ALERT: Update OpenSSH on Linux Servers for Critical Vulnerability

07/03/2024

This message is intended for U-M IT staff who are responsible for university Linux systems using OpenSSH server.


Summary

A critical vulnerability in OpenSSH server, dubbed “regreSSHion,” allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems. It is tracked as CVE-2024-6387. Apply the latest available update for the OpenSSH server (version 9.8p1) to fix the vulnerability.

Problem

OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol, which is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. The regreSSHion vulnerability in OpenSSH's server (sshd) could allow an unauthenticated attacker to execute code remotely as root on glibc-based Linux systems.

Threats

The vulnerability, a signal handler race condition in sshd, could allow unauthenticated remote attackers to execute arbitrary code as root. Qualys believes that around 700,000 internet-facing instances could feasibly be hit by regreSSHion.

Affected Versions

  • OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
  • Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which secured a previously unsafe function.
  • The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.

Action Items

Apply the latest available update for the OpenSSH server (version 9.8p1).

Technical Details

If a client does not authenticate within the login grace period that sshd allows for an authentication attempt (120 seconds by default), the server's SIGALRM handler runs asynchronously. That handler calls functions that are not async-signal-safe, and the resulting race condition can be exploited to execute arbitrary code.

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.


This item first appeared on the ITS website.