DomCyber Balkan

Millions of servers at risk due to critical OpenSSH vulnerability


Qualys has disclosed a critical vulnerability in OpenSSH and warned that it puts over 14 million internet-exposed server instances at potential risk. The vulnerability, tracked as CVE-2024-6387, was detailed in a blog post by Bharat Jogi, senior director of Qualys' Threat Research Unit. It is an unauthenticated remote code execution flaw in OpenSSH's server (sshd) on glibc-based Linux systems that yields root privileges, and it is a regression of a previously patched vulnerability, CVE-2006-5051.

OpenSSH is widely used to encrypt and secure remote access and communication, which makes it an attractive target for attackers. Qualys describes OpenSSH as a critical tool for secure communication whose broad deployment turns any flaw in it into a significant security concern. Through Censys and Shodan searches, Qualys found more than 14 million internet-exposed OpenSSH server instances that are potentially vulnerable to CVE-2024-6387, which it has dubbed "regreSSHion".

Anonymized data from Qualys' CSAM 3.0 with External Attack Surface Management shows approximately 700,000 external internet-facing instances that are vulnerable, which is 31% of all internet-facing OpenSSH instances in Qualys' global customer base. Qualys also noted that more than 0.14% of those vulnerable internet-facing instances run an end-of-life version of OpenSSH that will not receive the fix, which further underlines the importance of patching or upgrading.

The impact of exploitation could be severe: full system compromise as root, letting attackers install malware, manipulate data and create backdoors for persistent access to the victim's environment. Root access also allows an attacker to bypass critical security mechanisms such as firewalls, intrusion detection systems and logging, potentially resulting in data breaches and leakage of sensitive information.

Despite its severity, Qualys notes that the vulnerability is difficult to exploit. It is a signal handler race condition: when a client fails to authenticate within LoginGraceTime (120 seconds by default), sshd's SIGALRM handler runs functions such as syslog() that are not async-signal-safe, and winning the race reliably requires many connection attempts. Jogi also commended OpenSSH's strong track record in software security, pointing out that the bug is a regression, introduced by an October 2020 change that shipped in OpenSSH 8.5p1, which thorough regression testing should have caught.

Qualys urgently advises enterprises to patch their systems to mitigate the risk posed by CVE-2024-6387. The fix is included in the latest OpenSSH release, version 9.8p1, and users are encouraged to upgrade to it or apply the corresponding fix to older versions; the release notes describe the flaw as a critical race condition in sshd. Affected upstream versions are those earlier than 4.4p1 (unless already patched for CVE-2006-5051 and CVE-2008-4109) and 8.5p1 up to but not including 9.8p1; versions 4.4p1 through 8.4p1 are not affected, and OpenBSD is not affected because its syslog() implementation is async-signal-safe. Linux distributions have backported the fix into their own package versions, so a distribution's OpenSSH version string must be checked against the vendor advisory rather than against the upstream numbers alone. Where patching is not immediately possible, Qualys notes that setting LoginGraceTime to 0 in sshd_config prevents the race from being triggered, at the cost of exposing sshd to denial of service through connection exhaustion.
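The following is an added triage helper, not code from Qualys or the OpenSSH project. It parses the OpenSSH version out of an SSH banner (the string a server sends on connect, or the output of `ssh -V`) and checks it against the upstream affected ranges given above. The banner strings below are constructed samples. The result is a version-based verdict only: a distribution build such as 8.9p1 with a vendor backport is reported as "vulnerable-by-version" and must be reconciled with the vendor advisory, and a banner without a portable "p" suffix is treated as OpenBSD's native OpenSSH, which is not affected.

```python
import re
from typing import Optional, Tuple

# Upstream affected ranges (portable OpenSSH), from the Qualys advisory and
# the OpenSSH 9.8 release notes. Versions compare as (major, minor, patchlevel).
ORIGINAL_FIX = (4, 4, 1)   # CVE-2006-5051 fixed in 4.4p1
REGRESSED_IN = (8, 5, 1)   # the 2020 change that reintroduced the bug shipped in 8.5p1
FIXED_IN = (9, 8, 1)       # CVE-2024-6387 fixed in 9.8p1

# Matches "OpenSSH_8.9p1", "OpenSSH_9.8" (OpenBSD native, no p suffix), etc.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, Optional[int]]]:
    """Return (major, minor, patchlevel) from a banner, or None if not OpenSSH.

    patchlevel is None when the banner has no "pN" suffix, which on a real
    banner means OpenBSD's native (non-portable) build.
    """
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, p = m.groups()
    return (int(major), int(minor), int(p) if p is not None else None)


def is_vulnerable_upstream(version: Tuple[int, int, int]) -> bool:
    """True if a portable OpenSSH version falls in an affected range."""
    if version < ORIGINAL_FIX:
        return True
    return REGRESSED_IN <= version < FIXED_IN


def classify_banner(banner: str) -> str:
    """Classify a banner as not-openssh, not-affected or vulnerable-by-version.

    "vulnerable-by-version" is a triage flag, not proof: distribution packages
    that backported the fix keep an old upstream number (e.g. 8.9p1 on Ubuntu).
    """
    parsed = parse_openssh_version(banner)
    if parsed is None:
        return "not-openssh"
    major, minor, patchlevel = parsed
    if patchlevel is None:
        # No portable suffix: assume OpenBSD native build, whose syslog() is
        # async-signal-safe, so the race is not exploitable there.
        return "not-affected"
    if is_vulnerable_upstream((major, minor, patchlevel)):
        return "vulnerable-by-version"
    return "not-affected"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for banner in (
        "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
        "SSH-2.0-OpenSSH_4.3p2",
        "SSH-2.0-OpenSSH_9.8",
        "SSH-2.0-dropbear_2022.83",
    ):
        print(f"{banner:45} -> {classify_banner(banner)}")
```

In practice the banner is read from the first line the server sends after a TCP connect on port 22, so this check can be run against an inventory without authenticating. Anything reported as "vulnerable-by-version" still needs the package changelog or vendor advisory consulted before it is counted as exposed.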

Qualys has demonstrated exploitation on 32-bit Linux/glibc systems with ASLR enabled, where a successful attack needed on average roughly 10,000 attempts, or about 6 to 8 hours with the default LoginGraceTime of 120 seconds and MaxStartups of 10. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated; the larger address space makes guessing the addresses the exploit depends on considerably harder.

Overall, the discovery of this OpenSSH vulnerability is a reminder of the importance of thorough regression testing in preventing known vulnerabilities from being reintroduced. Enterprises are encouraged to apply the patch promptly, restrict network access to sshd where possible, and monitor their systems for exploitation attempts: because the attack relies on letting the login grace period expire repeatedly, a large volume of "Timeout before authentication" entries in sshd's log from a single source is the characteristic signal.
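As an added example (not code from Qualys or the OpenSSH project), the detection logic below runs over sshd syslog lines and reports source addresses that produced an unusual number of "Timeout before authentication" events, together with the time span they cover. The log lines are constructed samples in standard syslog format; the threshold is lowered to 5 for the sample, whereas a real exploit attempt produces thousands of such events over hours.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, Iterator, Tuple

# sshd logs this line when a client exhausts LoginGraceTime without
# authenticating; the regreSSHion attack triggers it on every attempt.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Timeout before authentication for (?P<ip>\S+) port \d+"
)

# Constructed sample log, not captured from a real host.
SAMPLE_LOG = """\
Jul  2 10:00:01 bastion sshd[4311]: Timeout before authentication for 198.51.100.7 port 40001
Jul  2 10:00:03 bastion sshd[4313]: Accepted publickey for alice from 203.0.113.5 port 51022 ssh2
Jul  2 10:02:04 bastion sshd[4320]: Timeout before authentication for 198.51.100.7 port 40002
Jul  2 10:03:10 bastion sshd[4325]: Timeout before authentication for 203.0.113.9 port 38420
Jul  2 10:04:02 bastion sshd[4331]: Timeout before authentication for 198.51.100.7 port 40003
Jul  2 10:06:05 bastion sshd[4340]: Timeout before authentication for 198.51.100.7 port 40004
Jul  2 10:07:30 bastion sshd[4342]: Disconnected from authenticating user root 203.0.113.9 port 38421 [preauth]
Jul  2 10:08:03 bastion sshd[4350]: Timeout before authentication for 198.51.100.7 port 40005
Jul  2 10:10:01 bastion sshd[4361]: Timeout before authentication for 198.51.100.7 port 40006
"""


def parse_timeouts(lines: Iterable[str]) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, source_ip) for each grace-timeout line, skipping others."""
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if not m:
            continue
        # Syslog pads single-digit days with a space ("Jul  2"); collapse it
        # before parsing. Year is absent, so timestamps all land in 1900,
        # which is fine for computing differences within one file.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        yield ts, m["ip"]


def suspicious_sources(lines: Iterable[str], threshold: int = 100) -> Dict[str, Tuple[int, int]]:
    """Return {ip: (timeout_count, seconds_from_first_to_last)} for sources
    with at least `threshold` grace timeouts.

    A handful of timeouts per source is normal scanner noise; the exploit
    needs on the order of 10,000 attempts, so a sustained stream from one
    address is what to alert on.
    """
    stamps_by_ip = defaultdict(list)
    for ts, ip in parse_timeouts(lines):
        stamps_by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        if len(stamps) >= threshold:
            span = int((max(stamps) - min(stamps)).total_seconds())
            flagged[ip] = (len(stamps), span)
    return flagged


if __name__ == "__main__":
    for ip, (count, span) in suspicious_sources(SAMPLE_LOG.splitlines(), threshold=5).items():
        print(f"{ip}: {count} grace timeouts over {span} s")
```

The span matters as much as the count: with LoginGraceTime at 120 seconds and MaxStartups at 10, an attacker can only turn over a limited number of connections per minute, so a source that keeps timing out for hours is far more telling than a short burst. On systems with journald, the same lines come from `journalctl -u ssh` (or `sshd`) in this syslog-style format.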
