18-Year-Old Vulnerability Haunts OpenSSH

OpenSSH developers have fixed a critical vulnerability that can lead to unauthenticated remote code execution as root on glibc-based Linux systems. The flaw, discovered by Qualys and tracked as CVE-2024-6387, is a signal handler race condition in the OpenSSH server component, sshd, the daemon that listens for incoming connections from SSH clients.

OpenSSH is a suite of tools that provides secure remote access over the SSH protocol. It ships with practically every glibc-based Linux distribution, which is the configuration in which Qualys confirmed the bug exploitable. Alpine Linux uses musl libc rather than glibc and, like other non-glibc libc implementations, was not investigated by Qualys. OpenBSD is not affected (see below). It is currently unclear to Qualys whether macOS or Windows are impacted.

Qualys identified at least 14 million potentially vulnerable OpenSSH server instances exposed to the Internet. The vulnerability, dubbed "regreSSHion", is a regression of a vulnerability fixed 18 years earlier (CVE-2006-5051, CVSS 8.1): the old fix was accidentally removed in October 2020, and the regression first shipped in OpenSSH 8.5p1.

Qualys demonstrated exploitation on 32-bit Linux/glibc systems with address space layout randomization (ASLR) enabled. In their lab setup, winning the race took about 6 to 8 hours on average of continuous connection attempts at the maximum rate the server accepts (the MaxStartups limit). Qualys believes 64-bit exploitation is possible but has not demonstrated it. No exploitation of regreSSHion in the wild had been reported at the time of writing.

Qualys explains that if a client has not authenticated within LoginGraceTime seconds (120 by default), sshd's SIGALRM handler runs asynchronously, and that handler calls functions such as syslog() that are not async-signal-safe. syslog() may in turn call malloc() and free(); if the alarm fires while the interrupted code is in the middle of a heap operation, the handler re-enters the allocator in an inconsistent state. The handler runs in sshd's privileged, unsandboxed code path, so a successful race is a root-level memory corruption.

Successful exploitation gives an unauthenticated attacker arbitrary code execution as root, a complete compromise of the host from which they can disable security controls, access data, and establish persistent access.

Affected versions are OpenSSH 8.5p1 through 9.7p1 inclusive; the fix shipped in 9.8p1. Versions earlier than 4.4p1 are also vulnerable to the race unless they were patched for CVE-2006-5051 and CVE-2008-4109, while 4.4p1 through 8.4p1 are not affected. OpenBSD is not vulnerable because its SIGALRM handler calls syslog_r(), an async-signal-safe variant of syslog(). Where patching cannot happen immediately, setting LoginGraceTime 0 in sshd_config removes the remote code execution risk at the cost of exposing sshd to connection-exhaustion denial of service via the MaxStartups limit; note also that several distributions backported the fix without changing the upstream version number, so a version string alone is not conclusive.
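A first-pass triage of the version ranges above, as an added example (written for this page, not Qualys's or OpenSSH's code). It classifies the banner line a scanner reads when it connects to port 22, for example "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13". The enum names, the helper functions, and the sample banners are all assumptions of the demo, and the banners are constructed, not captured. Native OpenBSD sshd reports its version without the portable "pN" suffix, which the classifier uses to apply the OpenBSD exception; a distribution that backported the fix will still be reported as VULNERABLE here, so that verdict means "confirm against the vendor advisory", not "exploitable".

```c
// Added illustrative example (not OpenSSH or Qualys code): classify an SSH
// server banner against the CVE-2024-6387 affected ranges.
#include <stdio.h>
#include <string.h>

enum regresshion_status {
    STATUS_UNKNOWN = 0,           /* not an OpenSSH banner or unparseable */
    STATUS_LEGACY_CHECK_PATCHES,  /* < 4.4p1: vulnerable unless patched for
                                     CVE-2006-5051 and CVE-2008-4109 */
    STATUS_NOT_AFFECTED,          /* 4.4p1 .. 8.4p1 */
    STATUS_VULNERABLE,            /* 8.5p1 .. 9.7p1 (confirm against vendor backports) */
    STATUS_FIXED,                 /* >= 9.8p1 */
    STATUS_OPENBSD_NATIVE         /* no "pN" suffix: OpenBSD's own sshd, not affected */
};

/* Extract major/minor from "...OpenSSH_9.6p1 ..." and whether the portable
 * "pN" suffix is present. Returns 1 on success, 0 if not an OpenSSH banner. */
static int parse_openssh_version(const char *banner, int *major, int *minor,
                                 int *portable)
{
    const char *p = strstr(banner, "OpenSSH_");
    int consumed = 0;

    if (p == NULL)
        return 0;
    p += strlen("OpenSSH_");
    if (sscanf(p, "%d.%d%n", major, minor, &consumed) != 2)
        return 0;
    if (*major < 0 || *minor < 0)
        return 0;
    *portable = (p[consumed] == 'p');
    return 1;
}

enum regresshion_status classify_banner(const char *banner)
{
    int major, minor, portable, v;

    if (!parse_openssh_version(banner, &major, &minor, &portable))
        return STATUS_UNKNOWN;
    if (!portable)
        return STATUS_OPENBSD_NATIVE;   /* relies on an unaltered banner */
    v = major * 100 + minor;            /* 9.6 -> 906, so ranges compare as integers */
    if (v < 404)
        return STATUS_LEGACY_CHECK_PATCHES;
    if (v < 805)
        return STATUS_NOT_AFFECTED;
    if (v < 908)
        return STATUS_VULNERABLE;
    return STATUS_FIXED;
}

const char *status_name(enum regresshion_status s)
{
    switch (s) {
    case STATUS_LEGACY_CHECK_PATCHES: return "LEGACY_CHECK_PATCHES";
    case STATUS_NOT_AFFECTED:         return "NOT_AFFECTED";
    case STATUS_VULNERABLE:           return "VULNERABLE";
    case STATUS_FIXED:                return "FIXED";
    case STATUS_OPENBSD_NATIVE:       return "OPENBSD_NATIVE";
    default:                          return "UNKNOWN";
    }
}

int main(void)
{
    /* Constructed sample banners for the demo, not captured from real hosts. */
    const char *samples[] = {
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
        "SSH-2.0-OpenSSH_4.3p2 Debian-9etch3",
        "SSH-2.0-OpenSSH_9.7",
        "SSH-2.0-dropbear_2022.83",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s %s\n", samples[i], status_name(classify_banner(samples[i])));
    return 0;
}
```

For hosts you administer, the authoritative checks are the package version against the distribution's advisory and the effective configuration from `sshd -T | grep -i logingracetime`, since the banner does not carry the distribution patch level.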
