regreSSHion vulnerability discovered in OpenSSH
Learn how an old vulnerability returns in a new, threatening form and what steps to take to secure your OpenSSH systems
A flaw in OpenSSH, called regreSSHion and identified as CVE-2024-6387, allows remote attacks. This bug is a regression of an old CVE from 2006. Major Linux distributions have released updates to address the issue.
Recently, security firm Qualys discovered a new flaw in OpenSSH, dubbed regreSSHion, which concerns a race condition within the popular security software. OpenSSH is widely considered one of the most secure software in the world, thanks to its defense-in-depth design and exemplary code. However, the identified vulnerability, CVE-2024-6387, is an anomaly in an otherwise near-perfect implementation. The bug comes into play when a client fails to authenticate within the time specified by the LoginGraceTime option, which has a default value of 120 seconds (599 in older versions of OpenSSH). This triggers the SIGALRM handler in asynchronous mode, creating a potential path for remote attacks and code execution with root privileges.
Return of an old CVE
What makes this vulnerability particularly interesting is that it is a regression of an old CVE dating back to 2006, namely CVE-2006-5051. The new version of the vulnerability is not only a repeat of the old problem, but demonstrates how the exploit can be executed in new and more effective ways. The detailed report published by Qualys explores in depth the technical circumstances that allow this race condition to become a palpable threat. The criticality of regreSSHion highlights the importance of detailed testing and constant monitoring of security implementations, even for software with a historically robust reputation like OpenSSH.
Updates and mitigations for different distributions
Major Linux distributions responded quickly by providing updates that address this vulnerability. For example, Ubuntu users will see a message through the apt update system informing them of the fix for CVE-2024-6387 for versions 22.04 LTS, 23.10, and 24.04 LTS. Likewise, Red Hat has published a page dedicated to mitigating this flaw, while SUSE and Debian have provided similar resources for their users. It is essential that system administrators apply these updates immediately to protect their systems from potential exploits that could exploit this vulnerability.
Control tools and final considerations
To check which machines in your network could be vulnerable, you can use tools such as the CVE-2024-6387_Check Python script, which allows precise verification of the presence of the flaw. It is critical to ensure that all machines are up to date and compliant with released patches. Finally, a pinch of irony: in a data center still populated by machines with CentOS 7, which no longer receive official updates, the risks are amplified. It is therefore crucial to avoid using distributions that are no longer supported in production environments to avoid potential security disasters.
Follow us on Google News for more pills like this07/03/2024 20:45
Marco Verro