Millions of OpenSSH Servers at Risk Due to Newly Disclosed Vulnerability

Millions of OpenSSH servers are at risk from a newly disclosed vulnerability that could potentially lead to unauthenticated remote code execution. The vulnerability, known as regreSSHion and tracked as CVE-2024-6387, was identified by cybersecurity firm Qualys and has been likened in severity to the infamous Log4Shell vulnerability of 2021.

The flaw is a signal handler race condition in the OpenSSH server process ‘sshd’. It allows attackers to execute code remotely without authentication and with root privileges on glibc-based Linux systems. Whether Windows and macOS systems can be exploited remains uncertain. Successful exploitation of regreSSHion could result in a complete system takeover, facilitating the installation of malware and the establishment of backdoors.

OpenSSH, a protocol intended to secure communication over unsecured networks in a client-server framework, is extensively utilized by enterprises for remote server management and secure data transmission. Qualys reports that research using Shodan and Censys services has revealed over 14 million potentially vulnerable OpenSSH instances accessible directly from the internet, with approximately 700,000 of these systems appearing susceptible based on Qualys’ customer data.

CVE-2024-6387 is a regression of a previously patched flaw, CVE-2006-5051. The vulnerability resurfaced in October 2020 with the launch of OpenSSH 8.5p1 and impacts glibc-based Linux systems. Systems running OpenBSD, however, are immune to this threat due to a safeguard implemented in 2001. The vulnerability was inadvertently removed with the release of version 9.8p1, and organizations unable to promptly update are advised to deploy forthcoming patches from vendors.
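For triaging an asset inventory against the version range given above, the following added example (not code from Qualys or the OpenSSH project) sorts already-collected sshd banner strings into those inside and outside the 8.5p1 to 9.8p1 window. The host names, banners and status labels are constructed for illustration, and a banner version alone does not prove a host is vulnerable or patched, since distribution packages can carry a backported fix under an unchanged upstream version.

```python
import re

# Bounds as stated in the article: the flaw returned with 8.5p1 and is gone in 9.8p1.
FIRST_AFFECTED = (8, 5)
FIRST_FIXED = (9, 8)

# SSH identification string, e.g. "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3".
BANNER_RE = re.compile(
    r"^SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(?:p\d+)?(?:\s+(\S.*))?$"
)


def classify(banner):
    """Return (status, version, vendor_suffix) for one sshd banner."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return ("unknown", None, None)
    version = (int(m.group(1)), int(m.group(2)))
    vendor = m.group(3)
    if FIRST_AFFECTED <= version < FIRST_FIXED:
        # A vendor suffix means a distribution package: the upstream number
        # can stay in range after a backported fix, so check the package.
        status = "in-range-check-package" if vendor else "in-range"
    else:
        status = "outside-range"
    return (status, version, vendor)


def triage(inventory):
    """Group hosts by status; inventory maps host name -> banner string."""
    groups = {}
    for host, banner in sorted(inventory.items()):
        groups.setdefault(classify(banner)[0], []).append(host)
    return groups


# Constructed sample inventory (hosts and banners are made up for illustration).
SAMPLE = {
    "bastion-01": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
    "build-02": "SSH-2.0-OpenSSH_8.5p1",
    "db-03": "SSH-2.0-OpenSSH_9.8p1",
    "legacy-04": "SSH-2.0-OpenSSH_7.4",
    "appliance-05": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(status, hosts)
```

Hosts reported as `in-range-check-package` need their installed package version compared against the vendor's advisory rather than the upstream number.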

Qualys has refrained from sharing proof-of-concept (PoC) code to deter malicious exploitation but has disclosed technical details for regreSSHion and provided indicators of compromise (IoCs) to aid organizations in detecting potential attacks. This development serves as a reminder of the ongoing cybersecurity challenges faced by organizations and the critical importance of promptly addressing vulnerabilities to safeguard systems and data.
