RegreSSHion Vulnerability - CVE-2024-6387

Qualys has revealed details of a vulnerability its Threat Research Unit (TRU) discovered in the OpenSSH server (sshd) that can lead to remote, unauthenticated code execution as root. They dubbed it "regreSSHion", a play on "SSH" and "regression".

The vulnerability, tracked as CVE-2024-6387, affects sshd on glibc-based Linux systems, and it does so in sshd's default configuration.

The root cause is a signal handler race condition. If a client has not authenticated within LoginGraceTime (120 seconds by default), sshd's SIGALRM handler fires asynchronously and calls functions such as syslog() that are not async-signal-safe; glibc's syslog() in turn calls malloc() and free(), so if the alarm interrupts the main code while it is inside the heap allocator, the heap can be left in an attacker-controllable state. Qualys demonstrated exploitation against 32-bit Linux/glibc with ASLR, needing on average 6 to 8 hours of continuous connection attempts up to the server's connection limit; exploitation on 64-bit systems is believed to be possible but had not been demonstrated at the time of publication.

Qualys noted in their research:

“This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization.”

The flaw is a regression, that is, the reappearance of a previously fixed bug in a later release. The original bug, CVE-2006-5051, was a signal handler race condition in OpenSSH before 4.4, and its 2006 fix guarded the logging call in the SIGALRM handler (sigdie()) so that it was skipped on platforms without an async-signal-safe syslog. An October 2020 refactor of sshd's logging code accidentally removed that guard, and the regression first shipped in OpenSSH 8.5p1 (released March 2021). Portable OpenSSH 8.5p1 through 9.7p1 inclusive are affected, as are builds older than 4.4p1 that were never patched for CVE-2006-5051; 4.4p1 through 8.4p1 are not affected. OpenSSH 9.8p1, released on 1 July 2024 alongside the advisory, contains the fix. OpenBSD's own sshd was never vulnerable because OpenBSD's syslog_r() is async-signal-safe.


Because this is remote, unauthenticated code execution as root, the primary fix is to upgrade sshd to OpenSSH 9.8p1 or to a distribution package that backports the fix (check the package changelog, since distribution builds keep the upstream version number in the banner). Where patching is not immediately possible, Qualys's workaround is to set LoginGraceTime 0 in sshd_config and restart sshd: with no timeout the SIGALRM handler is never invoked, which removes the code execution path, at the cost of exposing sshd to denial of service through exhaustion of its MaxStartups connection slots. It is also advisable to restrict SSH access with network-based controls and enforce network segmentation to limit unauthorized access and lateral movement.
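The two questions a practitioner asks across a fleet after reading the above are "is this sshd version in an affected range?" and "is the LoginGraceTime 0 workaround actually in effect?". The following is an added example, not code from Qualys or the OpenSSH project; the version ranges are those stated in the OpenSSH 9.8 release notes and the Qualys advisory, the banners and config snippets are constructed for illustration, and the function names are this example's own. The banner check is a version-range test only: distributions backport fixes without changing the upstream version, so a hit means "verify the package changelog", not "exploitable". The config check reproduces the sshd_config rule that the first occurrence of a keyword wins, which is why appending LoginGraceTime 0 to the end of a file that already sets it does nothing.

```python
"""Triage helpers for CVE-2024-6387 (regreSSHion).  Added example, not project code.
Version ranges follow the OpenSSH 9.8 release notes / Qualys advisory."""
import re

# Portable OpenSSH ranges the advisory lists as affected.
REGRESSION_FIRST = (8, 5, 1)     # 8.5p1: first release carrying the regression
REGRESSION_LAST = (9, 7, 1)      # 9.7p1: last affected release; 9.8p1 is fixed
CVE_2006_5051_FIXED = (4, 4, 1)  # builds older than 4.4p1 never had the 2006 fix

# "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2": major.minor[.micro] and optional pN.
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(?:p(\d+))?")


def parse_banner(banner):
    """Return (major, minor, portable_release) or None for a non-OpenSSH banner.
    portable_release is None for OpenBSD-native builds, which carry no 'pN'."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    major, minor, portable = m.groups()
    return int(major), int(minor), (int(portable) if portable else None)


def classify_banner(banner):
    """Classify a banner against the advisory's version ranges (range check only)."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "not-openssh"
    major, minor, portable = parsed
    if portable is None:
        # OpenBSD's sshd was never affected: its syslog_r() is async-signal-safe.
        return "openbsd-native"
    version = (major, minor, portable)
    if version < CVE_2006_5051_FIXED or REGRESSION_FIRST <= version <= REGRESSION_LAST:
        return "in-vulnerable-range"
    return "outside-vulnerable-range"


TIME_RE = re.compile(r"(\d+)([smhdw]?)")
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_sshd_time(value):
    """Parse sshd's time format ('120', '2m', '1h30m') into seconds."""
    if not re.fullmatch(r"(\d+[smhdw]?)+", value):
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in TIME_RE.findall(value))


def effective_login_grace_time(sshd_config):
    """Return the LoginGraceTime sshd would actually use, in seconds.

    sshd keeps the first value it sees for a keyword, so a later
    'LoginGraceTime 0' is ignored if an earlier line already set it.  Scanning
    stops at the first Match block because LoginGraceTime is not a valid
    Match-block keyword.  The compiled-in default is 120 seconds."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key val' or 'Key=val'
        keyword = parts[0].lower()                     # keywords are case-insensitive
        if keyword == "match":
            break
        if keyword == "logingracetime" and len(parts) == 2:
            return parse_sshd_time(parts[1].strip())
    return 120


def workaround_in_effect(sshd_config):
    """True only if the timeout is disabled, which removes the SIGALRM path."""
    return effective_login_grace_time(sshd_config) == 0


if __name__ == "__main__":
    # Constructed banners and config snippets, not captured from real hosts.
    for banner in (
        "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2",
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
        "SSH-2.0-OpenSSH_9.7",
        "SSH-2.0-dropbear_2022.83",
    ):
        print(f"{banner:45} -> {classify_banner(banner)}")
    config = "LoginGraceTime 2m\n# appended later, ignored by sshd:\nLoginGraceTime 0\n"
    print("effective LoginGraceTime:", effective_login_grace_time(config), "s")
    print("workaround in effect:", workaround_in_effect(config))
```

Feed classify_banner() the first line a scanner or `nc host 22` returns, and effective_login_grace_time() the output of `sshd -T` or the raw sshd_config; a host reporting "in-vulnerable-range" with the workaround not in effect is the one to patch first.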

More details can be found via the Qualys blog.
