Over 14 Million Servers May Be Affected by Bug First Fixed Decades Ago
More than 14 million servers may be affected by a vulnerability in a remote server management and file transfer tool that can allow hackers to completely take over the affected systems.
The unauthenticated remote code execution vulnerability in OpenSSH, dubbed “regreSSHion,” gives root privileges on glibc-based Linux systems, said Qualys in a Monday notification.
OpenSSH is a suite of tools built on the Secure Shell protocol and used for remote access, server management and file transfers.
Shodan and Censys scans show more than 14 million internet-exposed OpenSSH servers, while anonymized data from Qualys pegs the number of vulnerable instances at 700,000, or about one-third of its external internet-facing instances globally.
Tracked as CVE-2024-6387, the exploitation of this bug could allow the attacker to execute arbitrary code with the highest privileges and potentially install malware, manipulate data and create backdoors for persistent access in the system. It could also facilitate network propagation, allowing attackers to “use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization,” Qualys said.
The National Vulnerability Database had not assigned a CVSS score at the time of writing.
Qualys had fixed the flaw in 2006 – only to inadvertently reintroduce the issue 14 years later.
Bharat Jogi, senior director of Qualys' threat research unit, called it a case of “regression,” which in this context refers to a once-fixed flaw re-emerging in a subsequent software release, typically because later changes or updates inadvertently bring back the issue.
In this case, the new bug was reintroduced in October 2020 in OpenSSH version 8.5p1, after it was reported and patched as CVE-2006-5051 nearly two decades ago.
The flaw is hard to exploit. It requires the attackers to make multiple attempts in order to be successful. But artificial intelligence tools could help attackers “significantly increase the exploitation rate, potentially providing attackers with a substantial advantage in leveraging such security flaws,” Qualys said.
The researchers advise updating the OpenSSH server to version 9.8p1 to fix the vulnerability. They suggest restricting SSH access using network-based controls and putting network segmentation in place to prevent lateral movement by the attackers. A technical blog details other potential mitigation strategies.
As a workaround, the researchers suggest setting LoginGraceTime to 0 in the sshd configuration file, but say that it could open the server up to denial-of-service attacks.
The flaw may exist on macOS and Windows systems too, but the researchers did not confirm its exploitability.