CVSS 8.1 HIGH (Provisional)
A signal handler race condition has been identified in the OpenSSH server (sshd), tracked as CVE-2024-6387. On glibc-based Linux systems it allows unauthenticated remote code execution (RCE) as root, and it affects sshd in its default configuration.
According to data from Censys and Shodan, there are over 14 million OpenSSH server instances which are exposed to the wider internet and therefore potentially vulnerable.
This vulnerability is a regression of CVE-2006-5051, a flaw reported and patched in 2006. A regression here means that a bug which had been fixed reappeared in a later release, typically because a subsequent change inadvertently reintroduced it. The vulnerability has therefore been dubbed regreSSHion.
Researchers at Qualys have been able to develop a working, proof-of-concept exploit for the regreSSHion vulnerability.
Affected versions
- OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they have been patched for CVE-2006-5051 and CVE-2008-4109.
- Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable: the fix for CVE-2006-5051 made the previously unsafe sigdie() function secure by wrapping its async-signal-unsafe logging call in an "#ifdef DO_LOG_SAFE_IN_SIGHAND" guard.
- The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1, because that "#ifdef" guard was accidentally removed from sigdie(), so the SIGALRM handler once again calls logging code (and through it syslog(), malloc() and free()) that is not async-signal-safe.
- 32-bit x86 glibc systems have been validated as exploitable; 64-bit (x64) systems are likely to be exploitable, but this has yet to be demonstrated.
OpenBSD systems are unaffected by this bug: since 2001 OpenBSD's SIGALRM handler has called syslog_r(), an async-signal-safe variant of syslog(), which prevents this vulnerability.
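The version ranges above are what a fleet triage needs to encode. The following is an added example (not code from the advisory or from the OpenSSH project) that classifies OpenSSH banner strings, as returned by `ssh -V`, a banner grab, or a Censys/Shodan export, against those ranges. The banners in the block are constructed for illustration. It also flags the caveat a practitioner must not skip: a distribution suffix in the banner (for example "Ubuntu-3ubuntu0.6") means the vendor may have backported the fix without bumping the upstream version number, so a "vulnerable" banner verdict must be confirmed against the installed package version and the vendor's advisory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6" in an SSH-2.0 banner or `ssh -V` output.
# Group 4 captures a whitespace-separated distro suffix, if any.
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?(?:\s+(\S+))?")


@dataclass
class Verdict:
    banner: str
    version: Optional[Tuple[int, int]]
    # vulnerable_old | not_vulnerable | vulnerable_regression | fixed | unknown
    status: str
    distro_suffix: Optional[str] = None

    @property
    def needs_package_check(self) -> bool:
        # A vendor suffix means the upstream version alone cannot prove exposure:
        # the fix may have been backported. Confirm with the package manager.
        return self.status.startswith("vulnerable") and self.distro_suffix is not None


def parse_banner(banner: str) -> Tuple[Optional[Tuple[int, int]], Optional[str]]:
    """Extract (major, minor) and an optional distro suffix from a banner string."""
    m = VERSION_RE.search(banner)
    if not m:
        return None, None
    major, minor, _portable_patch, suffix = m.groups()
    # All range boundaries here are the first portable release of a version
    # (4.4p1, 8.5p1, 9.8p1), so comparing (major, minor) is sufficient.
    return (int(major), int(minor)), suffix


def classify(version: Optional[Tuple[int, int]]) -> str:
    """Map an OpenSSH (major, minor) to the affected ranges listed above."""
    if version is None:
        return "unknown"            # not OpenSSH, or unparseable
    if version < (4, 4):
        return "vulnerable_old"     # CVE-2006-5051 era, unless patched back then
    if version < (8, 5):
        return "not_vulnerable"     # 4.4p1 .. 8.4p1 carry the original fix
    if version < (9, 8):
        return "vulnerable_regression"  # 8.5p1 .. 9.7p1: regreSSHion
    return "fixed"                  # 9.8p1 and later


def triage(banners: List[str]) -> List[Verdict]:
    """Classify each banner; keep the raw banner so results can be reviewed."""
    out = []
    for b in banners:
        version, suffix = parse_banner(b)
        out.append(Verdict(b, version, classify(version), suffix))
    return out


def summary(verdicts: List[Verdict]) -> dict:
    """Count hosts per status, plus how many vulnerable verdicts need a package check."""
    counts: dict = {}
    for v in verdicts:
        counts[v.status] = counts.get(v.status, 0) + 1
    counts["needs_package_check"] = sum(1 for v in verdicts if v.needs_package_check)
    return counts


# Constructed sample input (not real scan data).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",       # in range, vendor may have backported
    "SSH-2.0-OpenSSH_9.8p1",                          # upstream fixed
    "OpenSSH_9.7p1, OpenSSL 3.0.13 30 Jan 2024",      # `ssh -V` style, in range
    "SSH-2.0-OpenSSH_7.4",                            # old but safe range
    "SSH-2.0-OpenSSH_4.3p2",                          # pre-4.4p1
    "SSH-2.0-dropbear_2022.83",                       # not OpenSSH
]

if __name__ == "__main__":
    for v in triage(SAMPLE_BANNERS):
        flag = "  (confirm package version)" if v.needs_package_check else ""
        print(f"{v.status:22} {v.banner}{flag}")
    print(summary(triage(SAMPLE_BANNERS)))
```

Treat "vulnerable_regression" with a distro suffix as "verify", not "confirmed": on Debian and Ubuntu, for instance, the fixed package keeps the upstream version in the banner and only the package revision changes, so the final word comes from `dpkg -l openssh-server` (or the equivalent) compared against the vendor advisory.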
Impact
If exploited, this vulnerability could lead to a full system compromise, allowing an attacker to execute arbitrary code with the highest privileges. This would result in a complete system takeover, enabling the installation of malware, data manipulation, and the creation of backdoors for persistent access. It could also facilitate network propagation, allowing attackers to use the compromised system as a foothold to exploit other vulnerable systems within the organisation.
Gaining root access would enable attackers to bypass critical security mechanisms such as firewalls, intrusion detection systems, and logging mechanisms, further obscuring their activities. This could lead to significant data breaches, exposing all data stored on the system, including sensitive or proprietary information that could be stolen or publicly disclosed.
Despite its potential impact, this vulnerability is difficult to exploit because it is a remote race condition: the attacker must repeatedly hit a narrow timing window, and Qualys' proof of concept needed on the order of 10,000 attempts (roughly 6 to 8 hours against the default LoginGraceTime of 120 seconds) on a 32-bit glibc target. Exploitation relies on corrupting heap memory from within the signal handler and also has to defeat Address Space Layout Randomization (ASLR). Advancements in deep learning may nonetheless raise the success rate, potentially giving attackers a substantial advantage in leveraging such flaws.
Mitigation
The following steps should be considered to mitigate potential risks:
- Patch Management: Urgently upgrade to OpenSSH 9.8p1 or apply your distribution's backported fix, and prioritise ongoing update processes. Check the installed package version rather than the banner alone, since vendors backport the fix without changing the upstream version string.
- Temporary Workaround: Where patching is delayed, set "LoginGraceTime 0" in sshd_config and restart sshd. This disables the SIGALRM timeout that triggers the vulnerable handler, but it also lets unauthenticated connections linger indefinitely, so an attacker can exhaust the MaxStartups connection limit and deny service; remove the workaround once patched.
- Enhanced Access Control: Limit SSH access through network-based controls (firewall rules, VPN or bastion hosts, allow-lists) to minimise the attack surface.
- Network Segmentation and Intrusion Detection: Divide networks to restrict unauthorised access and lateral movement within critical environments, and deploy systems to monitor and alert on unusual activity indicative of exploitation attempts. In particular, a burst of "Timeout before authentication" messages from sshd in the system log, especially many per source address, is consistent with the repeated connection attempts this exploit requires.