
Vulnerability in OpenSSH Allows Complete System Takeover

A critical vulnerability in OpenSSH has put over 14 million instances at risk of remote unauthenticated code execution, according to a new analysis by Qualys. The flaw, tracked as CVE-2024-6387, could allow attackers to take over systems, install malware, manipulate data, create backdoors, and propagate across networks using compromised systems as a foothold.

Security researchers have emphasized that exploiting this vulnerability could lead to full system compromise, giving threat actors the ability to execute arbitrary code with the highest privileges. This could allow them to bypass vital security mechanisms like firewalls, intrusion detection systems, and logging mechanisms, making it easier for attackers to conceal their activities.

Dubbed “regreSSHion,” this vulnerability is particularly severe for enterprises that rely heavily on OpenSSH for remote server management. OpenSSH is a popular tool for remote sign-ins that uses the Secure Shell (SSH) protocol to enable secure communication over unsecured networks. The vulnerability impacts glibc-based Linux systems; OpenBSD systems remain unaffected due to secure mechanisms implemented back in 2001.

Qualys researchers have identified over 14 million potentially vulnerable OpenSSH server instances exposed to the internet, with approximately 700,000 instances vulnerable across their global customer base. The vulnerability is a regression of a previously patched flaw, CVE-2006-5051, reported in 2006. Regressions occur when a fixed flaw reappears in a subsequent software release due to changes or updates unintentionally reintroducing the issue.

Exploiting the vulnerability is difficult: a successful attack requires multiple attempts and must overcome Address Space Layout Randomization (ASLR). Even so, advancements in deep learning could significantly increase the exploitation rate, giving attackers a substantial advantage in leveraging vulnerabilities like CVE-2024-6387.

To prevent exploitation, organizations are advised to patch OpenSSH versions vulnerable to this flaw, specifically versions earlier than 4.4p1 unless patched for CVE-2006-5051 and CVE-2008-4109. Versions from 4.4p1 up to 8.5p1, excluding 9.8p1, are not vulnerable due to transformative patches for CVE-2006-5051. Implementing network-based controls to limit SSH access, segmenting networks, and deploying monitoring systems to detect exploitation attempts are crucial steps to mitigate the risk of attack via this vulnerability.
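A version triage for the ranges in the paragraph above, as an added example (not code from Qualys or the OpenSSH project). The 8.5p1-to-before-9.8p1 affected range comes from the Qualys advisory and is an assumption here; the sample strings are constructed, and treating trailing text after the version as a vendor build is a heuristic.

```python
import re

# Upstream boundaries. 4.4p1 and 9.8p1 appear in the article; that the
# regression spans 8.5p1 up to (not including) 9.8p1 is taken from the
# Qualys advisory and is an assumption in this example.
FIXED_2006 = (4, 4)   # 4.4p1: patch for CVE-2006-5051
REGRESSED = (8, 5)    # 8.5p1: regression introduced
FIXED_2024 = (9, 8)   # 9.8p1: fix for CVE-2024-6387

_VERSION = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(?:p\d+)?([^,\r\n]*)")


def classify(line: str) -> dict:
    """Triage an `ssh -V` line or SSH identification string by upstream version."""
    m = _VERSION.search(line)
    if not m:
        return {"version": None, "status": "unknown", "vendor_build": False}
    version = (int(m.group(1)), int(m.group(2)))
    # Heuristic: text after the version (a distro tag) suggests a vendor build,
    # which can carry a backported fix under an unchanged upstream version.
    vendor_build = bool(m.group(3).strip())
    if version < FIXED_2006:
        status = "affected-unless-patched"  # CVE-2006-5051 / CVE-2008-4109 patches needed
    elif version < REGRESSED:
        status = "not-affected"
    elif version < FIXED_2024:
        status = "affected-range"
    else:
        status = "fixed"
    return {"version": version, "status": status, "vendor_build": vendor_build}


if __name__ == "__main__":
    # Constructed sample inputs, not captured from real hosts.
    samples = [
        "SSH-2.0-OpenSSH_4.3p2",
        "SSH-2.0-OpenSSH_7.4",
        "SSH-2.0-OpenSSH_8.9p1 ExampleDistro-1",
        "OpenSSH_9.8p1, OpenSSL 3.3.1 4 Jun 2024",
    ]
    for s in samples:
        r = classify(s)
        note = " (vendor build: confirm package revision with the vendor advisory)" \
            if r["vendor_build"] and r["status"] == "affected-range" else ""
        print(f"{s!r}: {r['status']}{note}")
```

The banner version alone cannot confirm exposure: a vendor build in the affected range may already be patched, so confirm the installed package revision against the distribution's advisory.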
