14 million OpenSSH servers exposed to the internet via regression flaw

A significant remote code execution (RCE) vulnerability has been discovered in the OpenSSH server, affecting glibc-based Linux systems. The flaw, tracked as CVE-2024-6387, could, if exploited, lead to complete system takeover, malware installation, data manipulation, and the creation of backdoors for persistent access. Searches with Censys and Shodan turned up over 14 million potentially vulnerable OpenSSH server instances, of which around 700,000 external internet-facing instances are particularly at risk, according to the Qualys Threat Research Unit.

The vulnerability, named regreSSHion, is a regression of CVE-2006-5051, a flaw first reported in 2006. A regression occurs when a previously fixed flaw reappears in a later software release because subsequent changes or updates inadvertently reintroduce it. In this case the regression was introduced in October 2020 following code changes.

Saeed Abbasi, product manager, vulnerability research at Qualys, emphasized that this is the first unauthenticated RCE vulnerability in OpenSSH in nearly two decades, allowing attackers to gain full root access to affected systems without authentication. The ubiquity of OpenSSH as a secure communication method makes the potential repercussions of this vulnerability particularly concerning.

In light of this vulnerability, security teams are advised to implement patch management, enhanced access control, network segmentation, and intrusion detection to protect their systems. Patch management means applying the OpenSSH patches immediately and keeping a continuous update process in place. Enhanced access control means restricting SSH access through network-based controls. Network segmentation and intrusion detection mean segregating networks and deploying monitoring that can detect exploitation attempts. As a temporary mitigation while patches are pending, LoginGraceTime can be set to 0 to block the exploit path, but because sshd then no longer times out connections that never authenticate, systems may be exposed to denial-of-service.
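The two defender-side actions above, checking whether the LoginGraceTime stop-gap is actually in effect and watching sshd logs for exploitation attempts, can be scripted. The following is an added example, not code from the article or from the OpenSSH or Qualys teams. It assumes a plain sshd_config (first matching keyword wins, default LoginGraceTime of 120 seconds) and log lines in the shape of sshd's "Timeout before authentication for <ip> port <port>" message; the config fragments and log lines are constructed for the example, and the burst threshold is an arbitrary choice.

```python
"""Audit sshd_config for the LoginGraceTime stop-gap and count
pre-authentication timeouts per source address in sshd logs."""
import re
from collections import Counter

# Constructed sshd_config fragments (not taken from any real host).
WEAK_CONFIG = """
Port 22
#LoginGraceTime 2m
PermitRootLogin no
"""

MITIGATED_CONFIG = """
Port 22
LoginGraceTime 0
PermitRootLogin no
"""

# sshd accepts time values with optional s/m/h suffixes.
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600}
_GRACE_RE = re.compile(r"LoginGraceTime\s+(\d+)([smh]?)\s*$", re.IGNORECASE)


def login_grace_time(config_text: str) -> int:
    """Return the effective LoginGraceTime in seconds.

    Commented-out lines are ignored and, as in sshd, the first
    uncommented occurrence of the keyword wins. If the keyword is
    absent the assumed sshd default of 120 seconds (2m) applies."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _GRACE_RE.match(line)
        if m:
            value, unit = int(m.group(1)), m.group(2).lower()
            return value * _UNIT_SECONDS[unit]
    return 120


def grace_time_mitigated(config_text: str) -> bool:
    """True when the temporary mitigation (LoginGraceTime 0) is active.
    Note the trade-off: unauthenticated connections are then never
    timed out, so the host becomes easier to exhaust (denial-of-service)."""
    return login_grace_time(config_text) == 0


# Constructed log lines following the assumed sshd message format.
SAMPLE_LOG = """\
Jul  1 10:00:01 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
Jul  1 10:00:07 host sshd[1202]: Timeout before authentication for 203.0.113.9 port 40001
Jul  1 10:00:09 host sshd[1203]: Timeout before authentication for 203.0.113.9 port 40002
Jul  1 10:00:11 host sshd[1204]: Timeout before authentication for 198.51.100.4 port 43210
Jul  1 10:00:12 host sshd[1205]: Timeout before authentication for 203.0.113.9 port 40003
Jul  1 10:00:15 host sshd[1206]: Accepted publickey for bob from 10.0.0.6 port 51001 ssh2
"""

_TIMEOUT_RE = re.compile(
    r"sshd\[\d+\]: Timeout before authentication for (\S+) port \d+"
)


def timeout_sources(log_text: str) -> Counter:
    """Count 'Timeout before authentication' events per source address."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = _TIMEOUT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def suspicious_sources(log_text: str, threshold: int = 3) -> list[str]:
    """Addresses that hit the grace timeout at least `threshold` times.

    A single timeout is ordinary (a scanner, a stalled client); a burst
    of them from one address is the pattern worth alerting on and
    feeding into network-level blocking."""
    return sorted(ip for ip, n in timeout_sources(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("mitigated", MITIGATED_CONFIG)):
        print(f"{name}: LoginGraceTime={login_grace_time(cfg)}s "
              f"mitigated={grace_time_mitigated(cfg)}")
    print("suspicious sources:", suspicious_sources(SAMPLE_LOG))
```

The config check only reports the stop-gap, not the patch state; once the patched OpenSSH package is installed the grace time should be restored to its normal value, and note that with LoginGraceTime 0 the timeout log line above is no longer produced at all, so the log-based signal disappears while the mitigation is in place.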
