RegreSSHion: Critical OpenSSH Vulnerability Allowing Root Access

Security researchers at Qualys have identified a critical vulnerability in the OpenSSH server (sshd), dubbed “RegreSSHion,” that allows an unauthenticated remote attacker to execute code as root. The bug is a regression: the same flaw was fixed in 2006 as CVE-2006-5051 and was later reintroduced into the code. Exploiting it requires patience, as a successful attack takes several hours.

What is RegreSSHion?

The term “regression” refers to a previously fixed bug that reappears due to later changes in the source code. The RegreSSHion bug, CVE-2024-6387, is a race condition in how sshd handles connections that fail to authenticate in time. If a client does not complete authentication within LoginGraceTime (120 seconds by default), sshd's SIGALRM handler runs and logs the timeout. The logging functions it calls, such as syslog(), are not async-signal-safe: they may call malloc() and free(), so if the signal interrupts the main code while it is itself inside the allocator, the heap state is corrupted. An attacker who wins this race can turn the corruption into arbitrary code execution, and because the pre-authentication part of sshd runs as root, that code runs as root.
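The pattern behind the bug, shown as an added example rather than OpenSSH's own code: an alarm handler that logs via syslog() (the unsafe shape the regressed sshd had), next to the async-signal-safe shape in which the handler only sets a sig_atomic_t flag and all logging happens in the main loop. OpenSSH 9.8p1 fixed the real handler by removing the logging from it and exiting directly; the function and variable names here are this example's own.

```c
/* Added example, not OpenSSH code: the async-signal-unsafe handler pattern
 * behind CVE-2024-6387, beside an async-signal-safe replacement. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* UNSAFE pattern, for contrast only (nothing below installs it).
 * The LoginGraceTime alarm fires and the handler logs the timeout.
 * syslog() is not async-signal-safe: internally it may call malloc()
 * and free(). If SIGALRM lands while the interrupted code is itself
 * inside malloc()/free(), the allocator's state is corrupted. That
 * corruption is what the Qualys exploit turns into code execution,
 * and sshd's pre-authentication code runs as root. */
void grace_alarm_handler_unsafe(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication");  /* not async-signal-safe */
    _exit(1);
}

/* SAFE pattern: the handler only writes a volatile sig_atomic_t flag,
 * the one kind of store guaranteed safe in a handler. Logging happens
 * later in the main loop, never from signal context. If the process
 * must die inside the handler, _exit() is async-signal-safe; exit(),
 * which runs atexit handlers and flushes stdio, is not. */
static volatile sig_atomic_t grace_expired = 0;

static void grace_alarm_handler_safe(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* Arm the login grace timer with the safe handler.
 * Returns 0 on success, -1 if sigaction() fails. */
int arm_login_grace_timer(unsigned int seconds)
{
    struct sigaction sa;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_alarm_handler_safe;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;      /* no SA_RESTART: blocking calls return EINTR, so the loop re-checks the flag */
    if (sigaction(SIGALRM, &sa, NULL) != 0)
        return -1;
    grace_expired = 0;
    alarm(seconds);       /* alarm(0) cancels a pending timer */
    return 0;
}

/* Polled from the main loop: did the grace period expire? Returns 1 or 0. */
int login_grace_expired(void)
{
    return grace_expired != 0;
}

int main(void)
{
    if (arm_login_grace_timer(1) != 0)
        return 1;

    /* Stand-in for sshd's pre-authentication loop: do work, re-check the flag. */
    while (!login_grace_expired())
        sleep(1);         /* returns early when the signal arrives */

    /* Logging from ordinary, non-signal context is fine. */
    openlog("grace-example", LOG_PID, LOG_AUTH);
    syslog(LOG_INFO, "Timeout before authentication (logged from the main loop)");
    closelog();
    return 0;
}
```

The difference to look for when reviewing any daemon's signal handlers is the same: a handler may set a flag or call _exit(), but anything that formats strings, allocates memory or touches stdio belongs outside it.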

Affected Versions

The following OpenSSH versions are vulnerable:

  • Versions before 4.4p1 (unless patched for CVE-2006-5051 or CVE-2008-4109)
  • Versions 8.5p1 through 9.7p1 (fixed in 9.8p1)

Versions 4.4p1 through 8.4p1 are not affected: they contain the fix for CVE-2006-5051, which was removed by a change in October 2020 that shipped in 8.5p1.
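A small classifier for the ranges above, added here as an example and not taken from OpenSSH or the Qualys advisory. It parses the upstream version out of an SSH server banner (or the first token of ssh -V output) and maps it onto the ranges. The caveat it cannot remove: a distribution that backports the fix keeps the upstream version string, so a "vulnerable" result for a packaged sshd means "check the package version against the vendor advisory", not "confirmed vulnerable". The enum and function names, and the sample banners in main(), are this example's own constructions.

```c
/* Added example, not OpenSSH or Qualys code: classify an SSH server
 * banner against the CVE-2024-6387 version ranges listed above. */
#include <stdio.h>
#include <string.h>

enum regresshion_status {
    RS_UNKNOWN,         /* not an OpenSSH banner, or version not parseable */
    RS_VULNERABLE_OLD,  /* before 4.4p1: vulnerable unless patched for CVE-2006-5051 / CVE-2008-4109 */
    RS_NOT_AFFECTED,    /* 4.4p1 through 8.4p1, or a non-portable (OpenBSD) build */
    RS_VULNERABLE,      /* 8.5p1 through 9.7p1 */
    RS_FIXED            /* 9.8p1 and later */
};

/* Parse the upstream version out of a banner such as
 * "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2" or the first token of ssh -V.
 * portable is set to 1 when a "pN" suffix is present (portable OpenSSH,
 * i.e. Linux and other non-OpenBSD builds) and 0 otherwise.
 * Returns 1 on success, 0 if no OpenSSH version is found. */
int parse_openssh_version(const char *banner, int *major, int *minor, int *patch, int *portable)
{
    const char *p = strstr(banner, "OpenSSH_");
    int n;

    if (p == NULL)
        return 0;
    p += strlen("OpenSSH_");
    *patch = 0;                           /* stays 0 when the "pN" suffix is absent */
    n = sscanf(p, "%d.%dp%d", major, minor, patch);
    if (n < 2 || *major < 0 || *minor < 0 || *patch < 0)
        return 0;
    *portable = (n == 3);
    return 1;
}

/* Collapse a version into one comparable integer: 9.2p1 -> 90201. */
static int version_key(int major, int minor, int patch)
{
    return major * 10000 + minor * 100 + patch;
}

enum regresshion_status classify_banner(const char *banner)
{
    int major, minor, patch, portable, key;

    if (!parse_openssh_version(banner, &major, &minor, &patch, &portable))
        return RS_UNKNOWN;
    if (!portable)
        return RS_NOT_AFFECTED;           /* OpenBSD's sshd logs with the async-signal-safe syslog_r() */
    key = version_key(major, minor, patch);
    if (key < version_key(4, 4, 1))
        return RS_VULNERABLE_OLD;
    if (key < version_key(8, 5, 1))
        return RS_NOT_AFFECTED;
    if (key < version_key(9, 8, 1))
        return RS_VULNERABLE;
    return RS_FIXED;
}

const char *regresshion_status_name(enum regresshion_status s)
{
    switch (s) {
    case RS_VULNERABLE_OLD: return "vulnerable (pre-4.4p1) unless patched for CVE-2006-5051/CVE-2008-4109";
    case RS_NOT_AFFECTED:   return "not affected";
    case RS_VULNERABLE:     return "vulnerable (8.5p1 to 9.7p1) unless the distribution backported the fix";
    case RS_FIXED:          return "fixed";
    default:                return "unknown";
    }
}

int main(void)
{
    /* Constructed sample banners, not captured from real hosts. */
    const char *samples[] = {
        "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2",
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-OpenSSH_8.7p1",
        "SSH-2.0-OpenSSH_7.4p1",
        "SSH-2.0-OpenSSH_4.2p1",
        "SSH-2.0-OpenSSH_9.8",
        "SSH-2.0-dropbear_2022.83",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s %s\n", samples[i], regresshion_status_name(classify_banner(samples[i])));
    return 0;
}
```

Feed it the banner line a scanner reads from TCP port 22, or the first word of ssh -V on the host itself. Any RS_VULNERABLE result on a Debian, Ubuntu or Red Hat system still needs the installed package version compared with that distribution's advisory.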

How to update SSHD

We have written a separate article on how to update sshd on Debian, Ubuntu and Red Hat Linux.

Exploit Details

Exploiting this vulnerability requires bypassing several mitigations, ASLR among them, and significant patience. According to Qualys, the race is won roughly once in ten thousand attempts on average, and the exploit has so far only been demonstrated on 32-bit systems; Qualys believes 64-bit systems are exploitable as well but has not shown it. With 100 parallel connections accepted per LoginGraceTime window, winning the race takes three to four hours, and obtaining a root shell takes six to eight hours on average, because under ASLR the address of glibc is guessed correctly only about half the time. sshd's default MaxStartups setting starts dropping unauthenticated connections once ten are pending, which stretches the attack out considerably.

Practical Implications

Qualys demonstrated the exploit against OpenSSH 9.2p1 on a 32-bit Debian 12 system. Only glibc-based Linux systems have been examined so far; other libc implementations remain untested. OpenBSD is not affected, because its libc provides an async-signal-safe syslog_r() that its sshd has used for logging from the signal handler since 2001.

Recommendations

Admins should ensure their Linux systems run a fixed OpenSSH. Both Debian and Ubuntu have released updated packages. Note that a distribution backport does not change the upstream version string reported by ssh -V or in the server banner, so check the installed package version against your distribution's advisory rather than relying on the version number alone.

Red Hat is still investigating; initial analysis shows that only Red Hat Enterprise Linux 9, which ships OpenSSH 8.7p1, is affected, while the OpenSSH 8.0p1 in RHEL 8 predates the regression.

Summary

The RegreSSHion vulnerability highlights the importance of keeping software up to date. Protect your systems by updating to OpenSSH 9.8p1 or later, or to a distribution package that backports the fix.

For more details, refer to the Qualys Security Advisory.