regreSSHion OpenSSH Flaw: Potential Exploitation Attempts Seen, but Mass Attacks Unlikely

The critical OpenSSH vulnerability tracked as regreSSHion and CVE-2024-6387 may already be targeted by attackers, but mass exploitation is unlikely.

More information has become available on the possible exploitation of the recently disclosed OpenSSH vulnerability tracked as CVE-2024-6387 and named regreSSHion.

Qualys revealed on July 1 that its researchers discovered a critical OpenSSH vulnerability — a race condition — that can be exploited by an unauthenticated attacker for remote code execution.

The vulnerability has been compared to Log4Shell, and Qualys warned that its exploitation can lead to a complete system takeover, enabling the deployment of malware and backdoors.

The security hole has been named regreSSHion because it’s a regression of an OpenSSH flaw first patched in 2006 — the issue was reintroduced in 2020 and it was accidentally patched recently with the release of version 9.8p1.

Searches conducted by Qualys using the Shodan and Censys services showed more than 14 million potentially vulnerable OpenSSH instances on the internet, and the security firm’s own customer data showed roughly 700,000 systems that appeared to be vulnerable.

Qualys has made available technical details, but it has not released proof-of-concept (PoC) code. However, others have started making public what appear to be PoC exploits.

On the other hand, Palo Alto Networks has tested some of the PoC code and was not able to achieve remote code execution. The cybersecurity giant said there’s no reason for panic, noting that while the vulnerability is critical it’s unlikely to lead to mass exploitation.

Security researcher Raghav Rastogi reported seeing an IP address that appears to be attempting to exploit CVE-2024-6387, but in-the-wild exploitation attempts have yet to be confirmed.

Exploitation of CVE-2024-6387 is not a straightforward task. Qualys explained that in its experiments it took roughly 10,000 tries to win the race condition required for exploitation, taking between several hours and one week to obtain a remote root shell.
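Because winning the race reportedly takes on the order of 10,000 attempts spread over hours, the attack traffic is noisy from a defender's point of view. The following is an added detection example, not code from SecurityWeek, Qualys or the OpenSSH project. It assumes (an assumption, not something the article states) that each unsuccessful attempt shows up in sshd's syslog output as a "Timeout before authentication" entry, and it flags source addresses that accumulate an unusual number of such entries inside a sliding time window. The log lines, host name, PIDs and TEST-NET addresses below are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd's grace-timeout message as it appears in a syslog-style line.
# The source IP is the field we key the detection on.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Timeout before authentication for (?P<ip>[\d.:a-fA-F]+) port \d+"
)

# Constructed sample log: one benign client with a single timeout, and one
# source that hits the grace timeout 25 times in about six minutes.
SAMPLE_LOG = [
    "Jul  2 03:00:01 bastion sshd[4001]: Accepted publickey for alice "
    "from 198.51.100.20 port 40022 ssh2",
    "Jul  2 03:02:10 bastion sshd[4005]: Timeout before authentication "
    "for 198.51.100.20 port 40100",
] + [
    f"Jul  2 03:{10 + i // 4:02d}:{(i % 4) * 15:02d} bastion sshd[{4100 + i}]: "
    f"Timeout before authentication for 203.0.113.7 port {51000 + i}"
    for i in range(25)
]


def parse_timeout_events(lines, year=2024):
    """Return a time-sorted list of (timestamp, source_ip) for grace-timeout lines.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2024
    for the sample data). Lines that are not timeout messages are skipped.
    """
    events = []
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    events.sort()
    return events


def find_hammering_sources(lines, threshold=20, window=timedelta(minutes=10)):
    """Return {source_ip: peak_count} for IPs that reach `threshold` timeouts
    within any `window`-long span. A normal client rarely times out more than
    once or twice; a long-running race attempt produces hundreds.
    """
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = {}
    for ts, ip in parse_timeout_events(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


if __name__ == "__main__":
    for ip, count in find_hammering_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} pre-auth timeouts inside one 10-minute window")
```

The threshold and window are tuning knobs: raise them on hosts that legitimately see many half-open SSH connections (load balancer health checks, flaky clients), and feed the output to whatever blocks or alerts on a source address in your environment.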

Tomer Schwartz, co-founder and CTO of Dazz, highlighted that exploitation is mostly possible in a lab setting.

“It is a statistical exploit by nature: it takes a significant number of attempts to win the race condition and successfully execute arbitrary code, and there are quite a few obstacles that attackers need to overcome,” Schwartz told SecurityWeek. “The best-known exploit takes over 4 hours to run, even in the best-case scenario.”

In release notes for OpenSSH 9.8, developers pointed out that exploitation has only been demonstrated on 32-bit glibc-based Linux systems and noted that OpenBSD is not impacted.

“Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It’s likely that these attacks will be improved upon,” OpenSSH developers said. “Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation […] may potentially have an easier path to exploitation.”

Members of the cybersecurity community have started releasing open source tools that can be used to identify vulnerable OpenSSH servers.
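Most of those tools work the same way: read the server's SSH identification string and compare the OpenSSH version in it against the fixed release. The following is an added example of that check, written for this page and not taken from any of the community tools, SecurityWeek, Qualys or OpenSSH. It uses only the threshold the article gives (9.8p1 is the first fixed release, so any earlier OpenSSH version is treated as potentially affected). The banners in the test are constructed; `grab_banner` is an optional network helper that is not exercised offline.

```python
import re
import socket

# First fixed release named in the article. Versions below 9.8 are treated as
# potentially vulnerable; the patch level of 9.8 is irrelevant since 9.8p1 is
# the first 9.8 release.
FIXED_VERSION = (9, 8)

# SSH identification line per RFC 4253: "SSH-protoversion-softwareversion [comments]".
BANNER_RE = re.compile(r"^SSH-\d\.\d-OpenSSH_(?P<ver>\d+\.\d+)(?:p(?P<patch>\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, patch) from an identification line, or None if
    the server does not identify as OpenSSH (Dropbear, libssh, ...).
    A missing portable patch level ("OpenSSH_9.8") is recorded as 0.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor = (int(x) for x in m["ver"].split("."))
    patch = int(m["patch"]) if m["patch"] else 0
    return (major, minor, patch)


def classify_banner(banner):
    """Classify a banner as 'fixed', 'potentially-vulnerable' or 'unknown'.

    'potentially-vulnerable' is deliberately not 'vulnerable': distributions
    backport fixes without bumping the upstream version, so a hit here means
    "check the package changelog", not "confirmed exposed".
    """
    ver = parse_openssh_version(banner)
    if ver is None:
        return "unknown"
    return "fixed" if ver[:2] >= FIXED_VERSION else "potentially-vulnerable"


def grab_banner(host, port=22, timeout=5.0):
    """Fetch the identification line from a live server (network access
    required; not used by the offline test). Servers may send other lines
    before it, so return the first line that starts with 'SSH-'.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(256)
    for line in data.decode("ascii", "replace").splitlines():
        if line.startswith("SSH-"):
            return line.strip()
    return ""


def triage(banners):
    """Given {host: banner}, return the hosts worth a closer look, i.e. those
    that are not confirmed fixed, grouped by classification."""
    out = {"potentially-vulnerable": [], "unknown": []}
    for host, banner in banners.items():
        label = classify_banner(banner)
        if label != "fixed":
            out[label].append(host)
    return out


if __name__ == "__main__":
    # Constructed inventory for demonstration; replace with grab_banner() results.
    sample = {
        "host-a": "SSH-2.0-OpenSSH_9.8p1",
        "host-b": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
        "host-c": "SSH-2.0-dropbear_2022.83",
    }
    print(triage(sample))
```

Run it against an inventory of banners rather than the open internet; the point is to find your own hosts that still need the distribution's patched package. Because of backports, a host in the "potentially-vulnerable" bucket is a question to answer with the package changelog, and the "unknown" bucket holds non-OpenSSH servers, which this CVE does not concern.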

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
