Threat Briefing for OpenSSH “regreSSHion” Vulnerability

ExtraHop

July 12, 2024

On July 3, 2024, ExtraHop released a Threat Briefing in its RevealX network detection and response (NDR) platform for a recently identified high-severity vulnerability in OpenSSH’s server (sshd) dubbed CVE-2024-6387, also known as “regreSSHion.” The Threat Briefing for regreSSHion in RevealX helps organizations assess their exposure to this severe vulnerability by providing visibility into devices running vulnerable OpenSSH server versions.

OpenSSH is an open-source implementation of the Secure Shell (SSH) protocol, which is a “tool for secure system administration, file transfers, and other communication across the Internet or other untrusted network,” according to the SSH website.

According to TechTarget, “SSH provides strong password authentication and public key authentication, as well as encrypted data communications between two computers connecting over an open network.” Additionally, OpenSSH supports essential encryption technologies and runs by default across all Unix, Linux, and Mac servers, while also underpinning application security for millions of enterprises, including cloud environments crucial to Google, Amazon, Facebook, and other large technology organizations.

In fact, it’s so important that a freakishly serendipitous instance of SSH protocol performance monitoring may have recently saved the Internet from a catastrophic supply-chain attack. In late March, Microsoft engineer Andres Freund noticed that SSH was “running about 500 milliseconds more slowly than expected,” according to The Economist. This led Freund to probe the network anomaly more carefully. He found malicious code embedded deep inside XZ Utils, software designed to compress data used inside servers running the Linux operating system that form the foundation for the internet.

“The malicious code would have served as a ‘master key,’ allowing attackers to steal encrypted data or plant other malware,” noted The Economist report.

The narrowly averted XZ Utils catastrophe reveals the systemically significant role SSH plays in modern network operations, highlighting the uniquely severe nature of CVE-2024-6387.

2024 SSH Vulnerability Explained

Publicly reported by the Qualys Threat Research Unit (TRU) on July 1, 2024, CVE-2024-6387 is a “Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems,” according to TRU research. RCEs enable attackers to execute malicious commands on remote devices.

This vulnerability is a “signal handler race condition in OpenSSH’s server,” which enables remote code execution as “root on glibc-based Linux systems” and “presents a significant security risk,” according to Qualys research. The vendor also said that this “race condition affects sshd in its default configuration.” In other words, CVE-2024-6387 lets attackers achieve RCE by exploiting the timing of signal handling in sshd.

Impact of 2024 SSH Vulnerability “regreSSHion”

Given how foundational SSH is to the architecture of the modern web, the impact of a successful regreSSHion attack could be particularly disastrous. As noted by Qualys, the exploitation of this CVE “could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access.”

Qualys also said this attack chain could “facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization.” Additionally, “gaining root access would enable attackers to bypass critical security mechanisms such as firewalls, intrusion detection systems, and logging mechanisms, further obscuring their activities,” according to Qualys.

Furthermore, Qualys warned that an incident of this nature could result in “significant data breaches and leakage, giving attackers access to all data stored on the system, including sensitive or proprietary information that could be stolen or publicly disclosed.”

14 Million Potentially Vulnerable OpenSSH Server Instances

Using threat hunting tools Censys and Shodan, Qualys identified “over 14 million potentially vulnerable OpenSSH server instances exposed to the Internet,” according to their advisory. Qualys’ data also revealed that “approximately 700,000 external internet-facing instances are vulnerable.”

However, the exposed SSH resources tracked by Qualys are only externally facing server instances and, thus, the tip of the iceberg. There are millions of other internal OpenSSH instances that can be exploited by attackers should they breach organizational environments that contain these unpatched web resources.

Notably, this vulnerability is a “regression of the previously patched vulnerability CVE-2006-5051, which was reported in 2006,” according to Qualys. In this context, a regression is a previously fixed flaw that has “reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue,” according to Qualys. For this reason, CVE-2024-6387 has also been dubbed “regreSSHion.”

Qualys also noted that the discovery of CVE-2024-6387 “highlights the crucial role of thorough regression testing to prevent the reintroduction of known vulnerabilities into the environment.” Alarmingly, this vulnerability was reintroduced into OpenSSH in October 2020 (OpenSSH 8.5p1), per Qualys research, meaning that most SSH servers have been exploitable for the last four years.
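The following is an added example, not ExtraHop or RevealX code: it triages sshd identification strings that have already been observed passively, using the 8.5p1 starting point given above. The `fixed_release` parameter, the status names and the sample banners are assumptions; the page does not state the fixed release, so it has to be supplied from the vendor advisory.

```python
import re
from collections import defaultdict

# From the page: the regression was reintroduced in OpenSSH 8.5p1.
FIRST_AFFECTED = (8, 5)

# Server identification string: "SSH-<proto>-<software>[ <comment>]".
_BANNER = re.compile(r"^SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)(?:p\d+)?(?:\s+(.*))?$")

def classify(banner, fixed_release=None):
    """Classify one sshd banner against the regression range.

    fixed_release is a (major, minor) tuple taken from the vendor advisory
    (an assumption here; the page does not state it). With None, every
    release from 8.5 onward is treated as in range.
    """
    m = _BANNER.match(banner.strip())
    if not m:
        return "unrecognized"          # other SSH servers, odd banners
    version = (int(m.group(1)), int(m.group(2)))
    if version < FIRST_AFFECTED:
        return "predates-regression"
    if fixed_release is not None and version >= fixed_release:
        return "at-or-after-fixed"
    # A distro comment (e.g. "Ubuntu-3ubuntu0.6") means a fix may have been
    # backported without changing the upstream version in the banner.
    return "in-range-check-package" if m.group(3) else "in-range"

def triage(observed, fixed_release=None):
    """Group {host: banner} observations by classification."""
    groups = defaultdict(list)
    for host, banner in sorted(observed.items()):
        groups[classify(banner, fixed_release)].append(host)
    return dict(groups)

# Constructed sample: banners as seen on the wire (documentation addresses).
SAMPLE = {
    "192.0.2.10": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "192.0.2.11": "SSH-2.0-OpenSSH_7.4",
    "192.0.2.12": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2",
    "192.0.2.13": "SSH-2.0-dropbear_2022.83",
    "192.0.2.14": "SSH-2.0-OpenSSH_8.5",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:24} {', '.join(hosts)}")
```

A banner only reports the upstream version, so hosts in the `in-range-check-package` group need their installed package version confirmed before they are counted as exposed or cleared.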

How RevealX Detects Vulnerable SSH Servers

The catastrophic fallout projected from adversarial exploitation of CVE-2024-6387, combined with the alarming SSH-enabled discovery of the XZ Utils backdoor earlier this year, compels organizations to immediately evaluate their exposure to the regreSSHion vulnerability.

RevealX helps to detect the regreSSHion CVE by continuously monitoring SSH traffic for unusual patterns that may indicate exploitation of the vulnerability. For instance, a spike in failed login attempts can signal a brute-force attack aiming to exploit regreSSHion.

RevealX works by establishing a baseline of normal SSH traffic behavior. Deviations from this baseline - such as unusual connection times or unexpected data transfers - can indicate attempts to exploit the regreSSHion vulnerability, enabling the detection of both known and unknown threats.

By integrating threat intelligence, particularly from partners like CrowdStrike, RevealX can rapidly identify patterns and signatures associated with the regreSSHion CVE, generating alerts for suspicious activities, such as unauthorized access attempts or connections from malicious IPs, in real-time.

While other platforms may be able to detect exposed OpenSSH servers, RevealX is one of the few tools that can detect them in real-time, regardless of whether the tool is deployed on premises or in the cloud. EDR clients, on the other hand, may have a scheduled scan period. In addition to real-time monitoring, RevealX provides behavioral analysis, threat detection, and suspicious activity alerts, while intuitively guiding forensic investigators and incident responders.
