RegreSSHion Vulnerability Exposes Millions of Linux Servers to Remote Code Execution

A newly discovered vulnerability in OpenSSH, named “regreSSHion” and tracked as CVE-2024-6387, poses a serious risk to glibc-based Linux servers, allowing remote attackers to gain root privileges. OpenSSH, a critical suite for secure network operations including remote login and file transfers, has been identified to have a significant flaw stemming from a signal handler race condition in sshd. This vulnerability could potentially allow an attacker to execute arbitrary code with the highest system privileges.

The issue arises when the sshd’s SIGALRM handler, triggered if a client does not authenticate within the default LoginGraceTime of 120 seconds, calls functions that are not async-signal-safe. Exploiting this vulnerability could result in a complete system takeover, installation of malware, data manipulation, and the establishment of persistent backdoors. Qualys, the security firm that discovered the flaw in May 2024, has indicated that while the exploitation of this bug is challenging, it’s not out of reach—especially with the aid of AI tools which could simplify the attack process.

Qualys’s research suggests that versions of OpenSSH from 8.5p1 up to, but not including, 9.8p1 are affected. Interestingly, versions prior to 8.5p1 are secure due to a patch for a different CVE implemented years ago. To safeguard systems against regreSSHion, administrators are urged to update to OpenSSH version 9.8p1 immediately. Additional recommendations include restricting SSH access via firewalls, implementing network segmentation, and setting ‘LoginGraceTime’ to 0—though this latter measure might increase vulnerability to denial-of-service attacks.

Systems based on OpenBSD are not affected due to earlier security enhancements, and the status on macOS and Windows systems remains uncertain at this time. The scope of the threat is significant, with over 14 million internet-exposed OpenSSH servers identified, though only 700,000 have been confirmed as vulnerable according to Qualys’s CSAM 3.0 data.

For more technical details on the exploitation and mitigation strategies concerning the regreSSHion vulnerability, refer to the full analysis at BleepingComputer.