Qualys TRU has disclosed a remote unauthenticated code execution (RCE) vulnerability in OpenSSH's server (sshd) on glibc-based Linux systems that allows arbitrary code execution as root without authentication. The flaw is a regression of the previously fixed CVE-2006-5051; it affects a large base of internet-facing OpenSSH servers and underscores the urgency of patching and of strengthening network protections. #regreSSHion #CVE-2024-6387 #OpenSSH #OpenSSH_sshd #glibc #CVE-2006-5051 #CVE-2008-4109 #Shodan #Censys
Key points
- The Qualys TRU identified a Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) on glibc-based Linux systems, enabling root-level compromise.
- Estimates show over 14 million potentially vulnerable OpenSSH server instances exposed to the Internet, of which about 700,000 external internet-facing instances are assessed as vulnerable.
- The flaw is a regression of the previously patched CVE-2006-5051, reintroduced in OpenSSH 8.5p1 (the regression dates from October 2020); the vulnerable range runs from 8.5p1 up to, but not including, 9.8p1.
- Version status: releases older than 4.4p1 are vulnerable unless patched for CVE-2006-5051; 4.4p1 up to (but not including) 8.5p1 is not vulnerable; 8.5p1 up to (but not including) 9.8p1 is vulnerable. OpenBSD is unaffected.
- Impact includes complete system takeover with arbitrary code execution as root, potential malware installation, data manipulation, and backdoors for persistent access.
- Mitigations focus on patch management, restricting SSH access, network segmentation, and intrusion detection systems; vendors may release patches soon, and Qualys VMDR and Patch Management aid detection and remediation.
- Exploitation indicators include sshd log entries reading "Timeout before authentication"; detection with QID 42046 requires root privileges for certain scans.
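As an added illustration of the version ranges and the log indicator listed in these key points (example code written for this summary, not Qualys's or OpenSSH's own tooling), the following Python classifies an OpenSSH banner by its upstream version number and counts "Timeout before authentication" events per source address over sample log lines. The sample log lines and the alert threshold are constructed assumptions, and a version-only verdict cannot see distribution backports.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple
# Version boundaries as summarised on this page: (major, minor, portable-level).
OLD_FIX = (4, 4, 1)     # CVE-2006-5051 fixed in 4.4p1
REGRESSION = (8, 5, 1)  # regression reintroduced in 8.5p1
FIXED = (9, 8, 1)       # fixed again in 9.8p1
_VER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
# sshd writes both "... for connection from A to B, pid = N" and "... for A port N".
_TIMEOUT_RE = re.compile(r"Timeout before authentication for (?:connection from )?(\d+\.\d+\.\d+\.\d+)")

def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, p-level) from an SSH banner or `ssh -V` string, else None."""
    m = _VER_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def classify(banner: str) -> str:
    """Classify by upstream version only. Caveat: distributions often backport the
    fix without bumping the version, so 'vulnerable' means 'check the changelog'."""
    ver = parse_openssh_version(banner)
    if ver is None:
        return "unknown"
    if ver[2] == 0:  # no 'pN' suffix: non-portable (OpenBSD) build, unaffected
        return "not affected"
    if ver >= FIXED:
        return "fixed"
    if ver >= REGRESSION:
        return "vulnerable"
    if ver >= OLD_FIX:
        return "not vulnerable"
    return "vulnerable unless patched for CVE-2006-5051"

def timeout_bursts(lines: Iterable[str], threshold: int = 5) -> Dict[str, int]:
    """Count 'Timeout before authentication' events per source; one is routine, many
    from one source is the pattern to alert on (threshold is an assumed, tunable value)."""
    counts: Counter = Counter()
    for line in lines:
        m = _TIMEOUT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample auth.log lines (not real captures): six timeouts from one source.
SAMPLE_LOG = [f"Jul  1 10:00:0{i} host sshd[120{i}]: Timeout before authentication for "
              f"connection from 192.0.2.10 to 198.51.100.5, pid = 120{i}" for i in range(6)]
SAMPLE_LOG += ["Jul  1 10:00:06 host sshd[1206]: Accepted publickey for alice from 203.0.113.7 port 51234 ssh2",
               "Jul  1 10:00:07 host sshd[1207]: Timeout before authentication for 203.0.113.9 port 40022"]
```

Run `classify()` against `ssh -V` output or a captured banner, and feed `timeout_bursts()` the host's real sshd log to turn the page's indicator into an alert.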
MITRE Techniques
- [T1133] External Remote Services – The OpenSSH sshd service exposed to the Internet enables unauthenticated remote code execution via a signal handler race condition. ‘Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems.’
- [T1068] Exploitation for Privilege Escalation – Successful exploitation would yield root privileges, enabling full control of the system. ‘allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems.’
- [T1499] Impact – Full system compromise and persistence, including malware installation and backdoors. ‘This vulnerability, if exploited, could lead to full system compromise… complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access.’
- [T1190] Exploit Public-Facing Application – OpenSSH's sshd exposed on the Internet is the public-facing service leveraged for remote code execution. (Concept drawn from the article's description of remote unauthenticated exploitation of sshd.)