RegreSSHion
RegreSSHion is a family of security bugs in the OpenSSH software that allows for an attacker to remotely execute code and gain potential root access on a machine running the OpenSSH Server.
The vulnerability was discovered by the Qualys Threat Research Unit and was disclosed on July 1, 2024. It affected all prior versions of OpenSSH from 8.5p1 to 9.7p1 and was patched in release 9.8/9.8p1 on July 1, 2024. Qualys reported identifying over 14 million public facing OpenSSH instances potentially vulnerable to the attack.
It affects glibc-based Linux systems; Windows and OpenBSD systems are not vulnerable to the attack.
Disclosure
The vulnerability was publicly disclosed by Qualys on July 1, 2024. Qualys reported disclosing the vulnerability to the OpenSSH developers on May 19, approximately two months prior, and reported notifying OpenWall on June 20, 2024.Vulnerability
The regreSSHion vulnerability in OpenSSH results from a signal handler race condition in its server component. This issue is triggered when a client fails to authenticate within the LoginGraceTime period. When this timeout occurs, sshd's SIGALRM handler is called asynchronously, invoking functions that are not safe to use in signal handlers, such as syslog. In versions < 4.4p1, an attacker could exploit thefree function during syslog within the signal handler. However, in versions from 8.5p1 to 9.7p1, both the free and malloc functions are targeted.This vulnerability is a regression of CVE-2006-5051, reintroduced in OpenSSH 8.5p1 due to the accidental removal of a crucial directive that had mitigated the earlier vulnerability. The directive transformed unsafe calls into a safe _exit call.
Affected versions
Note: The following versions are referring to the upstream versions. Checking the versions shipped by—for example—a Linux distribution is not enough to validate it being vulnerable or not as many have backported fixes to older versions. e.g. Debian's OpenSSH version 9.7p1-7 ''and Rocky Linux's OpenSSH version 8.7p1-38.4 are also not vulnerable.''| Legend: | Vulnerable | Not Vulnerable |
| Release | Status | Date |
| < 4.4p1 | Vulnerable if not patched against CVE-2006-5051 or CVE-2008-4109 | Before Sep. 27th, 2006 |
| 4.4p1 ≤ OpenSSH < 8.5p1 | Not vulnerable due to presence of mitigation directive | Sep. 27th, 2006 - Mar. 3rd, 2021 |
| 8.5p1 ≤ OpenSSH < 9.8p1 | Vulnerable again because the directive was removed | Mar. 3rd, 2021 - Jul. 1st, 2024 |
| ≥ 9.8p1 | Patched officially | After Jul. 1st, 2024 |