
OpenSSH Vulnerability Could Affect 14 Million

Warning that the vulnerability allows unauthenticated remote code execution as root.

A remote unauthenticated code execution vulnerability has been discovered in OpenSSH's server.

According to the Qualys Threat Research Unit, which discovered the flaw, the vulnerability allows unauthenticated remote code execution as root on glibc-based Linux systems, and Censys and Shodan searches have identified over 14 million potentially vulnerable OpenSSH server instances exposed to the internet.

Anonymized data from Qualys also found that approximately 700,000 external internet-facing instances are vulnerable, accounting for 31% of all internet-facing instances with OpenSSH in its global customer base.

Previously Patched Vulnerability

This vulnerability has been identified as CVE-2024-6387 and is a regression of CVE-2006-5051, a previously patched vulnerability reported in 2006. Bharat Jogi, senior director of the Qualys Threat Research Unit, said that a regression in this context means a flaw that was once fixed has reappeared in a subsequent software release, typically because changes or updates inadvertently reintroduced the issue.

“This incident highlights the crucial role of thorough regression testing to prevent the reintroduction of known vulnerabilities into the environment,” he said. “This regression was introduced in October 2020 (OpenSSH 8.5p1).”

OpenSSH versions earlier than 4.4p1 are also vulnerable to this signal handler race condition unless they have been patched for CVE-2006-5051 and CVE-2008-4109.
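The two version boundaries above (pre-4.4p1, and the regression introduced in 8.5p1) are what a defender needs to triage an inventory of SSH banners. The following is an added example, not code from the article, from Qualys or from the OpenSSH project: it parses OpenSSH identification strings and sorts hosts into the buckets the article describes. The article does not name the release that repairs the regression, so the `fixed_from` parameter is a placeholder that must be filled in from the vendor advisory; the sample banners are constructed and do not come from any real host.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS: List[str] = [
    "SSH-2.0-OpenSSH_4.3",
    "SSH-2.0-OpenSSH_7.4",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "SSH-2.0-dropbear_2020.81",
]

# (major, minor). Both thresholds in the article are the first portable
# release ("p1") of their version, so major.minor comparison is sufficient.
Version = Tuple[int, int]

PRE_REGRESSION_FIXED: Version = (4, 4)  # earlier than 4.4p1: vulnerable unless backport-patched
REGRESSION_START: Version = (8, 5)      # 8.5p1 (October 2020) reintroduced the flaw

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_banner(banner: str) -> Optional[Version]:
    """Return (major, minor) from an SSH identification string, or None if not OpenSSH."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def classify(banner: str,
             fixed_from: Optional[Version] = None,
             backport_patched: bool = False) -> str:
    """Bucket a banner using the version ranges stated in the article.

    fixed_from: placeholder for the release that repairs the regression; the
                article does not state it, so supply it from the vendor advisory.
    backport_patched: set when you have confirmed the host carries the
                CVE-2006-5051 / CVE-2008-4109 fixes despite an old version string.
    """
    v = parse_banner(banner)
    if v is None:
        return "not-openssh"
    if v < PRE_REGRESSION_FIXED:
        return "patched-old" if backport_patched else "vulnerable-pre-4.4p1"
    if v < REGRESSION_START:
        return "not-affected"
    if fixed_from is not None and v >= fixed_from:
        return "fixed"
    return "regression-range"


def triage(banners: List[str], fixed_from: Optional[Version] = None) -> Dict[str, List[str]]:
    """Group banners by bucket so the regression-range hosts can be patched first."""
    buckets: Dict[str, List[str]] = {}
    for b in banners:
        buckets.setdefault(classify(b, fixed_from=fixed_from), []).append(b)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_BANNERS).items():
        print(f"{bucket}: {hosts}")
```

A banner check is a prioritization aid, not a verdict: distributions routinely backport fixes without changing the advertised version, so a host in the "regression-range" bucket must still be confirmed against the package changelog or the vendor's advisory before it is reported as vulnerable, and one outside it is not proof of safety.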

Qualys warned that, if exploited, this vulnerability could lead to full system compromise: an attacker could execute arbitrary code with the highest privileges, resulting in complete system takeover, malware installation, data manipulation and the creation of backdoors for persistent access.

Exploitation could also facilitate network propagation, allowing attackers to use a compromised system as a foothold to reach and exploit other vulnerable systems within the organization.

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
