Critical Remote Code Execution Vulnerability in OpenSSH's Server
Take action: have your team check all OpenSSH servers running on your network, especially those exposed to the Internet. If they fall within the vulnerable versions, either patch or apply the mitigation. This can become a very nasty situation.
The Qualys Threat Research Unit (TRU) has identified a critical Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH's server (sshd) on glibc-based Linux systems. This vulnerability, tracked as CVE-2024-6387 (CVSS score 8.1), is due to a signal handler race condition in sshd, allowing unauthenticated remote code execution as root.
This vulnerability is a regression of CVE-2006-5051, reintroduced in October 2020 (OpenSSH 8.5p1), hence the name regreSSHion. Exploiting this vulnerability can lead to a complete system compromise.
Over 14 million potentially vulnerable OpenSSH server instances are visible on the internet. Qualys states that approximately 700,000 of the external internet-facing instances scanned by its tools are vulnerable, accounting for 31% of internet-facing instances running OpenSSH.
- OpenSSH versions earlier than 4.4p1 are vulnerable unless they are patched for CVE-2006-5051 and CVE-2008-4109.
- Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable.
- The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.
- OpenBSD systems are unaffected by this bug, as OpenBSD developed a secure mechanism in 2001 that prevents this vulnerability.
- OpenSSH 9.8p1 is not vulnerable.
OpenSSH released version 9.8 on 1 July 2024 to fix this flaw.
Qualys will not publish exploit code, so that organizations can patch without immediate pressure.
Administrators are advised to patch their OpenSSH servers as soon as possible. If updating or recompiling sshd is not possible, setting LoginGraceTime to 0 in the configuration file mitigates the signal handler race condition, preventing remote code execution. However, this makes sshd susceptible to a denial of service through the exhaustion of all MaxStartups connections.
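The version ranges and the LoginGraceTime fallback described above, turned into an inventory check. This is an added example, not code from Qualys or the OpenSSH project; the banner, the sshd_config fragment and the function names are constructed for illustration.

```python
import re

# Version ranges as stated in the advisory (upstream OpenSSH portable releases).
# Caveat: distributions backport fixes without changing the upstream version
# string, so "vulnerable" here means "check your vendor's advisory", not proof.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

def parse_version(banner):
    """Extract (major, minor, portable) from an SSH banner or `ssh -V` output."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSH version string in {banner!r}")
    major, minor, p = m.groups()
    return (int(major), int(minor), int(p) if p else 0)

def classify(version):
    """Map a parsed version onto the ranges listed in the advisory."""
    if version < (4, 4, 1):
        return "vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109"
    if version < (8, 5, 1):
        return "not vulnerable"
    if version < (9, 8, 1):
        return "vulnerable (CVE-2024-6387, regreSSHion)"
    return "not vulnerable"

def login_grace_time_mitigated(sshd_config):
    """True if the first LoginGraceTime directive is 0 (sshd uses the first value it sees)."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):           # skip blanks and comments
            continue
        m = re.match(r"(\w+)\s*=?\s*(\S+)", line)       # "Key value" or "Key=value"
        if m and m.group(1).lower() == "logingracetime":
            return m.group(2) == "0"
    return False                                         # default is 2m: not mitigated

def audit(banner, sshd_config):
    """Combine the version check with the configuration fallback into one verdict."""
    version = parse_version(banner)
    status = classify(version)
    mitigated = login_grace_time_mitigated(sshd_config)
    return {"version": version, "status": status, "mitigated_by_config": mitigated,
            "action_needed": status.startswith("vulnerable") and not mitigated}

# Constructed sample input: a banner as sent on port 22, and a config fragment
# with the advisory's fallback mitigation applied.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6"
SAMPLE_CONFIG = """# constructed sshd_config fragment
LoginGraceTime 0
MaxStartups 10:30:100
"""
```

Run `audit(SAMPLE_BANNER, SAMPLE_CONFIG)` against each host's banner and config; a host that is vulnerable by version and not mitigated by config is flagged for patching.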