The vulnerability, tracked as CVE-2024-6387 and called regreSSHion, was discovered by the threat research division of cybersecurity firm Qualys. It is described as being as serious and critical as the 2021 Log4Shell vulnerability.
The company’s researchers found that the OpenSSH server process ‘sshd’ is affected by a signal handler race condition allowing unauthenticated remote code execution with root privileges on glibc-based Linux systems. It’s unclear if exploitation on Windows and macOS systems is possible. Exploitation of the regreSSHion vulnerability could lead to a complete system takeover, allowing the installation of malware and the creation of a backdoor.
OpenSSH is designed to provide a secure channel over an insecure network in a client-server architecture, and is widely used by enterprises for remote server management and secure data communication. According to Qualys, searches using Shodan and Censys found that there are more than 14 million potentially vulnerable OpenSSH instances accessible directly from the network. Customer data from Qualys shows that approximately 700,000 network-exposed systems appear to be vulnerable to attack. The security company said CVE-2024-6387 is a regression of a previously patched vulnerability, CVE-2006-5051. Specifically, with the release of OpenSSH 8.5p1 in October 2020, the vulnerability resurfaced. Qualys pointed out that due to the mechanism introduced in 2001, the OpenBSD system was not affected.
OpenSSH 9.8p1 was recently released and it fixes the vulnerability. Organizations that cannot upgrade immediately can apply the patches that vendors are expected to release soon.
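As an added example (not from the article, Qualys or the OpenSSH project), the following POSIX shell check classifies an sshd version banner against the range the article gives: regression introduced in 8.5p1, fixed in 9.8p1. Distributions backport fixes without changing the upstream version number, so a match here is a prompt to consult the vendor's advisory, not a confirmed finding.

```shell
#!/bin/sh
# Added example: classify an OpenSSH version string against the affected
# range described in the article (introduced in 8.5p1, fixed in 9.8p1).
# Caveat: vendors backport fixes without bumping the upstream version, so
# "in-range" means "check the distribution advisory", not "confirmed vulnerable".

# Extract "major minor" from a banner such as
# "OpenSSH_9.6p1 Ubuntu-3ubuntu13.4, OpenSSL 3.0.13 ..." (prints nothing on no match).
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Exit 0 if the upstream version lies in [8.5, 9.8), 1 if outside it,
# 2 if the banner could not be parsed.
in_regresshion_range() {
    set -- $(openssh_version "$1")
    [ $# -eq 2 ] || return 2
    major=$1; minor=$2
    if [ "$major" -eq 8 ] && [ "$minor" -ge 5 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -lt 8 ]; then return 0; fi
    return 1
}

# Human-readable verdict for one banner string.
classify() {
    rc=0
    in_regresshion_range "$1" || rc=$?
    case $rc in
        0) echo "in-range" ;;
        1) echo "out-of-range" ;;
        *) echo "unparsed" ;;
    esac
}

# Constructed sample banners, used so the script runs offline.
# On a real host, run:  classify "$(ssh -V 2>&1)"   (ssh -V prints to stderr).
for banner in \
    'OpenSSH_9.6p1 Ubuntu-3ubuntu13.4, OpenSSL 3.0.13' \
    'OpenSSH_9.8p1, OpenSSL 3.x' \
    'OpenSSH_8.4p1 Debian-5+deb11u3, OpenSSL 1.1.1w' \
    'Dropbear v2022.83'
do
    printf '%-50s %s\n' "$banner" "$(classify "$banner")"
done
```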
Qualys has shared the technical details of regreSSHion, but has not released proof-of-concept (PoC) code, to prevent abuse. Instead, the company provides several indicators of compromise (IoCs) to help organizations detect potential attacks.