Another week, and another seemingly hair-raising security issue crops up: this time it's a vulnerability in a tool millions of people use for remote access over networks, namely OpenSSH. It's a great tool, an open source implementation of the Secure Shell protocol that provides encrypted remote logins, command execution, file transfer and port forwarding.
Except a bug has been found that potentially makes that remote access tool a lot less secure. The flaw, tracked as CVE-2024-6387, is in sshd, the server component of OpenSSH. It was found by the Qualys Threat Research Unit, whose Internet scans suggest over 14 million potentially vulnerable OpenSSH server instances are exposed and can be reached over the Internet... which is ouch, to put it mildly.
OpenSSH comes installed by default on macOS, Linux distributions and the UNIX-like *BSDs. The security-oriented OpenBSD operating system, where OpenSSH is developed, isn't vulnerable: its signal handler uses syslog_r(), a variant of syslog() that is safe to call from a signal handler, which is exactly where the bug bites on other platforms. Qualys has so far demonstrated exploitation only on Linux systems using glibc; other platforms are untested rather than confirmed safe.
As per infosec industry custom, the critical bug was given a snazzy logo and a catchy name by Qualys: regreSSHion. That's because it is a regression. The underlying flaw, CVE-2006-5051, was fixed in 2006: when a client fails to authenticate within LoginGraceTime, sshd's SIGALRM handler runs and calls functions such as syslog() that are not async-signal-safe, creating an exploitable race condition. The fix was inadvertently undone in OpenSSH 8.5p1 in 2020, so versions 8.5p1 through 9.7p1 are affected again, and 9.8p1 restores the fix.
It's an 18-year-old flaw that was patched and reinstated in the later releases .... what else can go wrong? Thanks to @qualys for not releasing the report during the weekend. Monday seems busy for a lot of folks around. #regreSSHion #CVE20246387
— Faisal (@faisalusuf) July 1, 2024
Cutting to the chase: if an attacker is successful in exploiting the regreSSHion bug, it opens up the target system completely. Qualys said attackers can get unauthenticated remote code execution as root, the highest level of privilege for an account on UNIX-like systems. If you "get root" on a computer, you have access to everything on it: the data, the operating system and often the network it is on. It doesn't get much worse than that from a security point of view.
Luckily, testing shows that it's not all that easy to abuse the bug. It's a race condition, so it can take lots of attempts for an attack to succeed: Qualys needed about 10,000 tries on average to win the race, and with sshd's default LoginGraceTime of 120 seconds and MaxStartups of 10 that works out at roughly 6-8 hours on average to obtain a remote root shell against 32-bit Linux systems that use glibc, under lab conditions.
That relative slowness of the attack is not something anyone should rely on for security: a remotely exploitable root bug is worth its weight in gold in HackerLand, and people will put a lot of effort into refining the attack and making it work on 64-bit systems, which Qualys considers feasible but has not yet demonstrated.
Read OpenSSH's advisory on the bug and update your installations to 9.8p1 (or your distribution's backported fix), in other words. If you can't patch immediately, setting LoginGraceTime to 0 in sshd_config removes the vulnerable code path, but it lets unauthenticated clients tie up connection slots indefinitely, a denial-of-service risk, so treat it as a stopgap rather than a fix.
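For readers who want to triage their own estate, here is an added example (not code from the original article, from OpenSSH or from Qualys) that classifies an sshd identification banner against the affected version ranges given above and checks whether the LoginGraceTime workaround is in place, using the output format of `sshd -T`. The sample banners and the `sshd -T` excerpt are constructed for the example. The verdict names and the helper functions are my own naming, not anything OpenSSH ships.

```python
"""Triage helpers for CVE-2024-6387 (regreSSHion).

Added example: classifies an sshd banner against the affected version
ranges and reads LoginGraceTime from `sshd -T` output. Not OpenSSH's or
Qualys' code; function and verdict names are this example's own.
"""
import re
import socket

# Portable OpenSSH ranges from the advisory: 8.5p1 through 9.7p1 reintroduced
# the signal-handler race, 9.8p1 fixed it; releases before 4.4p1 still carry
# the original CVE-2006-5051 bug unless a vendor patched them.
REGRESSED_FIRST = (8, 5)
REGRESSED_LAST = (9, 7)
ORIGINAL_FIX = (4, 4)

# Matches the version inside e.g. "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5".
_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, portable_patch) from an SSH identification line.

    portable_patch is 0 for a native OpenBSD build (no 'pN' suffix). Returns
    None when the banner is not OpenSSH at all.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify_banner(banner):
    """Map a banner onto the affected ranges.

    Verdicts: 'not-openssh', 'openbsd-native-not-affected',
    'old-unpatched-2006-range', 'likely-vulnerable', 'not-affected-by-version'.
    'likely-vulnerable' only means the upstream version is in range:
    distributions backport the fix without bumping the banner, so confirm
    against the vendor's package changelog before raising a finding.
    """
    v = parse_openssh_version(banner)
    if v is None:
        return "not-openssh"
    major, minor, portable = v
    if portable == 0:
        return "openbsd-native-not-affected"
    mm = (major, minor)
    if mm < ORIGINAL_FIX:
        return "old-unpatched-2006-range"
    if REGRESSED_FIRST <= mm <= REGRESSED_LAST:
        return "likely-vulnerable"
    return "not-affected-by-version"


def login_grace_time(sshd_t_output):
    """Extract LoginGraceTime in seconds from `sshd -T` output; None if absent.

    0 disables the timer whose SIGALRM handler races, which closes the
    exploit path but lets unauthenticated clients hold connection slots
    forever, so it is a stopgap, not a substitute for patching.
    """
    for line in sshd_t_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            return int(parts[1])
    return None


def fetch_banner(host, port=22, timeout=5.0):
    """Read the server's identification line, the first line sshd sends."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = b""
        while not data.endswith(b"\n") and len(data) < 256:
            chunk = s.recv(256 - len(data))
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").strip()


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for b in ["SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5",
              "SSH-2.0-OpenSSH_9.8p1",
              "SSH-2.0-OpenSSH_9.7",
              "SSH-2.0-OpenSSH_4.3p2",
              "SSH-2.0-dropbear_2022.83"]:
        print(f"{b:45} -> {classify_banner(b)}")
    # Constructed `sshd -T` excerpt with the workaround applied.
    sample = "port 22\nlogingracetime 0\nmaxstartups 10:30:100"
    print("LoginGraceTime:", login_grace_time(sample))
```

Run `classify_banner(fetch_banner("host"))` against each SSH server in scope and treat every `likely-vulnerable` result as a lead to verify, not a confirmed finding; on the hosts themselves, `sudo sshd -T | grep -i logingracetime` gives the effective value that `login_grace_time()` parses.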