18 Years Later, a Disastrous Linux Flaw Returns


A vulnerability that was patched in 2006, eighteen years ago, has come back under a new nickname: RegreSSHion. It was reintroduced in 2020 by a mistake in the OpenSSH code, and its presence was only spotted recently.

It was thought to be dead and buried for eighteen years. Unfortunately, CVE-2006-5051, a vulnerability corrected in 2006, has just resurfaced. The computer security company Qualys sounded the alarm in an article published on July 1st. The nickname given to this returning vulnerability? RegreSSHion.

A well-chosen nickname, because the flaw affects OpenSSH. OpenSSH is a suite of tools used to secure network connections and control computers remotely, encrypting the traffic to protect the data exchanged. It is a free implementation of SSH (Secure Shell), a secure communication protocol.

A faulty update that puts the flaw back in place

The problem detected by Qualys turns out to be a software regression: a defect that appeared in OpenSSH after a code change and impaired the software's correct behaviour. This regression in OpenSSH dates from October 2020 and shipped with the 8.5p1 revision.

The problem is serious, first because of the nature of the flaw itself. It received a severity score of between 8.1 and 9.3 out of 10; the closer the score is to the maximum, the higher the criticality. The severity of software flaws is measured with a standardized scoring system, revised from time to time, called CVSS.

It has also been the subject of alert bulletins from organizations such as the Government Center for Monitoring, Alerting and Response to Computer Attacks (CERT-FR) in France and the National Institute of Standards and Technology (NIST) in the United States.

A flaw dies… until it is reintroduced. (Illustration: Numerama with Midjourney)

It is also serious because of the nature of the software affected. “Based on research […] we have identified more than 14 million instances of OpenSSH servers that are potentially vulnerable and exposed to the Internet,” Qualys writes. A sign of how sensitive OpenSSH is: it has received material or financial support from Google, DuckDuckGo and even the EU.

According to CERT-FR's description, “this vulnerability allows an unauthenticated attacker to execute arbitrary code remotely with root privileges” on some “32-bit Linux systems”. One limit, however: “exploitation requires between six and eight hours of continuous connections”, which slightly reduces exposure.

In detail, the versions of OpenSSH concerned are:

  • OpenSSH versions prior to 4.4p1, unless patched for CVE-2006-5051 and CVE-2008-4109;
  • versions 8.5p1 to 9.8p1 inclusive, because of the accidental removal of a critical component from a function.

Note that OpenBSD systems are immune: OpenBSD introduced a mechanism in 2001 that prevents this vulnerability from having any harmful effect. OpenSSH versions from 4.4p1 up to, but not including, 8.5p1 are also safe. For 64-bit Linux systems, exposure to the threat is assumed but not proven.

The good news is that this new vulnerability, designated CVE-2024-6387, can already be contained or even countered. “As of July 1, 2024, some Linux distributions have released patches for vulnerable versions”, CERT-FR indicates, referring to its documentation.
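To turn the version list above into an inventory check, here is an added example (not code from the article, Qualys or CERT-FR) that classifies collected SSH banners against the affected ranges. The ranges, host names and banners are constructed for illustration; the upper bound of the second range is treated as exclusive because 9.8p1 is the upstream release that carries the fix, and the result is only a starting point, since distributions backport the fix without changing the version string.

```python
import re
from typing import Dict, Optional, Tuple

# Affected ranges as (low inclusive, high exclusive), built from the article's
# version list: everything before 4.4p1, and 8.5p1 up to but not including
# 9.8p1, the upstream release that carries the fix. Tuples are (major, minor, pN).
AFFECTED_RANGES = [((0, 0, 0), (4, 4, 1)), ((8, 5, 1), (9, 8, 1))]
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

def parse_banner(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an SSH identification string or
    `ssh -V` output; a missing pN suffix is treated as patch level 0."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)

def assess(banner: str) -> str:
    """Classify a banner as 'potentially-vulnerable', 'not-affected' or 'unknown'.
    It says 'potentially' because distributions usually backport the fix without
    changing the upstream version string, and a pre-4.4p1 build already patched
    for CVE-2006-5051 / CVE-2008-4109 looks identical to an unpatched one.
    Confirm against the package changelog before acting on the result."""
    version = parse_banner(banner)
    if version is None:
        return "unknown"  # not OpenSSH, or the banner is hidden or garbled
    if any(low <= version < high for low, high in AFFECTED_RANGES):
        return "potentially-vulnerable"
    return "not-affected"

def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Map host -> assessment for a batch of collected banners."""
    return {host: assess(banner) for host, banner in banners.items()}

# Constructed sample banners (not real hosts), in the form sshd sends on connect.
SAMPLE_BANNERS = {
    "host-a": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",
    "host-b": "SSH-2.0-OpenSSH_9.8p1",
    "host-c": "SSH-2.0-OpenSSH_7.4",
    "host-d": "SSH-2.0-OpenSSH_4.3p2",
    "host-e": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
```

Banners can be gathered from existing scan data or from each host's own `ssh -V` output; a "potentially-vulnerable" verdict should be resolved by checking the installed package's changelog for the CVE-2024-6387 fix.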
