A serious security flaw dubbed “regreSSHion” in OpenSSH allows attackers to remotely execute code with root privileges on Linux systems running vulnerable versions (8.5p1 to 9.8p1). Discovered by Qualys, this vulnerability poses a significant risk of full system compromise, potentially allowing malware installation and network infiltration. Qualys advises promptly updating to OpenSSH version 9.8p1 and implementing network controls to mitigate the risk.
The mitigation for CVE-2024-6387 (regreSSHion) involves the following steps:
1. Update OpenSSH: The most effective mitigation is to update to the latest version of OpenSSH (9.8p1 or later) which contains the fix for this vulnerability.
2. Apply patches: If you’re using a Linux distribution, apply the latest security patches provided by your distribution. Ubuntu, Debian, Red Hat Enterprise Linux 9, and SUSE have already pushed patches to address this vulnerability.
3. Workaround if updating is not possible: If you cannot update or recompile sshd, set the LoginGraceTime parameter to 0 in the sshd config file. This prevents the remote code execution risk but may expose sshd to a denial of service attack by using up all MaxStartups connections.
4. Implement network-based controls: Limit SSH access through network-based controls to minimize attack risks.
5. Network segmentation: Segment your networks to restrict unauthorized access and lateral movement within critical environments.
6. Monitoring: Deploy systems to monitor and alert on unusual activities that may indicate exploitation attempts.
7. Check logs: Look for “many many lines of ‘timeout before authentication'” in your logs, which may indicate exploitation attempts.
8. Consider rate-limiting: Implement rate-limiting options on SSH access to deny connections from IP addresses that have attempted to initiate multiple connections over a short period.
It’s important to note that while exploitation has been demonstrated in lab environments, it typically requires 6-8 hours of continuous connection attempts (approximately 10,000 attempts) to exploit the race condition.
However, it’s crucial to address this vulnerability promptly, as exploit techniques are likely to improve over time.