OpenSSH, considered one of the “most secure software implementations in the world,” has a “clear gap” that could allow attackers to completely take over Linux systems on which it is installed, experts warn.
a report According to Qualys, the vulnerability has existed in OpenSSH for four years and currently affects approximately 14 million endpoints worldwide.
Qualys dubbed its finding “regreSSHion” and says it is now being tracked as CVE-2024-6387. The flaw was named “regreSSHion” because it is a regression of the previously patched vulnerability CVE-2006-5051, which was fixed in 2006. A regression is a flaw that was once fixed but later reintroduced.
Regression
“If exploited, this vulnerability could allow an attacker to execute arbitrary code with escalated privileges, potentially leading to a complete system takeover, malware installation, creation of backdoors, and more,” the researchers said.
In a blog post describing the findings, Qualys noted that anonymized data from CSAM 3.0 with External Attack Surface Management data showed that approximately 700,000 remote instances with internet access were vulnerable.
“This represents 31% of all Internet-facing instances running OpenSSH in our global customer base,” the researchers added. “Interestingly, over 0.14% of vulnerable Internet-facing instances running OpenSSH service are running an End-Of-Life/End-Of-Support version of OpenSSH.”
According to the researchers’ alert, the vulnerability is as severe as the Apache Log4J issue discovered in 2021. That issue, tracked as CVE-2021-44228 and dubbed Log4Shell, was found in the Log4J logging library, which is widely used in Java applications. It allowed attackers to remotely execute malicious code and essentially take over the entire endpoint.
It was said to affect a large number of organizations across industries, including powerhouses such as Apple, Amazon, Tesla, and others. While the exact number of affected companies is impossible to determine, the general consensus is that Log4Shell affected hundreds of millions of applications and devices worldwide.