Critical Vulnerability in OpenSSH Affecting Linux Servers

I am a day late to the party but I thought I would share this here since 92% of relays run Linux [1], mostly Debian [2]:

On July 1, 2024, a new OpenSSH unauthenticated remote code execution (RCE) vulnerability dubbed regreSSHion was reported, affecting glibc-based Linux systems. This vulnerability, identified as CVE-2024-6387, allows remote attackers to execute arbitrary code as root due to a signal handler race condition in sshd.

This vulnerability, if exploited, could lead to full system compromise, where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization.

CERT-EU recommends reviewing and applying the patches from Linux distribution security bulletins, including but not limited to:
• Ubuntu
• Debian
• RedHat
However, if it cannot be updated immediately, set the LoginGraceTime to 0 in the sshd configuration file, but note that this can expose the server to denial-of-service attacks.

OpenBSD systems are not impacted by this flaw thanks to a secure mechanism introduced back in 2001.

I guess this underscores the importance of enabling automatic software updates. Also, OpenBSD is quite fun and I recommend it to anyone looking to try a more traditional Unix experience.
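A small checker for the LoginGraceTime workaround described in the post above, added here as an example (not code from this thread or from OpenSSH): it reads sshd_config text using sshd's first-match rule, reports the effective LoginGraceTime, and shows the MaxStartups value that bounds the half-open connections the denial-of-service caveat refers to. The sample configs are constructed.

```python
import re

# sshd_config semantics: keywords are case-insensitive, "key value" and
# "key=value" are both accepted, and the FIRST value seen for a keyword wins.
_LINE = re.compile(r"^\s*([A-Za-z]+)\s*[=\s]\s*(.+?)\s*$")
# Time suffixes sshd accepts for LoginGraceTime; a bare number is seconds.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_time(value: str) -> int:
    """Convert an sshd time value ("0", "120", "2m", "1h30m") to seconds."""
    return sum(int(qty) * _UNITS[unit]
               for qty, unit in re.findall(r"(\d+)([smhdw]?)", value.lower()))

def global_settings(config_text: str) -> dict:
    """Collect global keyword values; stop at the first Match block, whose
    overrides are conditional and do not change the global value."""
    settings = {}
    for raw in config_text.splitlines():
        m = _LINE.match(raw.split("#", 1)[0])  # strip trailing comments
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings

def assess(config_text: str) -> dict:
    """Effective LoginGraceTime and whether the interim workaround is set.
    With the timer disabled, half-open unauthenticated sessions are never
    reaped, so MaxStartups becomes the only ceiling on them; it is reported
    to make the denial-of-service trade-off visible."""
    s = global_settings(config_text)
    grace = parse_time(s.get("logingracetime", "120"))  # sshd default is 2m
    return {
        "login_grace_time": grace,
        "workaround_applied": grace == 0,
        "max_startups": s.get("maxstartups", "10:30:100"),  # sshd default
    }

# Constructed sample configs, not taken from any real host.
MITIGATED = """\
Port 22
LoginGraceTime 0      # interim workaround until the patched package lands
MaxStartups 10:30:100
LoginGraceTime 2m     # ignored: the first occurrence above wins
Match User backup
    LoginGraceTime 2m # conditional; leaves the global value untouched
"""
UNCHANGED = "PermitRootLogin no\n"  # no override, so the 2m default applies
```

Run `assess` over the output of `sshd -T` or the file itself; a result with `workaround_applied` false on an unpatched package is the case to act on.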


Before everyone panics:

OpenSSH estimates that 6-8 hours of brute-forcing against an ASLR-enabled 32-bit system would allow this vulnerability to be exploited. Exploits for 64-bit are currently still theoretical. [1]

Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It’s likely that these attacks will be improved upon. [2]

Thanks for the reminder. I saw it being alerted on social media sites and updated the VPS where my Tor bridge is running. It is an Ubuntu jammy system; the steps I took to update were:

sudo apt-get update
sudo apt-get install openssh-server

(you will also get some dependencies with it)

The result was that I now have:

~$ sshd -x
unknown option -- x
OpenSSH_8.9p1 Ubuntu-3ubuntu0.10

(-x is not a valid option, but whatever, this gives me the version…)

And this is a version in which this is fixed on Ubuntu (ref.)