Researchers at cybersecurity platform Qualys have uncovered a critical security flaw in OpenSSH’s server (sshd) in glibc-based Linux systems, which could potentially impact over 14 million internet-facing servers.
CVE-2024-6387 is an unauthenticated remote code execution (RCE) vulnerability that could grant threat actors full root access if exploited successfully.
The blog noted this flaw marks the first security vulnerability affecting OpenSSH in nearly two decades, and is especially dangerous by virtue of the number of enterprises that rely on the tool for remote server management.
Qualys’ Threat Research Unit (TRU) labeled the flaw the ‘regreSSHion bug’ due to the fact it is a regression of a previously patched vulnerability CVE-2006-5051, initially reported in 2006.
Regression here refers to the mechanism by which a security vulnerability, once fixed, is reintroduced into an environment through a subsequent software update.
This regression bug was reintroduced in October 2020 in OpenSSH 8.5p1, according to Qualys, and highlights the importance of rigorous regression testing to prevent the resurrection of known vulnerabilities.
CVE-2024-6387 affects the default configuration of OpenSSH and does not require any user interaction, therefore posing a significant risk of exploitation.
Using services like Censys and Shodan, Qualys identified over 14 million potentially vulnerable OpenSSH server instances exposed to the internet.
Furthermore, anonymized data from Qualys’ attack surface management cloud service CSAM 3.0 revealed approximately 700,000 external internet-facing instances are vulnerable.
This would make up 31% of all internet-facing instances of OpenSSH in Qualys’ global customer base.
“About as bad as they come” - CVE-2024-6387 is triply dangerous
Ray Kelly, fellow at the Synopsys Software Integrity Group, said the combination of RCE, root access, and broad distribution makes this vulnerability particularly worrying, and patching all vulnerable instances is not going to be a simple task.
“This vulnerability is about as bad as they come. A trifecta of Remote code execution, root access, and a widespread distribution across Linux servers makes this a hot target for threat actors,” he explained.
“Although an OpenSSH patch is available, deploying it across all affected systems—potentially impacting 14 million OpenSSH instances—poses a significant challenge. This vulnerability could persist for a long time, reminiscent of the Heartbleed vulnerability in OpenSSL from 2014."
Synopsys’ principal consultant, Thomas Richards, added he predicts there will be a spike in exploitations of IoT systems as a result, as systems are increasingly treated like one-time-use devices and are not updated frequently.
"I suspect we’ll see a rise in compromises of embedded and IoT systems, as many consumer models are meant to be disposable and rarely get updates. A vulnerability like this could be used by attackers over a long period of time, as older systems do not get updates or as organizations are slow to patch."
Qualys recommends enterprises immediately apply patches for OpenSSH, limiting SSH access through network-based controls to reduce the risk of attack, as well as implementing robust network segmentation to minimize the disruption a successful intruder could cause.
