Patch, but don’t be scared! OpenSSH bug is back from the dead

A vulnerability from 2006 has come back to life to haunt installations of the widely-used secure shell.

Researchers have discovered a vulnerability that allows unauthenticated Remote Code Execution (RCE) in OpenSSH. The vulnerability, dubbed RegreSSHion, affects Linux systems that rely on the GNU C Library (glibc), which provides the basic functions that programs need to perform tasks like reading files, displaying text, and managing memory. Essentially, it’s the backbone that helps software request services from the operating system (OS).

OpenSSH is a set of tools used to securely access and manage remote computers over a network using the secure shell (SSH) protocol. It’s commonly used for secure remote logins, file transfers, and tunneling.

Affected organizations should upgrade to the latest version of OpenSSH, while prioritizing Internet-facing servers. The following versions are impacted by this vulnerability:

  • OpenSSH versions earlier than 4.4p1
  • OpenSSH versions between 8.5p1 and 9.8p1

The odd-looking gap between 4.4p1 and 8.5p1 exists because this vulnerability is a skeleton in the closet, and an old one at that. It is a regression of a once-fixed flaw, tracked as CVE-2006-5051, which was fixed in version 4.4p1 and then reintroduced in October 2020 with OpenSSH version 8.5p1.

A patch, OpenSSH 9.8/9.8p1, is available, and many (but not all) Linux distributions already ship it. If you can get it, install it as soon as possible.

Certain Linux distributions have published advisories specifying that some of their releases are not affected by this vulnerability. Most of these are older versions that never got the vulnerable versions of OpenSSH as official package releases.

As far as we know, on July 3, 2024, the following distro versions are unaffected:

  • Debian – All versions up to and including Debian 11.x (Bullseye)
  • Red Hat (including Rocky, Alma, Oracle) – All versions up to and including Red Hat Enterprise Linux 8
  • Ubuntu – All versions up to and including 20.04

However, Ubuntu patches are available for the following versions:

  • 22.04 (Jammy) – fixed version: 1:8.9p1-3ubuntu0.10
  • 23.10 (Mantic) – fixed version: 1:9.3p1-1ubuntu3.6
  • 24.04 (Noble) – fixed version: 1:9.6p1-3ubuntu13.3

The vulnerability, listed as CVE-2024-6387, is due to a race condition that can lead sshd, the SSH daemon, to handle a signal in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by deliberately failing to authenticate within the allowed time period (the LoginGraceTime, which is 120 seconds by default).

A race condition describes the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended. Sometimes these bugs can be exploited when the outcome is predictable and works to the attackers’ advantage.

Because exploitation requires a large number of connection attempts, that volume of traffic should not be hard to detect and block. Successful exploitation is also hindered by the fact that attackers need to tailor their attempts to the exact Linux build they are targeting, so they have to identify it first.

Despite all that, one successful attempt can have severe consequences, and proof-of-concept (PoC) code is readily available. So, find out whether you are using a vulnerable version and get it patched. Needless to say, you don’t want some cybercriminal to remotely execute code on your Linux server without authentication.

Alternatively, if sshd can’t be updated or recompiled, you can set LoginGraceTime to 0 in the sshd_config file. This exposes sshd to a denial of service, because connections that never authenticate are no longer timed out, but it removes the remote code execution risk.
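As an added example (not code from the original article), here are the two defender-side checks the text points at: counting pre-authentication timeouts per source in the auth log, which is the connection volume an exploit attempt would produce, and reading the LoginGraceTime sshd will actually apply from sshd_config to confirm the workaround. The log lines and config fragment are constructed; the "Timeout before authentication" message text and the sshd_config time-value syntax are assumed to match sshd's own.

```python
"""Defender checks for CVE-2024-6387: LoginGraceTime expiries per source, and the effective LoginGraceTime."""
import re

# Constructed sample auth.log lines. "Timeout before authentication" is the
# message sshd logs when a client fails to authenticate within LoginGraceTime.
SAMPLE_AUTH_LOG = """\
Jul  3 10:00:01 host sshd[1001]: Timeout before authentication for 198.51.100.7 port 40001
Jul  3 10:00:03 host sshd[1002]: Timeout before authentication for 198.51.100.7 port 40002
Jul  3 10:00:04 host sshd[1003]: Accepted publickey for alice from 203.0.113.9 port 51000 ssh2
Jul  3 10:00:05 host sshd[1004]: Timeout before authentication for 198.51.100.7 port 40003
Jul  3 10:00:07 host sshd[1005]: Timeout before authentication for 203.0.113.9 port 51001
"""
# Constructed sshd_config fragment: a commented-out default, the workaround
# from the article, and a duplicate that sshd ignores (first keyword wins).
SAMPLE_SSHD_CONFIG = """\
# LoginGraceTime 2m
Port 22
LoginGraceTime 0
loginGraceTime 30
"""
TIMEOUT_RE = re.compile(r"sshd\[\d+\]: Timeout before authentication for (\S+) port \d+$")
TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def count_grace_timeouts(log_text):
    """Map each source address to its number of pre-authentication timeouts."""
    counts = {}
    for line in log_text.splitlines():
        m = TIMEOUT_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def suspicious_sources(log_text, threshold=3):
    """Sources at or above `threshold`: exploitation needs many timed-out connections."""
    return sorted(ip for ip, n in count_grace_timeouts(log_text).items() if n >= threshold)

def parse_sshd_time(value):
    """Convert an sshd_config time value (120, 2m, 1h30m, ...) to seconds."""
    if not re.fullmatch(r"(\d+[smhdw]?)+", value):
        raise ValueError(f"bad sshd time value: {value!r}")
    return sum(int(n) * TIME_UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value))

def effective_login_grace_time(config_text):
    """LoginGraceTime sshd applies: first (case-insensitive) keyword wins, default 120s; Include not followed."""
    for line in config_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0].lower() == "logingracetime":
            return parse_sshd_time(fields[1])
    return 120
```

Reading the effective setting is deliberate: the Ubuntu fixed packages listed above are backports (for example 1:8.9p1-3ubuntu0.10 still reports 8.9p1), so the version banner alone cannot tell you whether a host is patched.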