A new vulnerability in openssh used by most Linux servers has been announced today. It allows a remote attacker to gain root access on all unpatched openssh servers.
A new OpenSSH vulnerability: CVE-2024-6387 has been announced. It exploits a number of not-safe-for async functions which are run (asynchronously) if the client doesn’t authenticate by the end of LoginGraceTime timeout. This puts OpenSSH in an inconsistent state which can further be exploited. For more details refer to the CVE link above.
This vulnerability is named regreSSHion. Because every kill-a-company bug has to have a killer name 🙂 . By current estimates it affects some 20-30% of publicly facing Linux OpenSSH servers. Simply said this is a huge threat to most of the internet infrastructure. For older systems it takes around 6-8 hours to gain root access, with amd64 based systems it willt ake somewhere between 6h and one week (assuming no further improvement on the attack by malicious actors).
Vulnerable versions:
The following versions of OpenSSH server are voulnerable:
- < 4.4p1 is vulnerable to this signal handler race condition,
- if not backport-patched against CVE-2006-5051, or not patched against
- CVE-2008-4109, which was an incorrect fix for CVE-2006-5051;
- 4.4p1 – 8.5p1 NOT VULNERABLE
- 8.5p1 <= OpenSSH < 9.8p1 is vulnerable again
How can i check:
On a given linux (debian-like) system: sshd -V
or ssh -V
Why two? sshd
is OpenSSH-server, while ssh
is the client. This vulnerability only affects the server, if there is no server so we’re OK. Commands above might not work on non-debian distros which may have different command for sshd).
Example output (vulnerable):
OpenSSH_8.6p1, OpenSSL 1.0.2k-fips
Alternatively connect to a server using telnet or netcat: telnet myserver.com 22
Trying 369.42.369.43...
Connected to myserver.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.7
If version numbers are between 4.4 and 8.5 you’re not vulnerable to this exploit.
Mitigations:
Updates by OpenSSH team and major distros are already out or in progress. Here’s a few:
If for some reason your linux instance cannot be upgraded, or no upgrades are available you can disable LoginGraceTime by setting in LoginGraceTime=0 in /etc/ssh/sshd_config and restarting your OpenSSH-server. Be mindful that this will expose you to a denial-of service attack based on CVE-2010-5107. But DoS is a lot easier to deal with than a remote root takeover, and in the long run probably cheaper!
For more details keep your eyes peeled to the Qualys blog (the company whose researchers found the vulnerability) and the NVD’s tracker which has helpful links to disto-specific resources.