
Over 14M servers may be vulnerable to OpenSSH's regreSSHion RCE flaw. Here's what you need to do

OpenSSH, the bedrock of secure Linux network access, has a nasty security flaw.
Written by Steven Vaughan-Nichols, Senior Contributing Editor
[Image: regression.png (credit: Qualys)]

Hold onto your SSH keys, folks! A critical vulnerability has just rocked OpenSSH, Linux's secure remote access foundation, causing seasoned sysadmins to break out in a cold sweat.

Dubbed "regreSSHion" and tagged as CVE-2024-6387, this nasty bug allows unauthenticated remote code execution (RCE) on OpenSSH servers running on glibc-based Linux systems. We're not talking about some minor privilege escalation here -- this flaw hands over full root access on a silver platter.


For those who've been around the Linux block a few times, this feels like déjà vu. The vulnerability is a regression of CVE-2006-5051, a bug patched back in 2006. This old foe somehow snuck back into the code in October 2020 with OpenSSH 8.5p1.

Thankfully, the Qualys Threat Research Unit uncovered this digital skeleton in OpenSSH's closet. Unfortunately, this vulnerability affects the default configuration and doesn't need any user interaction to exploit. In other words, it's a vulnerability that keeps security professionals up at night.

It's hard to overstate the potential impact of this flaw. OpenSSH is the de facto standard for secure remote access and file transfer in Unix-like systems, including Linux and macOS. It's the Swiss Army knife of secure communication for sysadmins and developers worldwide.

The good news is that not all Linux distributions ship the vulnerable code. OpenSSH versions earlier than 4.4p1 are vulnerable to this signal-handler race condition unless they have been patched for CVE-2006-5051 and CVE-2008-4109.

Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable. The bad news is that the vulnerability resurfaced in OpenSSH 8.5p1 up to, but not including, 9.8p1, because a critical component was accidentally removed.
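The version ranges above are easy to misread when you are triaging a fleet, so here is a small POSIX shell helper (an added example, not code from the article or from Qualys) that takes the output of `ssh -V` and classifies it into the ranges the article gives. The function names and the range labels are my own; the boundaries come from the article. One caveat the check cannot resolve on its own: many distributions backport the fix without changing the upstream version string, so a result of "vulnerable" from the version alone must be confirmed against the vendor's package version and advisory before you treat the host as exposed.

```shell
#!/bin/sh
# Added example: classify an OpenSSH version string against the regreSSHion
# (CVE-2024-6387) ranges stated in the article. Not part of OpenSSH or Qualys tooling.
#
# Ranges per the article:
#   < 4.4p1            vulnerable unless patched for CVE-2006-5051 / CVE-2008-4109
#   4.4p1 .. < 8.5p1   not vulnerable
#   8.5p1 .. < 9.8p1   vulnerable (the regression)
#   >= 9.8p1           fixed
#
# Assumption: distribution backports keep the upstream version string, so a
# "vulnerable" verdict here is a prompt to check the vendor advisory, not proof.

# Reduce "OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL ..." to MAJOR*100+MINOR (e.g. 906).
# The patchlevel is dropped on purpose: every boundary above (4.4p1, 8.5p1, 9.8p1)
# is the first portable release of its major.minor, so major.minor alone decides.
ssh_version_key() {
    parsed=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p')
    [ -n "$parsed" ] || return 1
    set -- $parsed
    echo $(($1 * 100 + $2))
}

# Print one of: vulnerable-unless-patched-for-CVE-2006-5051, not-vulnerable,
# vulnerable, fixed, or unknown (string did not look like an OpenSSH version).
regresshion_status() {
    key=$(ssh_version_key "$1") || { echo "unknown"; return 2; }
    if [ "$key" -lt 404 ]; then
        echo "vulnerable-unless-patched-for-CVE-2006-5051"   # pre-4.4p1
    elif [ "$key" -lt 805 ]; then
        echo "not-vulnerable"                               # 4.4p1 .. 8.4p1
    elif [ "$key" -lt 908 ]; then
        echo "vulnerable"                                   # 8.5p1 .. 9.7p1
    else
        echo "fixed"                                        # 9.8p1 and later
    fi
}

# Stand-alone use: classify the locally installed OpenSSH. `ssh -V` prints to
# stderr, hence the redirect. Assumption: client and server come from the same
# upstream release on this host; confirm with your package manager.
if command -v ssh >/dev/null 2>&1; then
    local_version=$(ssh -V 2>&1)
    printf '%s -> %s\n' "$local_version" "$(regresshion_status "$local_version")"
fi
```

To sweep many hosts, feed each host's `ssh -V` line to `regresshion_status` and reconcile every "vulnerable" result with the package version (`dpkg -l openssh-server` or `rpm -q openssh-server`) against the distribution's advisory for CVE-2024-6387.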


Qualys has found over 14 million potentially vulnerable OpenSSH server internet instances. The company believes that approximately 700,000 of these external internet-facing instances are definitely vulnerable.

A patch, OpenSSH 9.8/9.8p1, is now available. Many, but not all, Linux distributions have made it available. If you can get it, install it as soon as possible.

If you can't install a patch for some reason, consider protecting yourself against the regreSSHion vulnerability by setting LoginGraceTime to 0 in the sshd configuration file (by default, this file is /etc/ssh/sshd_config). This setting is not a perfect solution; it will prevent exploits but exposes your systems to potential denial-of-service (DoS) attacks.
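Two details about that workaround trip people up in practice: sshd uses the first value it reads for a keyword (so a `LoginGraceTime 2m` earlier in the file, or in an included drop-in, silently wins over a `LoginGraceTime 0` added at the bottom), and the value accepts time suffixes such as `2m`. The following POSIX shell helper, an added example that is not from the article, reports the effective LoginGraceTime of an sshd_config read from standard input and says whether the workaround is in force. The function names and the sample configurations are mine; the first-value-wins rule and the 120-second default are documented sshd behaviour. The parser does not follow `Include` directives, so run it on the fully assembled configuration.

```shell
#!/bin/sh
# Added example: audit the LoginGraceTime workaround for regreSSHion (CVE-2024-6387).
# Not part of OpenSSH. Reads sshd_config text from stdin; does not follow Include.

# Convert an sshd time value ("0", "120", "2m", "1h30m") to seconds.
# sshd accepts bare seconds or numbers with s/m/h/d/w suffixes, concatenated.
sshd_time_to_seconds() {
    total=0
    rest=$1
    while [ -n "$rest" ]; do
        num=$(printf '%s' "$rest" | sed -n 's/^\([0-9][0-9]*\).*/\1/p')
        [ -n "$num" ] || return 1            # not a number: reject
        rest=${rest#"$num"}
        unit=$(printf '%s' "$rest" | cut -c1)
        if [ -n "$unit" ]; then rest=${rest#?}; fi
        case $unit in
            ''|s) mult=1 ;;
            m)    mult=60 ;;
            h)    mult=3600 ;;
            d)    mult=86400 ;;
            w)    mult=604800 ;;
            *)    return 1 ;;                # unknown suffix: reject
        esac
        total=$((total + num * mult))
    done
    echo "$total"
}

# Print the effective LoginGraceTime in seconds for the config on stdin.
# sshd keeps the FIRST value it sees for a keyword; comments (#) are ignored;
# "Keyword value" and "Keyword=value" forms are both accepted. Default: 120 (2m).
effective_login_grace_time() {
    value=$(awk '{
        sub(/^[ \t]+/, "")
        n = split($0, f, "[ \t=]+")
        if (n >= 2 && tolower(f[1]) == "logingracetime") { print f[2]; exit }
    }')
    [ -n "$value" ] || value=2m
    sshd_time_to_seconds "$value"
}

# Verdict for the workaround described in the article.
regresshion_mitigation_status() {
    secs=$(effective_login_grace_time) || { echo "unknown"; return 1; }
    if [ "$secs" -eq 0 ]; then
        echo "mitigated-by-LoginGraceTime-0"
    else
        echo "not-mitigated (LoginGraceTime=${secs}s)"
    fi
}

# Constructed sample: the admin appended "LoginGraceTime 0", but an earlier
# "2m" is read first, so the workaround is NOT in effect (result: 120).
SAMPLE_UNMITIGATED='# constructed sample, not a real host
Port 22
LoginGraceTime 2m
PermitRootLogin no
LoginGraceTime 0'

# Constructed sample: the 0 comes first and the old value is commented out (result: 0).
SAMPLE_MITIGATED='# constructed sample, not a real host
LoginGraceTime 0
#LoginGraceTime 2m
PermitRootLogin no'

# Stand-alone use: show both verdicts.
printf '%s\n' "$SAMPLE_UNMITIGATED" | regresshion_mitigation_status
printf '%s\n' "$SAMPLE_MITIGATED" | regresshion_mitigation_status
```

On a live host, run `sshd -T | grep -i logingracetime` to let sshd itself report the effective value after resolving every Include and Match block, then reload sshd and confirm the value again; the helper above is for reviewing configuration files you cannot load on the host (backups, configuration-management templates, golden images).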

As such, make sure to restrict SSH access to your server using network-based controls to limit potential attack vectors. Since this type of attack requires a large number of connection attempts, you should configure your firewall and network-monitoring tools to detect and block the flood of connections needed to exploit this vulnerability.


Finally, if your distribution has not yet shipped the OpenSSH patches, keep an eye out for them; they'll be out shortly. When they do become available, apply them as soon as possible.

You can significantly reduce your exposure to the regreSSHion security hole by implementing these measures -- and you'll be glad you did.
