Qualys published a blog post with details regarding a critical remote code execution vulnerability in the OpenSSH server [1].
This week is far from ideal for dealing with a critical vulnerability in software as widely used as OpenSSH, so to save you some time, here are the most important points in a very brief post:
The CVEs associated with this vulnerability are CVE-2006-5051 and CVE-2024-6387.
The reason for the two CVE numbers and the use of the old 2006 CVE number is that this is a regression. An old vulnerability that came back. Sadly, this happens somewhat regularly (not with OpenSSH, but software in general) if developers do not add tests to ensure the vulnerability is patched in future versions. Missing comments are another reason for these regressions. A developer may remove a test they consider unnecessary.
The vulnerability allows arbitrary remote code execution without authentication.
OpenSSH versions up to 4.4p1 are vulnerable to CVE-2006-5051.
OpenSSH versions from 8.5p1 up to 9.8p1 are vulnerable (9.8p1 is the patched version).
Remember that many Linux distributions will not increase the version number when they backport a patch, so the version string alone does not tell you whether a system is patched.
This is a timing issue, and exploitation is not easily reproducible but takes about 10,000 attempts on x86 (32-bit).
The speed of exploitation is limited by the sshd settings MaxStartups and LoginGraceTime.
Exploitation on AMD64 (64-bit) does not appear to be practical at this time.
Most Linux systems are currently running on 64-bit architectures. However, this could be a big deal for legacy and IoT systems in particular, if no more patches are available for them. First of all, a patch should be applied. If no patch is available, limiting the rate of new connections with a network firewall makes exploitation less likely, and port knocking, moving the server to an odd port, or allowlisting specific source IPs may be an option.
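As an added illustration (not part of the original diary or of Qualys' work), the following Python snippet classifies an OpenSSH version string against the two ranges above and, from MaxStartups and LoginGraceTime, estimates how many hours the roughly 10,000 attempts mentioned above would take. The default values 10:30:100 and 120 seconds are OpenSSH's own defaults; treating 4.4p1 as the fixed release for the 2006 CVE is an assumption about what "up to" means.

```python
import re

# Ranges as described in the post. 9.8p1 is the fix for CVE-2024-6387;
# 4.4p1 is assumed to be the fixed release for CVE-2006-5051.
OLD_FIX = (4, 4, 1)
NEW_RANGE = ((8, 5, 1), (9, 8, 1))  # [8.5p1, 9.8p1)

def parse_version(banner):
    """Extract (major, minor, portable) from an sshd banner or `ssh -V` output,
    e.g. 'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13' -> (9, 6, 1)."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError(f"not an OpenSSH version string: {banner!r}")
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))

def affected_cve(banner):
    """Return the CVE whose version range the banner falls into, or None.
    Caveat: distributions that backport the fix keep the old version string,
    so a hit here means 'check the distro advisory', not 'confirmed vulnerable'."""
    v = parse_version(banner)
    if v < OLD_FIX:
        return "CVE-2006-5051"
    if NEW_RANGE[0] <= v < NEW_RANGE[1]:
        return "CVE-2024-6387"
    return None

def max_unauth_connections(max_startups):
    """MaxStartups is either 'N' or 'start:rate:full'; the last field is the
    hard cap on concurrent unauthenticated connections."""
    return int(str(max_startups).split(":")[-1])

def hours_for_attempts(max_startups="10:30:100", login_grace_time=120, attempts=10_000):
    """Each attempt occupies an unauthenticated slot for up to LoginGraceTime
    seconds, so at most `full` attempts can complete per LoginGraceTime window.
    LoginGraceTime 0 disables the timer, so the estimate does not apply."""
    if login_grace_time <= 0:
        raise ValueError("LoginGraceTime 0 means no timeout; estimate not applicable")
    per_window = max_unauth_connections(max_startups)
    return attempts * login_grace_time / per_window / 3600

if __name__ == "__main__":
    # Constructed sample banners, not real hosts.
    for b in ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13", "SSH-2.0-OpenSSH_9.8p1", "OpenSSH_4.3p2"):
        print(b, "->", affected_cve(b))
    print(f"~{hours_for_attempts():.1f} hours for 10,000 attempts at defaults")
```

With the defaults the estimate is about 3.3 hours, which is why lowering the connection rate at the firewall or tightening MaxStartups stretches the attack out rather than stopping it.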
[1] https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.