‘RegreSSHion’ bug raises alarms but experts question chances of widespread exploitation

A new vulnerability affecting Linux systems has caused alarm over the last 48 hours among security researchers, although some experts have cast doubts about whether widespread exploitation of the bug is likely. 

On Monday, researchers from cybersecurity firm Qualys unveiled a report on CVE-2024-6387 — colloquially known as “RegreSSHion.” A patch is available to resolve the issue.

The vulnerability is found in OpenSSH’s server in glibc-based Linux systems. 

Saeed Abbasi, product manager of vulnerability research at Qualys, told Recorded Future News the best way to understand the issue is to imagine a very secure lock on your front door that only lets people in if they have the right key.

“This lock is used in many houses worldwide because it is very safe. However, we’ve discovered a flaw in this lock — a hidden way to open it without a key, and someone could sneak in without you noticing,” he said. 

Matt Moore, the chief technology officer at the security company Chainguard, explained that OpenSSH is a free open source collection of networking tools used predominantly by system administrators to manage remote systems across platforms. 

It is also used for securely transferring files and for accessing services in the cloud without exposing a local machine's ports to the Internet, he said. OpenSSH encrypts all traffic between client and server to prevent eavesdropping, connection hijacking, and other attacks.

“In simpler terms, this is the equivalent of a bank vault being already unlocked during a robbery, attackers can use this to gain access and then laterally move to where the most important information is,” Moore said.

If exploited, the vulnerability would allow for a full system takeover where an attacker could install malware, manipulate data and create backdoors for persistent access. The researchers found that it is actually a version of a bug that was previously resolved — CVE-2006-5051 — and then reintroduced after recent code changes. 

Qualys’s Abbasi explained that searches on tools like Censys and Shodan show potentially 14 million internet-facing server instances that may be vulnerable to the bug, although Moore said it appears the blast radius for the bug is smaller than the entirety of the ecosystem using OpenSSH. 

Abbasi said the bug was particularly concerning because it affects the default configuration of OpenSSH and doesn't require user interaction.

The ubiquity of OpenSSH as a secure communication method “significantly broadens the potential repercussions of this vulnerability,” he added. 

“Within an enterprise setting, OpenSSH is utilized across various platforms, such as on-premise servers, cloud infrastructures, development environments, workstations, laptops, containerized environments, and network devices. This extensive deployment highlights the widespread impact a vulnerability could have,” he said. 

Questions about exploitation

While most experts said concerns about the bug were justified, others cast doubt on its severity. 

Moore noted the exploits for the vulnerability appear to only be viable for a certain kind of Linux server, most of which are relegated to 15-year-old systems. 

While it is not difficult to install the patch, the larger issue according to Moore is identifying what instances are using vulnerable versions. Organizations should focus on upgrading to the latest version of OpenSSH, with a priority placed on publicly exposed instances. 

Some tools identifying vulnerable systems have been created to help those in need. 

Experts at the cybersecurity firms Wiz and Palo Alto Networks said widespread exploitation is unlikely. Wiz said an attacker would need to know the version of Linux they are targeting in order to tailor the exploit, making the bug “inappropriate for widespread opportunistic exploitation.”

Palo Alto Networks said proof of concept code released on Monday has not worked in their exploit attempts, and as of Tuesday they have seen no exploit attempts in the wild. 

Contrast Security co-founder Jeff Williams added that attacks involving the vulnerability are “a bit noisy” and may take thousands of attempts to succeed — allowing defenders to detect and prevent the attacks before they are successful. Wiz echoed that assessment, explaining that successful exploitation “usually takes several hours of login attempts in total.” 

“No need to hit the panic button at this time,” said Ben Lister, threat research engineer at NetSPI.

“Due to its complexity, it would take an attacker between six hours and a week of persistent effort to successfully exploit the condition and gain a root shell — making it highly unlikely that we’ll experience mass exploitation, as we've seen with similar vulnerabilities. However, organizations should remain proactive and vigilant against the exploit.”