Cato CTRL Threat Brief: CVE-2024-6387 – OpenSSH RCE Vulnerability (“regreSSHion”)
TL;DR – Multiple versions of OpenSSH are vulnerable to remote code execution. There is no working public PoC, and researchers have only been able to exploit the vulnerability under unique lab conditions.
- Cato’s cloud infrastructure is NOT impacted
- Cato Sockets use one of the vulnerable OpenSSH versions. Patches upgrading to the latest OpenSSH version are in the testing phase and will be released to the field for all supported Socket platforms (physical and virtual) for the following Socket versions:
- Version 19 – last stable
- Version 20 – latest
Cato Sockets do NOT have a publicly exposed SSH interface by default. It is always recommended to expose the Cato Socket LAN interface only internally and to use comprehensive network access controls to manage SSH access.
Vulnerability overview
Researchers from Qualys published their findings on July 1st. Like every high-profile CVE making news in the industry, it received a name, “regreSSHion”, because the bug is a regression: a later fix in OpenSSH reintroduced a previously patched flaw.
OpenSSH is one of the most widely used suites of tools on Unix-based systems, used all over the world to secure communications to servers over the internet, for secure file transfers and more. It is considered one of the more secure applications in the Unix world; to quote the researchers from Qualys, “this vulnerability is one slip-up in an otherwise near-flawless implementation”, and CVEs such as this one are very rare indeed.
Impacted OpenSSH versions are:
- OpenSSH versions earlier than 4.4p1
- OpenSSH versions between 8.5p1 and 9.7p1
* Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable because of the patch previously applied for a different vulnerability (CVE-2006-5051).
In the research published by Qualys, the attack succeeded only under lab conditions and only against a 32-bit system, taking 6 to 8 hours on average. On 64-bit systems the time required is likely to increase by several orders of magnitude, and exploitation there was not demonstrated.
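To turn the version ranges above into a check a defender can run over `ssh -V` output or server banners collected from their own fleet, here is an added example in C (not code from Cato or OpenSSH; the function names and the sample banners are constructed). It compares major.minor against the two vulnerable ranges; note that distributions often backport fixes without changing the upstream version string, so a match means "check the vendor advisory", not proof of exposure.

```c
#include <stdio.h>
#include <string.h>

/* Upstream OpenSSH version parsed from a banner such as "OpenSSH_9.6p1". */
struct ossh_ver { int major, minor, patch; };

/* Parse the upstream version out of `ssh -V` output or an SSH banner such as
   "SSH-2.0-OpenSSH_9.6p1 SomeDistro-1". Returns 1 on success, 0 if no
   OpenSSH version string is present. The pN suffix is optional. */
int parse_openssh_version(const char *banner, struct ossh_ver *v) {
    const char *p = strstr(banner, "OpenSSH_");
    if (p == NULL) return 0;
    v->patch = 0;
    return sscanf(p, "OpenSSH_%d.%dp%d", &v->major, &v->minor, &v->patch) >= 2;
}

/* Three-way compare of major.minor; the pN portability level does not move a
   build across the range boundaries given above. */
static int cmp_mm(const struct ossh_ver *v, int major, int minor) {
    if (v->major != major) return v->major < major ? -1 : 1;
    if (v->minor != minor) return v->minor < minor ? -1 : 1;
    return 0;
}

/* Ranges from this brief: earlier than 4.4p1, and 8.5p1 through 9.7p1.
   Returns 1 if the upstream version is in a vulnerable range, 0 if it is not,
   -1 if the banner could not be parsed. */
int openssh_version_in_vulnerable_range(const char *banner) {
    struct ossh_ver v;
    if (!parse_openssh_version(banner, &v)) return -1;
    if (cmp_mm(&v, 4, 4) < 0) return 1;
    if (cmp_mm(&v, 8, 5) >= 0 && cmp_mm(&v, 9, 7) <= 0) return 1;
    return 0;
}

/* Constructed sample inputs, as a fleet-inventory script might collect them. */
static const char *const sample_banners[] = {
    "OpenSSH_9.6p1 SomeDistro-1, OpenSSL 3.0.x",   /* in range    */
    "OpenSSH_9.8p1, OpenSSL 3.3.x",                /* fixed       */
    "OpenSSH_8.4p1 SomeDistro-5",                  /* safe gap    */
    "OpenSSH_4.3p2",                               /* old branch  */
    "SSH-2.0-dropbear",                            /* not OpenSSH */
};

/* Count how many of the sample banners fall in a vulnerable range. */
int count_in_vulnerable_range(void) {
    int n = 0;
    for (size_t i = 0; i < sizeof sample_banners / sizeof sample_banners[0]; i++)
        if (openssh_version_in_vulnerable_range(sample_banners[i]) == 1) n++;
    return n;
}
```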
Analysis of the vulnerability
The vulnerability was introduced into newer OpenSSH versions in October 2020 and is a code regression of CVE-2006-5051, which was originally fixed in version 4.4p1. A later, incorrect fix for another CVE brought the issue back (hence the regression) and made versions starting from 8.5p1 vulnerable.
The exploit leverages a race condition in the signal handler of sshd, the server component of OpenSSH. If the client fails to complete authentication within LoginGraceTime (120s or 600s by default, depending on the version in use), a SIGALRM signal is raised and its handler runs asynchronously, calling additional functions that are not async-signal-safe while running with root privileges; the researchers were able to exploit this to run arbitrary code and gain a root shell.
The researchers used a uniquely crafted lab environment to prove the RCE, working to circumvent multiple protections that all modern operating systems employ against access to running memory, e.g. ASLR.
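As an added illustration of the safe pattern for the handler described above (example code, not sshd’s own source; `install_grace_handler`, `service_connection`, `demo_grace_timeout` and the `conn` struct are constructed names), the SIGALRM handler below only sets a flag, and the main loop does the logging and teardown, so nothing that is not async-signal-safe ever runs in signal context:

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Set by the SIGALRM handler and polled by the main loop; storing to a
   sig_atomic_t is one of the few operations guaranteed safe in a handler. */
static volatile sig_atomic_t grace_expired = 0;
struct conn { char *client_banner; };   /* per-connection state to tear down */

/* The handler only records that the timer fired; syslog(), malloc() and free()
   are not async-signal-safe, so logging or freeing here can re-enter the
   allocator while the interrupted main code has its bookkeeping half-updated. */
static void on_login_grace_alarm(int sig) { (void)sig; grace_expired = 1; }

/* Install the handler and arm a LoginGraceTime-style timer (0 = no timer). */
int install_grace_handler(unsigned grace_seconds) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_login_grace_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    if (sigaction(SIGALRM, &sa, NULL) != 0) return -1;
    alarm(grace_seconds);
    return 0;
}
int grace_timer_fired(void) { return grace_expired != 0; }

/* Main-loop step in ordinary context, where logging and freeing are fine.
   Returns 1 if the connection was torn down on timeout, 0 otherwise. */
int service_connection(struct conn *c) {
    if (!grace_timer_fired()) return 0;
    fprintf(stderr, "login grace time exceeded, dropping %s\n",
            c->client_banner ? c->client_banner : "?");
    free(c->client_banner);
    c->client_banner = NULL;
    grace_expired = 0;
    return 1;
}

/* Demo: deliver SIGALRM synchronously with raise() instead of waiting for the
   timer, then run one main-loop step; returns service_connection()'s result. */
int demo_grace_timeout(const char *banner) {
    struct conn c = { strdup(banner) };
    if (c.client_banner == NULL || install_grace_handler(0) != 0) return -1;
    raise(SIGALRM);
    int torn_down = service_connection(&c);
    free(c.client_banner);   /* NULL after teardown, so a no-op on that path */
    return torn_down;
}
```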
In the lab, using a 32-bit server and a low-latency network connection, it took an average of 6 to 8 hours to obtain a root shell after approximately 10,000 connection attempts. On top of the very long time to exploit, the massive number of connections needed is likely to be flagged by network monitoring systems and is an easy vector to identify and block.
For the time being the attack is extremely complicated to perform in real-world conditions, and mitigations such as fail2ban and limiting public access to OpenSSH, which is ALWAYS recommended, make it nearly impossible to exploit.
Public exploitation & prevention
No indications of exploitation attempts targeting Cato customers were found. While PoC code claiming to exploit the vulnerability has surfaced, Cato’s security research team has determined that it is not in fact a viable exploit and would not result in an RCE, including in tests performed internally on Cato Sockets. However, it does lay a good foundation for exploiting this vulnerability, and we expect more attempts to be released soon.
Cato’s security research team continues to analyze this threat to determine the possible exploitation avenues, how they are covered by existing prevention policies, and what new logic is needed to address the issue specifically.
Summary
A remote code execution vulnerability in multiple versions of OpenSSH was discovered. There is no working public PoC available, and exploitation in real-world conditions is impractical to near impossible.
Nonetheless, given the high profile of the CVE and the quickly evolving landscape, it is important that all systems are patched in case an exploit PoC surfaces in the future. Just as important are strict network access controls limiting public SSH access, including, of course, for Cato Sockets, which should never be internet-facing on the management side.