightened following Linux vulnerability

  A critical vulnerability has been discovered in OpenSSH affecting almost all Linux systems, further accentuating the rise of security vulnerabilities for every industry and the need to further protect critical infrastructure.

  Sylvain Cortes, VP Strategy at Hackuity, explained that this OpenSSH vulnerability could enable unauthenticated remote code execution with root privileges, posing severe risks such as malware deployment, establishment of backdoors, and exfiltration of sensitive data.

  "Virtually all Linux distributions, except for Alpine Linux, are vulnerable," Cortes said. He stressed that vendors are releasing patches, and security teams must prioritise implementing these updates to mitigate potential exploits. "With 14 million OpenSSH systems potentially impacted, identifying and prioritising these specific systems in your own organisation is mission-critical," he added.

2 more of these:

• Harisfazillah Jamel: Critical OpenSSH Vulnerability (CVE-2024-6387): Please Update Your Linux

  Critical OpenSSH Vulnerability (CVE-2024-6387): Please Update Your Linux

• This Week In Security: Hide Yo SSH, Polyfill, And Packing It Up

  The big news this week was that OpenSSH has an unauthorized Remote Code Execution exploit. Or more precisely, it had one that was fixed in 2006, that was unintentionally re-introduced in version 8.5p1 from 2021. The flaw is a signal handler race condition, where async-unsafe code gets called from within the SIGALARM handler. What does that mean?

Last for now:

• Critical OpenSSH vulnerability could affect millions of servers

  Exploitation against CVE-2024-6387, which Qualys nicknamed 'regreSSHion,' could let attackers bypass security measures and gain root access to vulnerable servers.

3 more:

• CVE-2024-6387: New OpenSSH RegreSSHion Vulnerability Gives Hackers Root Access on Linux Servers – 700,000+ Linux Boxes Potentially at Risk

  Labeled as CVE-2024-6387, the recently discovered vulnerability in OpenSSH has become a serious cause for concern among Linux servers. OpenSSH is a collection of networking tools built on the Secure Shell (SSH) protocol. It is widely utilized to secure remote logins, manage and administer remote servers, and transfer files through SCP and SFTP.

  Nicknamed as the “RegreSSHion Bug”, Researchers at Qualys initially identified the vulnerability in May 2024. This flaw permits remote code execution (RCE), which can lead to attackers obtaining root access to the system.

• 2024-07-03 [Older] [Bug 3706] Support upgrading sshd without restarting the server

• 2024-07-03 [Older] Over 14 Million Servers May Be Vulnerable To OpenSSH's 'RegreSSHion' RCE Flaw

Linuxiac:

• Fedora and RHEL Users Alerted to OpenSSH Vulnerability

  A newly disclosed vulnerability in OpenSSH, CVE-2024-6409, has raised concerns across multiple Linux distributions using glibc. The security flaw, which could potentially allow remote code execution, was discovered during a review of findings by the Qualys Security team.

LWN (related, not the same):

• Another OpenSSH remote code execution vulnerability

  Alexander "Solar Designer" Peslyak has disclosed another OpenSSH vulnerability that can be exploited for remote code execution, but only on distributions that have applied a patch to add auditing support.

More:

• New OpenSSH Flaw (CVE-2024-6409) Hits Red Hat Enterprise Linux 9

  A new security vulnerability has been discovered within select versions of the OpenSSH secure networking suite, potentially exposing systems to remote code execution (RCE) risks.

  Tracked under CVE-2024-6409 with a CVSS score of 7.0, this OpenSSH vulnerability affects versions 8.7p1 and 8.8p1 of OpenSSH, specifically those shipped with Red Hat Enterprise Linux 9. Security researcher Alexander Peslyak, widely known as Solar Designer, discovered the vulnerability during a comprehensive review following the disclosure of CVE-2024-6387, also known as RegreSSHion.