
How to find OpenSSH systems on your network

Latest OpenSSH vulnerability: regreSSHion

On July 1, 2024 the OpenSSH team released version 9.8p1 to address 2 vulnerabilities. The more critical of the two allows Remote Code Execution (RCE) by unauthenticated attackers under certain situations. This vulnerability was discovered by Qualys and dubbed “regreSSHion”.

CVE-2024-6387 is a critical-rated vulnerability in the portable (non-OpenBSD) versions of OpenSSH from 8.5p1 to 9.7p1. Successful exploitation enables attackers to run arbitrary code with root privileges. Note that the “p” in those version strings indicates “portable”. Exploitation is currently thought to take multiple hours and many connections, but exploit effectiveness will likely improve now that the information is public.

A second vulnerability related to the failure of the ObscureKeystrokeTiming security feature has also been fixed. It was discovered that OpenSSH clients using versions 9.5 through 9.7 did not correctly implement this feature and so may have been susceptible to keystroke timing attacks when connected to an OpenSSH 9.5 or higher server.

What is the impact?

There are a few things to understand when determining impact and risk of CVE-2024-6387. OpenSSH on OpenBSD is not vulnerable. Also, these exploits currently take multiple hours to work against 32-bit Linux/glibc systems with address space layout randomization (ASLR) enabled. Exploitation of 64-bit systems is thought to be possible but hasn’t yet been demonstrated. Exploitation of non-glibc systems, such as Alpine Linux and various BSD-based operating systems, is similarly unexplored.

It is important to keep in mind that this vulnerability will likely draw the attention of very skilled individuals and groups. The definition of “possible” and “likely” may change greatly over the coming days and weeks.

Are updates or workarounds available?

The OpenSSH team has released version 9.8p1 to address these vulnerabilities. Updates will likely be released for various operating systems very quickly if they haven’t been already.

The following vendors have already issued advisories and packages:

How to find potentially vulnerable OpenSSH systems with runZero

It is important to note that most Linux distributions with scheduled releases and stability guarantees, such as Debian, Red Hat Enterprise Linux, and Ubuntu, will backport the fix to existing versions of OpenSSH instead of updating to 9.8p1. This means that their specific package version numbers may update but the version of OpenSSH may not.

Here is an example for Ubuntu 24.04:

Unpatched:

OpenSSH_9.6p1 Ubuntu-3ubuntu13

Patched:

OpenSSH_9.6p1 Ubuntu-3ubuntu13.3

As a result, auditing any environment will be more complex than normal.

For auditing overall OpenSSH versions go to the Software Inventory and use the following query:

name:"OpenBSD OpenSSH" (version:>8.4 AND version:<9.8)

Specific services can be found using the Service Inventory and the following query which will remove some of the versions known to be patched:

protocol:ssh (_service.product:="OpenBSD:OpenSSH:9%" OR _service.product:="OpenBSD:OpenSSH:8%" OR _service.product:="OpenBSD:OpenSSH:4%" OR _service.product:="OpenBSD:OpenSSH:3%") NOT (os:OpenBSD OR banner:"Ubuntu-3ubuntu13.3" OR banner:"Ubuntu-3ubuntu0.10" OR banner:"Ubuntu-1ubuntu3.6" OR banner:"Debian-5+deb11u3" OR banner:"Debian-2+deb12u3" OR banner:"FreeBSD-20240701")

We have a canned query named “Rapid Response: OpenSSH regreSSHion RCE” that can be used to locate potentially impacted systems.


February 2023 (CVE-2023-25136)

The OpenSSH team surfaced a security issue that specifically affected OpenSSH server version 9.1p1 (a.k.a. version 9.1). This version contained a memory double-free vulnerability (tracked as CVE-2023-25136) that could be reached pre-authentication by a remote attacker. Researchers, including JFrog and Qualys, had been investigating and providing proof-of-concepts of a denial-of-service scenario and remote code execution for the attacker.

What was the impact?

OpenSSH is a popular open source implementation of the SSH protocol and is available on many operating systems. The installation base for OpenSSH is quite large (Shodan reported ~48k public-facing instances of OpenSSH servers running version 9.1).

The denial-of-service attack vector could be successful against a number of operating systems running OpenSSH 9.1. However, it yielded limited results because it only crashed the forked daemon instance that had been spun up to handle the attacker’s SSH connection (leaving the parent ssh daemon still running to handle other incoming connections).

Exploitation of this vulnerability for remote code execution (RCE) was more complex, with a current proof-of-concept that only targeted OpenBSD 7.2 without memory protections in place (such as ASLR, NX, or ROP defenses) and with code execution still contained within the ssh daemon’s sandbox. As researchers continued to investigate RCE exploitation, other operating systems with attacker-bypassable memory malloc and double-free protections might have been discovered. Thus, the ability to fully execute attacker-controlled code outside of the ssh daemon sandbox, even with memory protections in place, might have been achieved.

OpenSSH version 9.2p1 (a.k.a version 9.2) was released and patched this vulnerability (CVE-2023-25136). For systems currently running OpenSSH 9.1, admins were encouraged to update to OpenSSH 9.2 or later.

How runZero users found vulnerable 9.1/9.1p1 OpenSSH services with runZero

runZero users located OpenSSH servers running the vulnerable 9.1/9.1p1 version on their networks using the following prebuilt query:

_asset.protocol:ssh AND protocol:ssh AND (_service.product:="OpenBSD:OpenSSH:9.1" OR _service.product:="OpenBSD:OpenSSH:9.1p1")


To locate all OpenSSH servers in your network, the following prebuilt query can be used:

product:"OpenSSH"

As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.
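The runZero queries above encode two ideas from this page: the regreSSHion range (portable 8.5p1 to 9.7p1, OpenBSD excluded, with known backported distro banners filtered out) and the earlier 9.1/9.1p1 check for CVE-2023-25136. The following banner triage script is an added example, not runZero's own code; it applies the same logic to raw SSH banner strings, with constructed sample banners and the assumption that a version without a "p" suffix is an OpenBSD-native build.

```python
import re

# Constructed sample banners (not from a real scan); suffixes follow the page's examples.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",    # Ubuntu 24.04 before the backport
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",  # Ubuntu 24.04 with the backport
    "SSH-2.0-OpenSSH_9.7",                       # no "p": OpenBSD build, not affected
    "SSH-2.0-OpenSSH_9.1p1 Debian-2",            # hits both CVEs discussed on the page
    "SSH-2.0-OpenSSH_9.8p1",                     # upstream fix
    "SSH-2.0-dropbear_2022.83",                  # not OpenSSH, ignored
]

# Distribution suffixes the page's service query excludes as already patched.
PATCHED_SUFFIXES = {
    "Ubuntu-3ubuntu13.3", "Ubuntu-3ubuntu0.10", "Ubuntu-1ubuntu3.6",
    "Debian-5+deb11u3", "Debian-2+deb12u3", "FreeBSD-20240701",
}

BANNER_RE = re.compile(r"^SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)(p\d+)?(?:\s+(\S+))?")

def parse_banner(banner):
    """Return (major, minor, portable, distro_suffix) or None for non-OpenSSH banners."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, p, suffix = m.groups()
    return int(major), int(minor), p is not None, suffix or ""

def classify(banner):
    """Return the page-listed CVEs a banner may still be exposed to, by version only.

    Assumption: a missing "p" means an OpenBSD-native build; some distributions strip
    the suffix too, so the os:OpenBSD check in the runZero query stays authoritative.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return set()
    major, minor, portable, suffix = parsed
    ver, findings = (major, minor), set()
    # CVE-2024-6387: portable 8.5p1 .. 9.7p1, minus banners known to carry the backport.
    if portable and (8, 5) <= ver <= (9, 7) and suffix not in PATCHED_SUFFIXES:
        findings.add("CVE-2024-6387")
    # CVE-2023-25136: exactly 9.1 / 9.1p1, OpenBSD builds included.
    if ver == (9, 1):
        findings.add("CVE-2023-25136")
    return findings

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:44} -> {sorted(classify(b)) or 'not flagged'}")
```

A banner that is flagged only tells you the version is in range; as the Ubuntu 24.04 example shows, the distro suffix decides whether the backported fix is present, so unknown suffixes need a package-level check.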

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
