OpenSSH has a strong track record when it comes to security, but a new bug mirrors the last time it had a similarly catastrophic vulnerability, nearly 20 years ago. The current OpenSSH vulnerability has so far been found only by security researchers and is not yet being exploited in the wild, but threat actors are expected to work it out before long. The issue would give an attacker Remote Code Execution (RCE) and should be addressed immediately, but patching may be a challenge for some organizations.
RCE exploit in OpenSSH could grant attackers total control
The good news is that security firm Qualys notified the OpenSSH team prior to the public disclosure of regreSSHion, and the RCE vulnerability was patched out in the most recent release of the software (9.8, issued at the beginning of July).
The bad news is that patching will not be a simple process for many organizations, and in some cases will not be possible. Organizations should first check whether they are running a vulnerable version: anything on OpenBSD is reportedly safe, but otherwise a specific range of versions released between 2020 and 2024 is subject to the new OpenSSH vulnerability. Should an organization be unable to patch, Qualys does have at least one immediate remediation suggestion. However, it comes at the cost of opening the server to denial-of-service attacks.
The news is not all bad for those who have trouble patching, however. Qualys says there is no sign of it being used in the wild yet, and while it believes threat actors will follow the trail of clues to it, they will also need substantial resources and skill to exploit it. Exploiting the new OpenSSH vulnerability requires initiating and winning a race condition, and the researchers found that 100 simultaneous connections would take about six to eight hours (and about 10,000 attempts) to achieve RCE on a target.
That means two things: attackers will probably have to use botnets, and the approach will be very noisy, which should put it well within reach of network monitoring tools and firewalls.
OpenSSH vulnerability impacts very old and very new versions
As the OpenSSH vulnerability builds on a flaw patched out of the software all the way back in 2006, it impacts very old and very new versions with a big slice in the middle not affected at all.
Versions from 2006 and earlier that were never patched, should any still exist, are also vulnerable to this new RCE attack. Just about everything from 2007 to October 2020 is unaffected, however; it was a coding error in an October 2020 update that re-introduced the old bug in a modified form. The new OpenSSH vulnerability thus runs from that point to the 9.8 update that came at the start of July this year.
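A version and mitigation check, added here as an illustration and not part of the article or of OpenSSH itself: it maps the date ranges described above onto release numbers (9.8 is from the article; 4.4 as the 2006 fix and 8.5 as the first release carrying the October 2020 regression are taken from the regreSSHion advisory, not this article) and looks in sshd_config for Qualys's LoginGraceTime 0 stop-gap, which the article refers to without naming.

```python
import re
import subprocess

# Release boundaries (from the regreSSHion advisory, not this article): the original
# bug was fixed in 4.4 (2006), the 2020 regression shipped in 8.5, and 9.8 fixes it.
ORIGINAL_FIX = (4, 4)
REGRESSION_START = (8, 5)
FIXED = (9, 8)


def parse_openssh_version(banner):
    """Extract (major, minor) from an `ssh -V` banner such as
    'OpenSSH_9.7p1 Ubuntu-7ubuntu4, OpenSSL 3.0.13 30 Jan 2024'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version, openbsd=False):
    """Apply the article's ranges: unpatched pre-2006 builds and 8.5 <= v < 9.8
    are affected; OpenBSD builds are reported safe regardless of version."""
    if openbsd:
        return False
    return version < ORIGINAL_FIX or REGRESSION_START <= version < FIXED


def grace_time_mitigated(sshd_config):
    """True if sshd_config sets `LoginGraceTime 0`, the stop-gap for hosts that
    cannot patch. It removes the authentication timeout, which is why it trades
    the RCE race for exposure to connection-exhaustion denial of service.
    Like sshd, honour the first occurrence and ignore comments."""
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            return parts[1] == "0"
    return False


def local_banner():
    """Run `ssh -V`; OpenSSH prints its banner on stderr."""
    p = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
    return (p.stderr or p.stdout).strip()


if __name__ == "__main__":
    v = parse_openssh_version(local_banner())
    verdict = "VULNERABLE" if is_vulnerable(v) else "not affected"
    print(f"OpenSSH {v[0]}.{v[1]}: {verdict}")
```

Distributions often backport security fixes without changing the upstream version string, so treat a "VULNERABLE" verdict from the version alone as a prompt to check the vendor advisory rather than as a final answer.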
Qualys counts 14 million potentially impacted instances, though only a little over half a million of these are external and internet-facing. Though the researchers described the steps needed to achieve RCE as “complex,” they also noted that the attack requires no user interaction at the target.