
The “RegreSSHion” Bug: Risks and Response 


Following yesterday’s discovery of a high-severity vulnerability in OpenSSH known as #RegreSSHion, Systal’s DFIR Manager James McGoldrick explains the risks involved and steps needed to secure your environment.

On 1st July 2024, researchers from Qualys published a blog post outlining a remote code execution vulnerability in the SSH server (sshd) implementation on glibc-based Linux installations: RegreSSHion. This vulnerability can allow a remote, unauthenticated attacker to execute code on affected devices with root privileges.

This means that SSH servers exposed to the internet are vulnerable to remote takeover by anyone who has the technical ability to leverage this race condition – or anyone who can harness and re-use any proof-of-concept code found on the internet.  

Given that SSH stands for ‘Secure Shell’ and the purpose of the protocol is to provide secure remote access for system admins and other remote users, it will be no surprise that there are a huge number of systems on the internet which are exposed to this new, potent vulnerability.

The Risks 

This highlights two key problems facing companies in an ever more connected world:  

        1. Security by design is hard. 

The Qualys researchers demonstrate in their blog post that the vulnerability is a regression of CVE-2006-5051 which was discovered in 2006. This vulnerability was fixed in OpenSSH update 4.4p1.  

In OpenSSH version 8.5p1 however, new functionality relating to syslog integration caused the previously patched race condition to resurface. This fact was not noticed or appreciated at the time, and it was not discovered again until the Qualys researchers published their blog yesterday.  

This demonstrates how difficult it can be to maintain perfect security in complex protocols and technologies which are always being pushed to offer more functionality and connectivity. The vulnerability in this case arises from a complex inter-relationship between several operating-system components outside the sshd daemon itself, and it requires a deep understanding of system architecture to identify it and craft a successful exploit.

        2. Security is the enemy of convenience. 

Businesses constantly strive to reduce friction, maximise efficiency and create solutions that are easy and affordable to manage and use. Securing systems against exploitation, however, can often mean barriers are put in place which make these objectives difficult. The RegreSSHion vulnerability is an example of this. Exposing the SSH protocol to the public internet can allow for convenient server maintenance from across the planet, but it comes with the risk that your systems could be remotely compromised when vulnerabilities like this surface.

The Response  

With regard to the RegreSSHion vulnerability specifically, making sure you are not running an affected version of sshd on publicly routable devices is of paramount importance.  

Any version of sshd earlier than 4.4p1 is vulnerable to the original race condition vulnerability – it is very unlikely that any system still online is running a version this old.

Versions from 4.4p1 up to, but not including, 8.5p1 are not affected by this vulnerability.

Versions from 8.5p1 up to, but not including, 9.8p1 are vulnerable, because the change made in 8.5p1 removed the safeguard that had patched the earlier vulnerability.
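To make those version ranges easy to apply across an estate, here is an added POSIX shell example (not from the original post or from Systal) that classifies an OpenSSH banner or `sshd -V` string against them. It assumes only `sh` and `sed`; the status words it prints are my own naming.

```shell
#!/bin/sh
# Classify an OpenSSH version string against the ranges in the post.
# Prints exactly one of:
#   unknown               - no "OpenSSH_<major>.<minor>" found in the input
#   vulnerable-original   - earlier than 4.4p1 (original CVE-2006-5051)
#   not-affected          - 4.4p1 up to, but not including, 8.5p1
#   vulnerable-regression - 8.5p1 up to, but not including, 9.8p1
#   patched               - 9.8p1 or later
regresshion_status() {
  banner=$1
  # Pull "major minor" out of strings such as
  #   "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2"   (network banner)
  #   "OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL ..." (sshd -V output)
  ver=$(printf '%s\n' "$banner" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  if [ -z "$ver" ]; then
    echo unknown
    return 0
  fi
  set -- $ver
  n=$(( $1 * 100 + $2 ))   # 4.4 -> 404, 8.5 -> 805, 9.8 -> 908
  if   [ "$n" -lt 404 ]; then echo vulnerable-original
  elif [ "$n" -lt 805 ]; then echo not-affected
  elif [ "$n" -lt 908 ]; then echo vulnerable-regression
  else                        echo patched
  fi
}

# Stand-alone use: one banner per argument, e.g.
#   sh check_sshd.sh "$(printf '' | nc -w 3 host 22 | head -n 1)"
if [ "$#" -gt 0 ]; then
  for b in "$@"; do
    printf '%s\t%s\n' "$(regresshion_status "$b")" "$b"
  done
fi
```

One caveat a practitioner should keep in mind: several distributions backported the 9.8p1 fix without changing the upstream version in the banner, so a result of `vulnerable-regression` from a banner alone overstates exposure; confirm against the distribution package's changelog or security advisory before treating the host as unpatched.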

If you cannot patch affected systems in the short term, you should consider restricting access to SSH services using a firewall. Ideally, you should whitelist trusted IPs that have a legitimate need to access these services over the internet.  

You could also consider changing the LoginGraceTime parameter within your sshd_config file on any vulnerable servers to a value of 0. This will, however, mean that login attempts to your server will never time out, which could allow server resources to be saturated and lead to a DoS condition for SSH connections, if not the server itself. This should not be considered a long-term solution.
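As an added example (not from the original post or from Systal), the following POSIX shell script turns the two interim measures above into something an administrator can review before applying: one function emits an nftables ruleset that accepts SSH only from a supplied list of trusted IPv4 addresses or prefixes, and another sets `LoginGraceTime` in an sshd_config file. The table name `ssh_guard`, the set name `trusted_ssh`, the optional `SSH_PORT` environment variable and the sample addresses (taken from the RFC 5737 documentation ranges) are my own choices, not from the page.

```shell
#!/bin/sh
# Interim mitigations for RegreSSHion: SSH source allowlist + LoginGraceTime.

# Print an nftables ruleset that accepts TCP/$SSH_PORT (default 22) only from
# the given IPv4 addresses or CIDR prefixes and drops every other SSH connection.
# The ruleset goes to stdout so it can be reviewed before `nft -f`.
ssh_allowlist_ruleset() {
  port=${SSH_PORT:-22}
  elems=""
  for ip in "$@"; do
    # Syntax check only (dotted quad with optional /prefix); it does not
    # validate octet ranges, so review the output before loading it.
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || {
      printf 'invalid IPv4 address or prefix: %s\n' "$ip" >&2
      return 1
    }
    elems="${elems:+$elems, }$ip"
  done
  # An empty allowlist would cut off all SSH access, so refuse to emit one.
  [ -n "$elems" ] || { printf 'refusing to emit a ruleset with no trusted sources\n' >&2; return 1; }
  cat <<EOF
table inet ssh_guard {
  set trusted_ssh { type ipv4_addr; flags interval; elements = { $elems } }
  chain input {
    type filter hook input priority 0; policy accept;
    tcp dport $port ip saddr @trusted_ssh accept
    tcp dport $port drop
  }
}
EOF
}

# Set LoginGraceTime in the sshd_config at $1 to $2 seconds (0 = never time out,
# the stopgap the post describes). A .bak copy of the original is kept.
set_login_grace_time() {
  cfg=$1
  secs=$2
  [ -r "$cfg" ] || { printf 'cannot read %s\n' "$cfg" >&2; return 1; }
  cp "$cfg" "$cfg.bak"
  # sshd honours the first occurrence of a keyword and does not allow
  # LoginGraceTime inside a Match block, so the new value is placed at the top
  # of the file and any earlier uncommented setting is removed rather than
  # appending a line that could land inside a Match block.
  {
    printf 'LoginGraceTime %s\n' "$secs"
    grep -Ev '^[[:space:]]*LoginGraceTime[[:space:]]' "$cfg.bak" || true
  } > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Example (constructed addresses from the documentation ranges):
#   ssh_allowlist_ruleset 203.0.113.10 198.51.100.0/24 > ssh_guard.nft
#   set_login_grace_time /etc/ssh/sshd_config 0
```

Load the generated ruleset with `nft -f ssh_guard.nft` only from a session whose own source address is in the allowlist, otherwise the `drop` rule will end that session too; and run `sshd -t` to validate the edited configuration before reloading sshd. Both measures buy time for patching; as the post says, the LoginGraceTime change in particular trades the race condition for a resource-exhaustion exposure and should be reverted once the upgrade to 9.8p1 or a distribution-patched build is in place.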

For many companies, maintaining an accurate picture of their exposed assets, software versions and associated configurations is a significant challenge in and of itself. Systal Security Solutions offers a number of services and resources that can help identify your critical assets and protect them in a cost-effective and easy-to-manage way without increasing the burden on your daily business operations:

  • Vulnerability Management: Our comprehensive Vulnerability Management service can help you maintain oversight of your estate and quickly identify which devices are vulnerable to issues like regreSSHion. 
  • Managed Network Services: Our team of highly experienced network architects and engineers can help design a robust and fit-for-purpose network that meets your business needs securely, ensuring that only trusted sites and individuals have access to your critical assets. Our managed network services are supported by class-leading change management and design methodologies that ensure you stay on top of your network design and topology at all times, even as your operation grows.
  • SOC as a Service: Our Security Operations Centre as a Service can monitor your estate in real-time, identifying attempts to exploit vulnerabilities like this and responding before an attempted intrusion is successful – this provides assurance that even zero-day exploits will be halted in their tracks. 
  • Identity and Access Management: Our comprehensive suite of Identity and Access Management offerings can help place your critical assets behind an additional layer of Role Based Access Control and authentication, ensuring that only the right people at the right time can access your systems.
  • CSIRT and DFIR Capability: Our highly experienced Cyber Incident Response Team and Digital Forensics Analysts can support you in the event that you may have fallen victim to a breach already, identifying the scope and scale of the intrusion and supporting your return to safe business operations as quickly as possible.  

Concerned? Contact Us

If you have any concerns over the recently published regreSSHion vulnerability, or would like support in securing your environment, please get in touch with the Systal team to discuss how we can take the hassle out of security and help you focus on success with an easy mind!

About the author:  

James McGoldrick is a Digital Forensics and Incident Response (DFIR) Manager with Systal and has over 8 years’ experience in Cybercrime Investigation – 5 years of which were served in a UK Law Enforcement setting. James works with an experienced team of managed Network and Security Service engineers and consultants to provide class-leading services in Incident Response, Professional Service Consultancy and Managed Network and Security Services globally.
