More information has become available on the possible exploitation of the recently disclosed OpenSSH vulnerability tracked as CVE-2024-6387 and named regreSSHion.
Qualys revealed on July 1 that its researchers discovered a critical OpenSSH vulnerability, a signal handler race condition in the sshd server, that can be exploited by an unauthenticated attacker for remote code execution.
The vulnerability has been compared to Log4Shell, and Qualys warned that its exploitation can lead to a complete system takeover, enabling the deployment of malware and backdoors.
The security hole has been named regreSSHion because it is a regression of an OpenSSH flaw (CVE-2006-5051) first patched in 2006. The issue was reintroduced in October 2020 with OpenSSH 8.5p1 and has now been fixed with the release of version 9.8p1.
Searches conducted by Qualys using the Shodan and Censys services showed more than 14 million potentially vulnerable OpenSSH instances on the internet, and the security firm’s own customer data showed roughly 700,000 systems that appeared to be vulnerable.
Qualys has made available technical details, but it has not released proof-of-concept (PoC) code. However, others have started making public what appear to be PoC exploits.
On the other hand, Palo Alto Networks has tested some of the PoC code and was not able to achieve remote code execution. The cybersecurity giant said there’s no reason for panic, noting that while the vulnerability is critical it’s unlikely to lead to mass exploitation.
Security researcher Raghav Rastogi reported seeing an IP address that appears to be attempting to exploit CVE-2024-6387, but in-the-wild exploitation attempts have yet to be confirmed.
Exploitation of CVE-2024-6387 is not a straightforward task. Qualys explained that in its experiments it took roughly 10,000 tries to win the race condition required for exploitation, taking between several hours and one week to obtain a remote root shell.
Tomer Schwartz, co-founder and CTO of Dazz, highlighted that exploitation is mostly possible in a lab setting.
“It is a statistical exploit by nature: it takes a significant number of attempts to win the race condition and successfully execute arbitrary code, and there are quite a few obstacles that attackers need to overcome,” Schwartz told SecurityWeek. “The best-known exploit takes over 4 hours to run, even in the best-case scenario.”
In release notes for OpenSSH 9.8, developers pointed out that exploitation has only been demonstrated on 32-bit glibc-based Linux systems and noted that OpenBSD is not impacted.
“Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It’s likely that these attacks will be improved upon,” OpenSSH developers said. “Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation […] may potentially have an easier path to exploitation.”
Members of the cybersecurity community have started releasing open source tools that can be used to identify vulnerable OpenSSH servers.
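The checkers released so far work the same way a practitioner would script it by hand: read the server identification line and compare the OpenSSH version against the ranges Qualys published (below 4.4p1 vulnerable unless the 2006 fix was backported, 4.4p1 up to 8.4p1 not vulnerable, 8.5p1 up to 9.7p1 vulnerable, 9.8p1 and later fixed). The script below is an added example written for this article, not one of the community tools it refers to; the host addresses and banners in it are constructed for the offline demo, and the `grab_banner` helper is only there to show how the same classifier would be fed from a live host.

```python
# Added example (not from the article or from any of the open source tools it
# mentions): classify OpenSSH banners against the CVE-2024-6387 version ranges
# published by Qualys.  Sample banners below are constructed for the demo.
import re
import socket

# Version boundaries from the Qualys advisory:
#   < 4.4p1          vulnerable unless CVE-2006-5051 / CVE-2008-4109 were backported
#   4.4p1 .. 8.4p1   not vulnerable
#   8.5p1 .. 9.7p1   vulnerable (the October 2020 regression)
#   >= 9.8p1         fixed upstream
FIXED_2006 = (4, 4, 1)
REGRESSED = (8, 5, 1)
FIXED_2024 = (9, 8, 1)

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(banner):
    """Return (major, minor, portable_patch) or None for a non-OpenSSH banner.
    patch is None for a non-portable (OpenBSD style) banner such as 'OpenSSH_9.8'."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch is not None else None)


def classify(banner):
    """Map one SSH identification string to (status, reason).
    A banner check cannot see distribution backports, so 'vulnerable' means
    'version string falls in the affected range, verify against the vendor's
    package changelog', not a confirmed finding."""
    v = parse_version(banner)
    if v is None:
        return ("unknown", "not an OpenSSH banner")
    major, minor, patch = v
    if patch is None:
        # OpenSSH release notes: OpenBSD (the non-portable tree) is not impacted.
        return ("not_affected", "non-portable build, OpenBSD is not impacted")
    ver = (major, minor, patch)
    if ver < FIXED_2006:
        return ("vulnerable", "pre-4.4p1, unless the CVE-2006-5051 fix was backported")
    if ver < REGRESSED:
        return ("not_vulnerable", "4.4p1 to 8.4p1 carries the 2006 fix")
    if ver < FIXED_2024:
        return ("vulnerable", "8.5p1 to 9.7p1 regression range, check for a distro backport")
    return ("fixed", "9.8p1 or later")


def grab_banner(host, port=22, timeout=5.0):
    """Read the server identification line from a live host.
    Needs network access; not used by the offline demo below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("utf-8", "replace").strip()


def scan(banners):
    """Classify a mapping of host -> banner; returns host -> (status, reason)."""
    return {host: classify(b) for host, b in banners.items()}


# Constructed sample banners for the offline demo (not real hosts).
SAMPLE = {
    "10.0.0.1": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "10.0.0.2": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "10.0.0.3": "SSH-2.0-OpenSSH_9.8p1",
    "10.0.0.4": "SSH-2.0-OpenSSH_9.8",
    "10.0.0.5": "SSH-2.0-OpenSSH_4.3p2",
    "10.0.0.6": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for host, (status, reason) in sorted(scan(SAMPLE).items()):
        print(f"{host:<12} {status:<15} {reason}")
```

The caveat in the comments matters in practice: distributions such as Debian and Ubuntu ship the fix as a backport without bumping the upstream version, so a banner in the 8.5p1 to 9.7p1 range is a lead to confirm against the package changelog (or the vendor's advisory), not proof of exposure, and a host that strips the portable `pN` suffix needs a manual look.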