Researchers uncover rare, difficult-to-exploit OpenSSH vulnerability
It’s not often that an OpenSSH vulnerability is discovered, so when researchers at the cybersecurity firm Qualys revealed a flaw in the widely used secure communications protocol, it set the security community buzzing.
The vulnerability in the OpenSSH networking tool affects nearly 14 million instances, according to Qualys, and experts are scrambling to patch the bug before it is exploited. Dubbed regreSSHion, the vulnerability is severe and can be used to gain full access to affected systems and to bypass firewalls. The bug takes advantage of a timing issue that was fixed nearly a decade ago but was reintroduced in 2020, a phenomenon known as a “regression” that inspired the bug’s name.
But experts are cautioning that the bug — CVE-2024-6387 — is difficult to exploit even under the best conditions, and most modern systems have defenses against this type of attack.
Omkhar Arasaratnam, general manager of the Open Source Security Foundation, said the researchers had to use specific laboratory conditions to ensure a successful intrusion.
“Qualys came up with situations through which they were able to take a thing that may take weeks to a thing that could take hours, but it still relied upon an intentionally fragile environment for it to execute,” Arasaratnam said, noting that finding a bug in a program thought by many to be “rock solid” is impressive work.
OpenSSH noted that it took them eight hours of continuous connection before they were able to replicate a successful attack.
Jake Williams, former National Security Agency hacker, faculty at IANS Research and the vice president of research and development at Hunter Strategy, said in an email that the severity of the bug should not be overstated, cautioning that the “Internet is NOT on fire.”
“This disclosure also provides another opportunity to talk about the importance of zero trust. Most organizations don’t need SSH open to the whole Internet,” Sullivan said.
Qualys is not releasing a proof of concept for the vulnerability, and so far no successful exploits have been released in the wild, giving defenders time to mitigate the bug.
Still, the discovery of a vulnerability in a ubiquitous piece of open-source software raises concerns that it will linger unpatched on significant numbers of systems. Vulnerable versions of the software Log4j are still prevalent in the wild and exploited by state-backed hackers, even though the Log4Shell exploit was revealed years ago.
RegreSSHion appears to affect only 32-bit Linux systems, which are typically older computers that, in this case, lack a modern security technique that appears to block the bug; this dramatically reduces the number of affected systems.
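The experts quoted above frame the practical defence as limiting exposure: patch, and do not leave SSH open to the whole Internet. The following is an added example, not code from the article, Qualys or the OpenSSH project, that audits an sshd_config file for the settings a defender would check during this kind of response: whether sshd listens on every interface, whether the unauthenticated login window (LoginGraceTime) is left open, and whether logins are restricted to named users or groups. The sample configurations are constructed for the example. The LoginGraceTime check reflects the interim workaround named in the Qualys advisory for CVE-2024-6387 (setting it to 0 disables the timeout and removes the timing window, at the cost of easier connection exhaustion); that detail is not stated in the article itself.

```python
"""Audit an sshd_config for exposure settings relevant to an OpenSSH response.

Added example for the regreSSHion article; not the project's own code.
Checks are deliberately conservative: they only read configuration text.
"""
import re
from typing import Dict, List

# Constructed sample: a permissive configuration of the kind the article warns about.
SAMPLE_EXPOSED_CONFIG = """
# constructed sample, not from a real host
Port 22
ListenAddress 0.0.0.0
LoginGraceTime 120
PermitRootLogin yes
PasswordAuthentication yes
#AllowUsers deploy
"""

# Constructed sample: the same host after the exposure has been tightened.
SAMPLE_HARDENED_CONFIG = """
# constructed sample, not from a real host
Port 22
ListenAddress 10.0.5.1
LoginGraceTime 0
AllowUsers deploy ops
PermitRootLogin no
PasswordAuthentication no
"""


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Parse 'Keyword value' (or 'Keyword=value') lines into a dict.

    Keywords are case-insensitive in sshd_config, so they are lower-cased.
    Comments and blank lines are skipped. Every value of a repeated keyword is
    kept, because ListenAddress may legitimately appear several times.
    """
    cfg: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s*[=\s]\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        cfg.setdefault(key, []).append(value)
    return cfg


def _is_wildcard(addr: str) -> bool:
    """True for the address forms that make sshd bind every interface."""
    a = addr.strip()
    return (a in ("0.0.0.0", "::", "[::]")
            or a.startswith("0.0.0.0:")
            or a.startswith("[::]:"))


def audit(cfg: Dict[str, List[str]]) -> List[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings: List[str] = []

    # 1. Exposure: no ListenAddress at all, or a wildcard, means every interface.
    listen = cfg.get("listenaddress", [])
    if not listen or any(_is_wildcard(a) for a in listen):
        findings.append("sshd listens on all interfaces; restrict ListenAddress "
                        "to a management network or place it behind a bastion/VPN")

    # 2. Unauthenticated window: sshd defaults LoginGraceTime to 120 seconds when
    #    unset. Only an explicit 0 closes the window (Qualys advisory workaround).
    grace = cfg.get("logingracetime", ["120"])[-1]
    if grace != "0":
        findings.append(f"LoginGraceTime is {grace}; consider 0 as an interim "
                        "workaround until the patched OpenSSH is deployed")

    # 3. Account scoping: without AllowUsers/AllowGroups any local account is a target.
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups; limit which accounts may log in")

    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse and audit a configuration string."""
    return audit(parse_sshd_config(text))


if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_EXPOSED_CONFIG),
                       ("hardened", SAMPLE_HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_text(text) or ["no findings"]:
            print(" -", f)
```

On a real host the same functions can be pointed at the effective configuration rather than the file, for example by feeding them the output of `sshd -T` (which prints the resolved keyword/value pairs), so that include files and Match blocks are already applied. The audit reports exposure, not exploitability; the version check and the upgrade itself still come first.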
Arasaratnam noted that the bug would be avoided by using memory-safe languages; the transition to such languages is a key priority of the Biden administration’s effort to better secure the open-source ecosystem on which the world’s digital systems rely.
A string of high-profile vulnerabilities affecting open-source software, and malicious efforts to manipulate the maintenance of open-source tools, have led to concerns about the security of open-source software. Both financially motivated criminals and state-backed hackers have been targeting open-source code and developers in an effort to infect victims further down the supply chain.
This story was updated July 3, 2024, to correct the spelling of Omkhar Arasaratnam’s name. It was updated again July 10, 2024, to add to Jake Williams’ title.