
“RegreSSHion” Bug Puts Millions of Linux Systems at Risk of Takeover


The OpenSSH secure communications suite has been found to have an unauthenticated remote code execution (RCE) vulnerability, putting millions of Linux-based systems at risk of being taken over by attackers with root access. The bug, dubbed “RegreSSHion” by researchers at the Qualys Threat Research Unit (TRU), has a CVSS score of 8.1 and specifically affects glibc-based Linux systems running the sshd server in its default configuration. While it may also exist in Mac and Windows environments, exploitability on those platforms has not yet been confirmed.

If this vulnerability is exploited, attackers could achieve full system compromise and execute arbitrary code with the highest privileges. This could result in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. The implications of such an attack are grave, as it could facilitate network propagation and enable attackers to bypass critical security mechanisms such as firewalls and intrusion detection systems.

According to the researchers at Qualys, more than 14 million potentially vulnerable OpenSSH server instances are exposed to the Internet, highlighting the widespread impact of this vulnerability. This issue has been named “RegreSSHion” because it is a reappearance of a flaw that was previously fixed in 2006 (CVE-2006-5051). The reintroduction of this vulnerability underscores the need for thorough regression testing and fully automated test suites to prevent similar regressions, particularly for security fixes.

The complexity of this vulnerability makes it challenging to exploit, but also difficult to fully remediate. Mitigating the risk effectively requires a focused and layered security approach. Unlike attacks such as Log4Shell, which can be delivered in a single unauthenticated HTTP request, exploiting this vulnerability is more time-consuming and requires approximately 10,000 attempts on average to succeed.

The solution to this issue involves a major update that may be difficult to backport. Users have two options for addressing the vulnerability: upgrading to the latest version released on July 1st (9.8p1) or applying a fix to older versions as outlined in the advisory. Various Linux distros and vendor implementations are expected to release patches shortly to address this vulnerability.

In the meantime, administrators can take measures to limit SSH access through network-based controls, implement network segmentation to prevent further damage in case of a compromise, monitor logs for indicators of compromise (IoCs) provided by TRU, and deploy comprehensive intrusion detection capabilities to enhance overall security posture. The discovery of this vulnerability serves as a reminder of the importance of robust security practices and continuous vulnerability management to protect against emerging threats in the ever-evolving cybersecurity landscape.
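As a starting point for the upgrade-or-patch decision described above, the following added example (not code from Qualys or the OpenSSH project) triages an inventory of SSH banners or `ssh -V` strings against the fixed upstream release 9.8p1. The hostnames, banners and function names are constructed for illustration; a version older than 9.8p1 is only marked for review, because vendor packages may carry a backported fix that the version string does not show.

```python
import re

# Fixed upstream release named in the article: 9.8p1 -> (major, minor, patch, portable)
FIXED = (9, 8, 0, 1)

# Matches "OpenSSH_9.6p1", "OpenSSH_6.6.1p1" and bare "OpenSSH_9.9"
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_openssh_version(text):
    """Return (major, minor, patch, portable) from a banner or `ssh -V` line, or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def triage(text):
    """Classify one version string against the fixed upstream release."""
    version = parse_openssh_version(text)
    if version is None:
        return "unknown"          # not OpenSSH, or banner hidden/rewritten
    if version >= FIXED:
        return "at-or-above-fixed"
    return "review"               # older than 9.8p1: confirm vendor patch status


def hosts_needing_attention(inventory):
    """Return sorted hostnames whose status is 'review' or 'unknown'."""
    return sorted(h for h, banner in inventory.items()
                  if triage(banner) != "at-or-above-fixed")


# Constructed sample inventory (hostnames and banners are made up for illustration).
SAMPLE_INVENTORY = {
    "bastion.example.internal": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "build01.example.internal": "OpenSSH_9.8p1, OpenSSL 3.0.13 30 Jan 2024",
    "legacy.example.internal": "SSH-2.0-OpenSSH_6.6.1p1",
    "appliance.example.internal": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE_INVENTORY.items()):
        print(f"{host:30} {triage(banner):18} {banner}")
```

Hosts returned by `hosts_needing_attention` are candidates for the network-based access restrictions mentioned above until their package changelog or vendor advisory confirms the fix.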
