ALERT: Update OpenSSH on Linux Servers for Critical Vulnerability
Tuesday, July 2, 2024
This message is intended for U-M IT staff who are responsible for university Linux systems using OpenSSH server.
Summary
A critical vulnerability in OpenSSH server, dubbed “regreSSHion,” allows unauthenticated remote code execution (RCE) to get root privileges on glibc-based Linux systems. It is tracked as CVE 2024-6387. Apply the latest available update for the OpenSSH server (version 9.8p1) to fix the vulnerability.
Problem
OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol, which is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. The regreSSHion vulnerability in OpenSSH's server (sshd) could allow an unauthenticated attacker to use RCE to get root privileges on glibc-based Linux systems.
Threats
The vulnerability due to a signal handler race condition in sshd could allow unauthenticated remote attackers to execute arbitrary code as root. Qualys believes that around 700,000 internet-facing instances could feasibly be hit by regreSSHion.
Affected Versions
- OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
- Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which secured a previously unsafe function.
- The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.
Action Items
Apply the latest available update for the OpenSSH server (version 9.8p1).
Technical Details
If a client doesn't authenticate within the maximum time a successful authentication attempt to sshd is allowed (set to 120 seconds by default), the server's SIGALRM handler is called asynchronously. This signal handler can then call functions that aren't async-signal-safe, which can be exploited to execute arbitrary code.
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server (Qualys, 7/1/24)
- Millions of OpenSSH Servers Potentially Vulnerable to Remote regreSSHion Attack (Security Week, 7/1/24)
- New regreSSHion OpenSSH RCE bug gives root on Linux servers (Bleeping Computer, 7/1/24)
- Nasty regreSSHion bug in OpenSSH puts around 700K Linux boxes at risk (The Register, 7/1/24)