Critical OpenSSH vulnerability could affect millions of servers

Regression testing

Qualys stressed that this recent flaw shows problems that can arise when regression testing is not properly performed. CVE-2024-6387 is a regression of CVE-2006- 5051, which Jogi said typically indicates changes or updates made in subsequent software releases that inadvertently reintroduced a previously patching vulnerability.

"This incident highlights the crucial role of thorough regression testing to prevent the reintroduction of known vulnerabilities into the environment. This regression was introduced in October 2020 (OpenSSH 8.5p1)," the blog post read.

Jogi said it's likely that the vulnerability exists in both macOS and Windows machines. Enterprises can look for exploitation attempts by checking their logs for multiple lines of "Time before authentication."

Additionally, Qualys "urgently" advised enterprises to patch. Though the fix is part of a major update to OpenSSH, users can upgrade to the latest version released on Monday, which is 9.8p1, or apply a fix to older versions.

OpenSSH's release notes emphasized that the fixed version addressed the race condition in OpenSSH's server (sshd). The open source project labeled the flaw as critical, though no CVSS score has been assigned as of yet.

While OpenSSH highlighted Qualys' successful exploitation on 32-bit Linux/glibc systems and applauded the vendor for the discovery, it appears other versions may be susceptible as well.

"Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon," OpenSSH wrote in the release notes. "Exploitation on non-glibc systems is conceivable but has not been examined."

Jake Williams, an infosec professional and faculty member at IANs research, noted in a post on X, formerly Twitter, that exploitation has only been proven against x86 versions and not x64 servers. "That's important because finding the right address to return to in x64 is exponentially harder in x64 than x86," Williams wrote on X.

Saeed Abbasi, product manager and vulnerability researcher at Qualys Threat Research Unit, told TechTarget Editorial that the company has not yet determined if x64 systems are vulnerable to CVE-2024-6387.

"We have initiated efforts on developing an amd64 exploit, acknowledging the increased complexity due to the enhanced ASLR. Shortly after commencing our amd64 project, we identified a critical bug report in OpenSSH's public Bugzilla, highlighting a deadlock issue in sshd's SIGALRM handler," Abbasi said in an email. "Given the potential severity, we prioritized reaching out to OpenSSH's development team immediately, informing them that this deadlock stems from an exploitable vulnerability. Consequently, we have temporarily suspended our amd64 efforts to focus on crafting this advisory."

Abbasi added that while Qualys does not have visibility into current patching rates, most distributions with OpenSSH are in the process of releasing the patch. "Once they do, we will be able to provide a more comprehensive update regarding the patch deployment rate," he said.

According to Tenable Research, OpenSSH is deployed in over 67% of organizations' environments. "Based on Tenable's telemetry data, OpenSSH is among the 10 most popular products in use, demonstrating a potential for a large attack surface. However, it's important to note that exploitation is difficult and requires winning a race condition," Tenable said in a statement provided to TechTarget Editorial. "Despite the difficulty of exploitation, with widespread use of OpenSSH, immediate patching is recommended to ensure your organization is protected from this threat. If immediate patching is not possible, increased monitoring of SSH traffic for priority endpoints is recommended."

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.