Proof of Concept Released for Critical RegreSSHion Vulnerability
Overview
The name RegreSSHion refers to a vulnerability tracked as CVE-2024-6387 within OpenSSH that enables remote code execution and potentially grants attackers root privileges on servers running the OpenSSH server. It was uncovered by the Qualys Threat Research Unit in May 2024.
RegreSSHion is present in every version of OpenSSH from 8.5p1 through 9.7p1. A fix was delivered on the day of publication in 9.8p1. At the time of publication, Qualys reported that 14 million publicly accessible OpenSSH instances could have been exposed to this threat. Responsible disclosure was practised, allowing OpenSSH contributors to develop a fix before the vulnerability was made public. Readers should note that only Linux systems using the GNU C Library (commonly referred to as glibc) as their standard C library were affected. This leaves all other platforms unaffected by RegreSSHion at the time of writing.
Technical Overview
A race condition in the signal handler of sshd (the OpenSSH server component) sits at the core of the RegreSSHion vulnerability. Exploitation occurs when an SSH client fails to authenticate within the configured login grace period. Once the timeout occurs, sshd's signal handler is invoked asynchronously. This handler calls functions that are not async-signal-safe, which introduces a race condition. The vulnerability is a regression of an older one, tracked as CVE-2006-5051, which was present in OpenSSH versions 4.4p1 and below and was triggered through an asynchronous call to the free() function. The removal of a crucial condition that had mitigated the earlier vulnerability introduced CVE-2024-6387, which instead targets free() and malloc().
Impact
RegreSSHion (CVE-2024-6387) poses a critical risk to organisations running OpenSSH versions 8.5p1 through 9.7p1. By exploiting the race condition in sshd's signal handler, attackers can execute arbitrary code remotely and potentially escalate their privileges to root on affected servers. The scope of this vulnerability is significant, as Qualys estimated that 14 million publicly accessible OpenSSH instances were at risk when the vulnerability was disclosed.
It is important to note that only Linux distributions using the GNU C Library (glibc) are currently affected. Other platforms, which do not rely on glibc, are not impacted by RegreSSHion. Nonetheless, because OpenSSH is commonly used to administer systems remotely, a successful exploit could allow attackers to fully compromise a target server, steal sensitive data, install persistent backdoors, or move laterally across a network. Organisations using vulnerable versions of OpenSSH are therefore urged to update to OpenSSH 9.8p1 or later as soon as possible.
Vulnerability Detection
OpenSSH versions 8.5p1 through 9.7p1 are likely to contain the RegreSSHion vulnerability. However, many Linux distributions backport security patches into older versions, so merely comparing upstream OpenSSH version numbers is not a reliable way to determine whether RegreSSHion is present. In such cases, it is essential to consult the distribution’s documentation and changelogs to confirm whether the packaged OpenSSH application is vulnerable.
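The check described above, as an added example that is not part of the bulletin or the OpenSSH project: the script classifies SSH server banners against the upstream 8.5 to 9.7 range and, when a banner carries a vendor suffix (a distribution build), reports that the version number alone is not conclusive and the package changelog must be consulted. The banners are constructed strings, not captures from real hosts; on a live system the banner is the first line a server sends on its SSH port.

```sh
# Added example for this bulletin, not code from OpenSSH or Qualys.
# Classifies an SSH server banner against the upstream range the bulletin
# names (8.5p1 through 9.7p1). The banners below are constructed strings.

# Print "major.minor" from a banner such as "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5";
# prints nothing for a non-OpenSSH banner.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Print whatever follows the version token (a vendor suffix such as
# "Ubuntu-3ubuntu13.5"); empty for a plain upstream banner.
distro_suffix() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_[0-9][0-9.p]*[[:space:]]*\(.*\)$/\1/p'
}

# Succeed (exit 0) when the upstream version lies within 8.5 .. 9.7 inclusive.
# Versions are compared as major*1000+minor so that 9.10 would sort after 9.7.
in_affected_range() {
    ver=$(openssh_version "$1")
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    minor=${ver#*.}
    n=$((major * 1000 + minor))
    [ "$n" -ge 8005 ] && [ "$n" -le 9007 ]
}

# Print a one-word verdict. A vendor suffix means the package may carry a
# backported fix, so the version number is not conclusive and the
# distribution changelog must be checked, as the bulletin says.
classify_banner() {
    if [ -z "$(openssh_version "$1")" ]; then
        printf 'not-openssh\n'
    elif in_affected_range "$1"; then
        if [ -n "$(distro_suffix "$1")" ]; then
            printf 'in-range-vendor-build-check-changelog\n'
        else
            printf 'in-range-upstream\n'
        fi
    else
        printf 'outside-range\n'
    fi
}

# Constructed sample banners (not captured from real hosts).
for banner in \
    'SSH-2.0-OpenSSH_8.4p1' \
    'SSH-2.0-OpenSSH_8.5p1' \
    'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5' \
    'SSH-2.0-OpenSSH_9.8p1' \
    'SSH-2.0-OpenSSH_10.0' \
    'SSH-2.0-dropbear_2022.83'
do
    printf '%-45s %s\n' "$banner" "$(classify_banner "$banner")"
done
```

The verdict for a vendor build is deliberately not "vulnerable": a distribution package reporting 9.6p1 may already contain the backported fix, which is exactly why the bulletin directs administrators to the distribution's documentation and changelogs rather than the version string.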
Exploitation
Exploitation of RegreSSHion requires some effort, and exploitation attempts may leave an audit trail. Vulnerabilities arising from race conditions typically require multiple attempts before the desired outcome is achieved, and RegreSSHion is no exception.
This bulletin follows the release of a proof-of-concept exploit, which could make exploitation more accessible; administrators should expect more exploitation attempts now that the proof of concept is public.
Although the discovery of the vulnerability is dated around July 2024, it was introduced into OpenSSH in October 2020 and remained present until disclosure.
Containment, Mitigations & Remediations
Administrators should apply patches to the OpenSSH application as soon as possible if they suspect they are vulnerable. Additionally, where patching remains difficult, it is possible to set the login grace period (the sshd LoginGraceTime option) to 0. However, this opens OpenSSH servers up to denial-of-service attacks and should only be considered a temporary workaround.
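The temporary workaround above, as an added example that is not part of the bulletin or the OpenSSH project: the script applies LoginGraceTime 0 to a constructed copy of sshd_config and reads back the value sshd would use. It relies on two facts about sshd configuration parsing, that the first occurrence of a keyword wins and that the built-in default is 120 seconds; the sample file, the temporary directory and the helper names are all constructed for this example.

```sh
# Added example for this bulletin, not from the OpenSSH project: apply the
# temporary LoginGraceTime 0 workaround to a constructed sshd_config copy and
# read back the value sshd would use. sshd honours the FIRST occurrence of a
# keyword, so the new directive goes at the top of the file after any earlier
# active occurrence is removed (lines starting with '#' are comments and stay).

# Print the value sshd would use, or the built-in default of 120 seconds if
# the file sets none.
effective_login_grace_time() {
    val=$(grep -i '^[[:space:]]*LoginGraceTime[[:space:]]' "$1" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${val:-120}"
}

# Rewrite the file so that exactly one active LoginGraceTime line exists,
# carrying the requested value, and it is the first one sshd will read.
set_login_grace_time() {
    file=$1
    value=$2
    tmp="${file}.tmp"
    {
        printf 'LoginGraceTime %s\n' "$value"
        grep -v -i '^[[:space:]]*LoginGraceTime[[:space:]]' "$file" || true
    } > "$tmp"
    mv "$tmp" "$file"
}

# Constructed sample configuration (not a real host's file).
workdir=$(mktemp -d)
cfg="$workdir/sshd_config"
cat > "$cfg" <<'EOF'
# sample sshd_config
Port 22
#LoginGraceTime 2m
LoginGraceTime 120
PermitRootLogin no
EOF

before=$(effective_login_grace_time "$cfg")
set_login_grace_time "$cfg" 0
after=$(effective_login_grace_time "$cfg")
printf 'LoginGraceTime before=%s after=%s\n' "$before" "$after"
# On a real host, validate the edited file with 'sshd -t' and reload the
# service afterwards. A value of 0 removes the timeout entirely, which is the
# denial-of-service exposure the bulletin warns about, so revert the change
# once the patched package (9.8p1 or a distribution backport) is installed.
```

Removing earlier active occurrences rather than appending matters: appending `LoginGraceTime 0` below an existing `LoginGraceTime 120` would leave the original value in force, and the workaround would silently do nothing.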
Additional Information
The GitHub commit that re-introduced the vulnerability: "upstream: revised log infrastructure for OpenSSH" (openssh/openssh-portable@752250c).
Critical Apache Struts File Upload Vulnerability
Overview
A critical severity vulnerability in Apache Struts with a CVSS version 4.0 score of 9.5 has been reported under CVE-2024-53677.
A flaw in the file upload logic of Apache Struts can allow attackers to manipulate file upload parameters to enable path traversal, thus potentially allowing them to upload files to restricted directories or perform Remote Code Execution.
Impact
This vulnerability can be exploited to allow an attacker to upload malicious payloads which could then be used to run malicious commands, download additional malicious packages, or access and exfiltrate confidential data.
Vulnerability Detection
Apache has released a security update addressing the flaw. Struts 2.0.0 through 2.3.37 (EOL), Struts 2.5.0 through 2.5.33 (EOL), and Struts 6.0.0 through 6.3.0.2 are affected when the File Upload Interceptor is in use.
Exploitation
Multiple instances of malicious activity matching the publicly available Proof of Concept have been reported.
Containment, Mitigations & Remediations
We recommend that all users of vulnerable versions update to Struts 6.4.0 or later and migrate from the File Upload Interceptor to the newer Action File Upload as soon as possible.
Please note that Action File Upload is not backwards compatible with existing actions written for the File Upload Interceptor, so these will need to be rewritten. Continuing to use the File Upload Interceptor, however, leaves you vulnerable to this attack.
There is no known workaround at this time.
Threat Landscape
Apache Struts is a free, open-source web framework for developing Java web applications. It is integral to many corporate IT systems, used in public-facing portals, internal productivity tools, and many business-critical processes. Because of its widespread use in critical environments, exploitation could have significant and far-reaching consequences.