RegreSSHion: Security flaw in OpenSSH gives patient attackers root rights

Anyone who wants to exploit the newly revived old flaw in the SSH server needs patience: it takes around 8 hours to reach a root shell. But the attack works remotely.

[Figure: logo of the regreSSHion vulnerability. Image: J0hnTV/shutterstock.com]

This article was originally published in German and has been automatically translated.

Security researchers have revived an almost twenty-year-old vulnerability in the OpenSSH server and were able to use it to gain root privileges. During their research they developed a working exploit for current SSH versions, although some preconditions apply. Attackers also need to be patient: a successful attack takes several hours.

Software developers use the term "regression" for a bug that had already been fixed but reappears because of other changes to the source code. Researchers at the security company Qualys found exactly such a regression in the OpenSSH project and consequently named it "regreSSHion". The programming bug first appeared in 2006 as CVE-2006-5051; at the time, however, nobody managed to exploit it to execute their own commands. The OpenSSH team fixed the bug back then, but it was mistakenly reintroduced in October 2020.

The new incarnation, which now carries the CVE ID CVE-2024-6387 (no official CVSS value, but at least 9.0/10 according to the editors' estimate), is the same underlying bug: a race condition in the handling of SSH connections that fail to authenticate. If a client does not send any authentication data within 120 seconds (the duration is configurable), the SSH server's SIGALRM signal handler runs and logs the event, for example via syslog() calls. These functions are not async-signal-safe, that is, not designed to be called from a signal handler that can interrupt the program at an arbitrary point, which enables attackers with an excellent sense of timing to inject their own code.

Qualys researchers have successfully exploited this flaw in three different environments: in two ancient versions of the SSH server from 2006 and in OpenSSH 9.2p1 on Debian GNU/Linux. The latter build is from 2024 and therefore quite up to date. At present, it appears that only glibc-based systems can be attacked successfully; according to Qualys, OpenBSD in particular is immune.

Not only did the researchers have to get around various security mechanisms of the operating system and glibc, they also had to be patient: the exploit succeeds only in roughly one in ten thousand attempts, each of which first has to wait out the standard 120-second timeout (LoginGraceTime), and currently only on 32-bit systems. If the SSH server allows one hundred parallel connections, attackers succeed after six to eight hours; the current Debian default setting, however, allows only ten such connections. It should therefore take considerably longer for the regreSSHion exploit to yield a root shell.

Although the Qualys researchers were initially only successful on i386 systems, they say that an exploit for 64-bit Linux systems is in the works. Once it is ready, however, it should be even slower than its 32-bit counterpart: attackers could need more than eight hours, but less than a week, to gain root privileges.

The Qualys experts have published both a comprehensive theoretical derivation of the vulnerability and an account of their practical attempts to exploit it. The advisory provides an insight into the complexity of modern exploit development and also reads like an IT thriller.

According to the researchers at Qualys, the following OpenSSH versions are vulnerable:

  • OpenSSH in versions before 4.4p1, unless they have been subsequently secured against CVE-2006-5051 or CVE-2008-4109, and
  • OpenSSH 8.5p1 to 9.8; the first bug-fixed version is OpenSSH 9.8p1.

Admins should check whether their Linux systems are running the latest SSH versions. Both Debian and Ubuntu already have updated packages available; Red Hat is still investigating. According to initial analyses, however, only Red Hat Enterprise Linux 9 is affected, since all other Red Hat Enterprise Linux versions ship with older OpenSSH versions.
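As an added example (not from the article, Qualys or the OpenSSH project), the following POSIX shell function classifies the banner that `ssh -V` prints against the two affected ranges listed above; the function name and the constructed sample banners are my own.

```sh
#!/bin/sh
# Added example: classify an OpenSSH version banner against the affected ranges
# named in the article (before 4.4p1, and 8.5p1 up to but not including 9.8p1).
# Input: a banner such as "OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL 3.0.11 ..."
# Output: "vulnerable", "patched" or "unknown" (unknown = no OpenSSH version found).

openssh_status() {
    banner="$1"
    # Extract "major minor pN"; the portable "pN" suffix is optional.
    ver=$(printf '%s\n' "$banner" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p[0-9][0-9]*\)\{0,1\}.*/\1 \2 \3/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    set -- $ver
    major=$1; minor=$2; patch=${3#p}; patch=${patch:-0}
    # Fold the three components into one comparable integer: major*10000 + minor*100 + patch.
    n=$((major * 10000 + minor * 100 + patch))
    if [ "$n" -lt 40401 ]; then        # before 4.4p1: original CVE-2006-5051
        echo vulnerable
    elif [ "$n" -lt 80501 ]; then      # 4.4p1 .. 8.4p1: fix from 2006 still in place
        echo patched
    elif [ "$n" -lt 90801 ]; then      # 8.5p1 .. 9.7p1: regression (CVE-2024-6387)
        echo vulnerable
    else                               # 9.8p1 and later: fixed again
        echo patched
    fi
}

# Check the locally installed client/server build; ssh -V prints to stderr.
check_local_openssh() {
    openssh_status "$(ssh -V 2>&1)"
}
```

Distributions often backport the fix without changing the upstream version number, so a "vulnerable" result means "compare against your vendor's advisory", not a confirmed exposure.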

(cku)