A significant security flaw has been uncovered in the widely-used Open Secure Shell (OpenSSH) server, potentially exposing millions of servers to remote code execution attacks. Researchers from Qualys have identified the vulnerability, dubbed “regreSSHion,” which can allow unauthenticated attackers to gain root access to servers. This article explores the details of this vulnerability, its impact, and the necessary steps to mitigate the risk.
The Discovery of ‘regreSSHion’
Researchers from Qualys have discovered a severe remote code execution vulnerability in the OpenSSH server, tracked as CVE-2024-6387. This flaw, named “regreSSHion,” is a regression of an older flaw (CVE-2006-5051) that was patched 18 years ago. A regression, in this context, refers to a previously fixed flaw reappearing in a subsequent software release due to changes or updates.
According to Qualys, this regression was introduced in October 2020 with the release of OpenSSH 8.5p1. Using internet scanning services like Shodan and Censys, researchers identified over 14 million potentially vulnerable OpenSSH instances exposed to the internet.
Technical Details of the Vulnerability
The root cause of the regreSSHion flaw lies in a race condition within the OpenSSH signal handler. Specifically, the SIGALRM handler in the sshd service calls various sensitive functions, such as syslog(), in an asynchronous manner when a connection attempt fails to authenticate within a designated period known as LoginGraceTime.
An attacker can exploit this vulnerability by opening multiple connections without providing authentication credentials, thereby triggering the OpenSSH signal handler asynchronously. The functions called by the handler are not safe to be invoked asynchronously, which can leave the process’s memory heap in an inconsistent state.
Historical Context and Exploitation
When initially reported in 2006, this issue was described as a race condition that could lead to a denial-of-service (process crash) with the potential for arbitrary code execution. However, exploiting the flaw required winning the race condition, which was a difficult task. Despite the introduction of memory security technologies like Address Space Layout Randomization (ASLR) since 2006, Qualys researchers have demonstrated that remote code execution is still possible, albeit more challenging.
The researchers successfully exploited the flaw on Linux systems using the glibc C library, particularly on 32-bit versions where ASLR is weaker. They found that exploiting the vulnerability on 64-bit systems is possible but more difficult due to stronger ASLR.
Demonstrated Exploit and Impact
Qualys researchers demonstrated the exploit against OpenSSH 9.2p1 on Debian Linux i386. They required approximately 10,000 attempts to win the race condition and exploit the flaw, which took between 3-4 hours with 100 concurrent connections and a default LoginGraceTime of 120 seconds. However, due to ASLR, the glibc address can only be correctly guessed half of the time, increasing the time needed to achieve remote code execution with a root shell to 6-8 hours.
OpenSSH deployments on OpenBSD are not vulnerable to this flaw because its signal handler calls syslog_r(), a version of syslog() developed by OpenBSD in 2001 that is safe for asynchronous calls.
Mitigation and Recommendations
To mitigate the risk posed by the regreSSHion vulnerability, it is highly recommended to upgrade OpenSSH to a patched version as soon as it becomes available in the package repositories of Linux distributions. If a patched package is not immediately available, an alternative mitigation is to set the LoginGraceTime parameter to 0 in the sshd configuration file. This change reduces the window of opportunity for an attacker to exploit the race condition.
Additionally, the large number of connections needed to exploit this vulnerability can be detected and blocked using network monitoring tools and firewalls. Although the flaw’s exploitation is challenging, it is critical to address it promptly due to its severe potential impact.
Conclusion
The OpenSSH regreSSHion vulnerability, CVE-2024-6387, poses a significant risk to millions of servers worldwide. Despite the difficulty in exploiting the flaw, the potential for remote code execution and server takeover underscores the importance of swift mitigation. Administrators should prioritize updating OpenSSH to a patched version and consider interim measures to protect their systems from this serious threat.
More Updates: Tech News
