A few days ago, researchers found a serious security flaw in OpenSSH, a widely used tool for secure communication over a network. This flaw is known as "regreSSHion" (CVE-2024-6387).
This bug could potentially allow a remote attacker to execute malicious code on a system running OpenSSH. This post explains what exactly happened and what you should do.
What is regreSSHion (CVE-2024-6387) Bug?
A severe security bug in OpenSSH, dubbed regreSSHion (CVE-2024-6387), was discovered and reported by the Qualys Threat Research Unit (TRU).
The vulnerability is an unauthenticated Remote Code Execution (RCE) issue in OpenSSH's server (sshd) on Linux systems using glibc. This means an attacker could gain full root access without needing any user interaction.
This vulnerability is particularly noteworthy as it's the first major OpenSSH vulnerability in nearly two decades.
Which OpenSSH Versions are Affected?
The flaw affects OpenSSH versions before 4.4p1 and versions from 8.5p1 up to, but not including, 9.8p1.
OpenSSH 9.8 is Released
In response to this threat, the OpenSSH team has released version 9.8 on July 1, 2024. This update not only patches the critical vulnerability but also addresses another security issue.
1. Race Condition in sshd(8)
As mentioned above, a critical vulnerability known as "regreSSHion" was found in sshd(8) in versions 8.5p1 through 9.7p1. This flaw could allow arbitrary code execution with root privileges.
Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with Address Space Layout Randomization (ASLR). While exploitation on 64-bit systems is considered possible, it has not yet been demonstrated.
Notably, OpenBSD systems are not vulnerable to this issue.
This bug was identified and reported by the Qualys Security Advisory Team.
2. Logic Error in ssh(1) ObscureKeystrokeTiming
In OpenSSH versions 9.5 through 9.7, a logic error in the ssh(1) ObscureKeystrokeTiming feature made it ineffective. This bug allowed a passive observer to detect which network packets contained real keystrokes.
Additionally, it compromised another long-standing timing attack mitigation, potentially allowing a passive observer to detect when echo was off and obtain limited timing information about keystrokes.
This bug was identified by Philippos Giavridis, and independently by Jacky Wei En Kung, Daniel Hugenroth, and Alastair Beresford of the University of Cambridge Computer Lab.
How Can You Protect Your System?
The best way to protect against this vulnerability is to ensure your OpenSSH version is updated or patched. The latest release, OpenSSH 9.8, addresses all the known security issues.
The patched OpenSSH version has already been rolled out and is included in the default repositories of many Linux distributions. Users are strongly encouraged to update their systems:
# Alpine Linux
sudo apk update
sudo apk upgrade openssh

# Arch Linux
sudo pacman -Syu openssh

# Debian-based Systems (Debian, Ubuntu)
sudo apt update
sudo apt upgrade openssh-server

# Red Hat-based Systems (RHEL, CentOS, Fedora)
sudo dnf check-update
sudo dnf update openssh-server

# Older RHEL/CentOS
sudo yum check-update
sudo yum update openssh-server

# SUSE-based Systems (openSUSE, SLES)
sudo zypper refresh
sudo zypper update openssh
After upgrading, verify the installed version of OpenSSH by running:
ssh -V
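Reading the version string by eye is error-prone across a fleet, so here is an added example (not part of the original post) that classifies the banner printed by ssh -V against the affected ranges stated above: before 4.4p1, and from 8.5p1 up to but not including 9.8p1. It is a version-string check only: distributions often backport the fix without changing the upstream version number, and OpenBSD is not vulnerable regardless of version, so "affected" here means "consult your vendor's advisory", not "confirmed vulnerable". The sample banners in the demo are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added example, not from the original post: classify the banner printed by
# "ssh -V" against the regreSSHion affected ranges given in the post
# (before 4.4p1, and from 8.5p1 up to but not including 9.8p1).
# Portable OpenSSH appends "pN" to the version; OpenBSD's native release is
# numbered "9.8" for the same fixed release, so the upper bound is compared
# as 9.8 and both "9.8" and "9.8p1" come out as not-affected.
# Caveat: version-string check only. Distributions often backport the fix
# without bumping the upstream version, so confirm with your vendor advisory.

# Extract "9.7p1" from "OpenSSH_9.7p1 Ubuntu-3ubuntu13, OpenSSL ..."; fail on anything else.
parse_banner() {
    case "$1" in
        OpenSSH_*) ;;
        *) return 1 ;;
    esac
    v=${1#OpenSSH_}
    v=${v%%[ ,]*}
    printf '%s\n' "$v"
}

# Turn "MAJOR.MINOR[pPATCH]" into one integer so versions compare numerically
# (a missing pN suffix counts as p0).
version_key() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%p*}
    if [ "$rest" = "$minor" ]; then patch=0; else patch=${rest#*p}; fi
    printf '%d\n' $(( major * 1000000 + minor * 1000 + patch ))
}

# Print "affected", "not-affected" or "unknown" for a full ssh -V banner line.
regresshion_status() {
    v=$(parse_banner "$1") || { printf 'unknown\n'; return 0; }
    k=$(version_key "$v")
    if [ "$k" -lt "$(version_key 4.4p1)" ]; then
        printf 'affected\n'
    elif [ "$k" -ge "$(version_key 8.5p1)" ] && [ "$k" -lt "$(version_key 9.8)" ]; then
        printf 'affected\n'
    else
        printf 'not-affected\n'
    fi
}

# Constructed sample banners (not captured from real hosts) to show the classifier.
demo() {
    for banner in \
        'OpenSSH_9.7p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024' \
        'OpenSSH_9.8p1, OpenSSL 3.0.13 30 Jan 2024' \
        'OpenSSH_8.4p1 Debian-5+deb11u3, OpenSSL 1.1.1w  11 Sep 2023' \
        'OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008' \
        'not an ssh banner'
    do
        printf '%-60s -> %s\n' "$banner" "$(regresshion_status "$banner")"
    done
}

# With --local, check this host's own OpenSSH (client and server normally ship
# in the same package); note that ssh -V writes its version to stderr.
if [ "${1-}" = "--local" ]; then
    regresshion_status "$(ssh -V 2>&1)"
else
    demo
fi
```

Run it with no arguments to see the constructed samples classified, or with --local to classify the OpenSSH installed on the current host. Because the version is encoded as a single integer, the same three functions can be reused to check any other version range an advisory gives.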
Key Takeaways
OpenSSH released version 9.8 on July 1, 2024. This update fixes two security problems:
1. Critical Vulnerability in sshd
Affects: OpenSSH versions 8.5p1 to 9.7p1
Impact: Potential unauthorized root access
Details:
- Successfully exploited on 32-bit Linux systems with ASLR
- Exploitation on 64-bit systems possible but not yet demonstrated
- Non-glibc systems may be affected, but this hasn't been confirmed
- OpenBSD is not vulnerable
Credit: Discovered and reported by the Qualys Security Advisory Team
2. Timing Attack Vulnerability
Affects: OpenSSH versions 9.5 to 9.7
Impact: Potential exposure of keystroke timing information
Details:
- Bug in the ObscureKeystrokeTiming feature
- Could allow observers to detect which network packets contained real keystrokes
- Unintentionally disabled a long-standing protection against timing attacks on password entry
Credit: Discovered by Philippos Giavridis and independently by researchers from the University of Cambridge Computer Lab
Recommendations:
Update to OpenSSH 9.8 or later immediately.
Conclusion
This is the first major flaw in OpenSSH in about 20 years. It shows that even trusted tools need regular updates.
The release of OpenSSH 9.8 is a significant step forward in securing systems against known vulnerabilities.
Users are strongly encouraged to update their OpenSSH installations to the latest version to protect against these and other potential threats.