Qualys Threat Research Unit (TRU) has identified a vulnerability that puts Linux boxes at risk.
The bug is an unauthenticated remote code execution (RCE) vulnerability in OpenSSH’s server (SSHD) on glibc-based Linux systems. It has been assigned CVE-2024-6387. It is a signal handler race condition in OpenSSH’s server and affects SSHD’s default configuration.
Because it allows remote code execution without authentication, the vulnerability poses a significant security risk: an attacker can run code on a vulnerable server without holding any credentials.
It could result in a full system compromise, where attackers perform a complete system takeover, including creating a backdoor for ongoing access. Hackers could deploy further malware or use the compromised system to exploit and gain access to other vulnerable systems within an organization, bypassing firewalls, logging mechanisms, and other security controls to obscure their activities. This could lead to a significant data breach or leak, potentially exposing sensitive data.
In a blog post, Qualys TRU identified over 14 million potentially vulnerable OpenSSH server instances exposed to the Internet. Further data from Qualys CSAM 3.0 with External Attack Surface Management revealed that around 700,000 external internet-facing instances were vulnerable.
This is a regression of a previously patched vulnerability from 2006, CVE-2006-5051. In a regression, a flaw that was originally fixed inadvertently reappears in a later release, usually because of subsequent updates or changes. This regression was introduced in October 2020 (OpenSSH 8.5p1).
Affected OpenSSH Versions
- Versions earlier than 4.4p1 are vulnerable (unless patched for CVE-2006-5051 and CVE-2008-4109).
- Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable.
- Versions from 8.5p1 up to, but not including, 9.8p1 are vulnerable again, because of the regression.
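The version ranges above are easy to misread by hand across a large fleet, so the following is an added example (not code from the article or from Qualys) that parses SSH identification banners and labels each host against those ranges. The banners, hostnames and the triage output format are constructed for illustration; note that a banner-only check reports upstream version numbers, so a host whose distribution has backported the fix can still show as "vulnerable" and should be confirmed against the vendor's advisory.

```python
import re

# Version ranges stated in the advisory for CVE-2024-6387, expressed as
# (lower_inclusive, upper_exclusive) tuples of (major, minor, patchlevel).
VULNERABLE_RANGES = [
    ((0, 0, 0), (4, 4, 1)),   # earlier than 4.4p1 (unless patched for CVE-2006-5051 / CVE-2008-4109)
    ((8, 5, 1), (9, 8, 1)),   # 8.5p1 up to, but not including, 9.8p1 (the regression)
]

# Matches the OpenSSH part of an identification string, e.g. "OpenSSH_9.2p1".
_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, patchlevel) from an SSH banner, or None if it is not OpenSSH."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def is_vulnerable_by_version(banner):
    """Classify a banner by upstream version only: True, False, or None if unparseable."""
    version = parse_openssh_version(banner)
    if version is None:
        return None
    return any(lo <= version < hi for lo, hi in VULNERABLE_RANGES)


# Constructed sample inventory (hypothetical hosts and banners, not real scan data).
SAMPLE_BANNERS = [
    ("host-a", "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"),
    ("host-b", "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3"),
    ("host-c", "SSH-2.0-OpenSSH_9.8p1"),
    ("host-d", "SSH-2.0-dropbear_2022.83"),
]


def triage(banners):
    """Map each host to 'vulnerable', 'not-vulnerable' or 'unknown' (non-OpenSSH banner)."""
    labels = {True: "vulnerable", False: "not-vulnerable", None: "unknown"}
    return {host: labels[is_vulnerable_by_version(b)] for host, b in banners}


if __name__ == "__main__":
    for host, label in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {label}")
```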
Protect Your Linux System
Qualys recommends the following steps to protect your system:
- Immediately apply all available OpenSSH patches and keep systems up to date.
- Minimize attack risk by limiting SSH access through network-based controls.
- Restrict unauthorized access by dividing networks and deploying tools to monitor unusual activities.
Qualys has developed a working exploit for the vulnerability and shared it with the OpenSSH team. It won’t be released publicly while patches are still being applied. However, the company notes that it believes other independent researchers should be able to replicate its results.