Network Security, Vulnerability Management, Patch/Configuration Management

14 million OpenSSH servers exposed to the internet via regression flaw

Red glowing letters saying hacked on dark background with binary code

An unauthenticated remote code execution (RCE) flaw in OpenSSH’s server in glibc-based Linux systems was discovered, a flaw that if exploited, could lead to a full system compromise with no user interaction whatsoever.

In a July 1 blog post, the Qualys Threat Research Unit, said the flaw — CVE-2024-6387 — could have dire consequences, including letting an attacker execute arbitrary code with the highest privileges. This could potentially result in a complete system takeover, malware installation, data manipulation, and allowing an attacker to create backdoors for persistent access.

Based on searches using Censys and Shodan, the Qualys researchers identified  more than 14 million potentially vulnerable OpenSSH server instances exposed to the internet. They also found that anonymized data from Qualys customer data revealed that about 700,000 external internet-facing instances are vulnerable, accounting for 31% of all internet-facing instances with OpenSSH in the Qualys global customer base.

In its security analysis, the Qualys researchers identified that this vulnerability is a regression of CVE-2006-5051, a vulnerability first reported in 2006, which is why they named it regreSSHion. A regression happens when after a flaw gets fixed, it reappears in a subsequent software release, typically because of changes or updates that inadvertently reintroduce the issue. The regression itself was first introduced in October 2020 following code changes. The researcher also pointed out that this incident highlights the crucial role of thorough regression testing to prevent the reintroduction of known vulnerabilities into the environment.

"This vulnerability represents the first unauthenticated RCE vulnerability in OpenSSH in nearly two decades, allowing attackers to gain full root access to affected systems without authentication," explained Saeed Abbasi, product manager, vulnerability research at Qualys. "It's particularly concerning because it affects the default configuration of Open SSH and doesn't require user interaction. The ubiquity of OpenSSH as a secure communication method significantly broadens the potential repercussions of this vulnerability."

Callie Guenther, senior manager of threat research at Critical Start, and an SC Media columnist, added that because of its ability to grant unauthenticated remote code execution, this flaw can lead to full system compromises, malware installations, and network propagation.

Guenther said while Qualys outlines mitigations in the full report, she recommends security teams consider the following:

  • Patch management: Apply patches for OpenSSH immediately and ensure continuous update processes.
  • Enhanced access control: Restrict SSH access via network-based controls.
  • Network segmentation and intrusion detection: Segregate networks and deploy monitoring systems to detect exploitation attempts.
  • Temporary mitigation: If the team can’t apply patches right away, configure LoginGraceTime to 0 to prevent exploitation, although this exposes systems to potential denial-of-service.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.