OpenSSH, widely regarded as one of the most carefully audited pieces of software in the world, has what researchers call a “glaring loophole”: a flaw in its sshd server that lets an unauthenticated remote attacker take complete control of glibc-based Linux systems running it, experts have warned.
A Qualys report says the vulnerability was reintroduced into OpenSSH in October 2020 and went unnoticed for almost four years; internet-wide searches using Censys and Shodan identified more than 14 million potentially vulnerable OpenSSH server instances exposed to the internet.
Qualys dubbed its finding “regreSSHion”, and it is now tracked as CVE-2024-6387. The name reflects the fact that it is a regression of CVE-2006-5051, a bug patched in 2006 with OpenSSH 4.4p1. A regression is a flaw that was fixed but later reappeared: the 2006 fix was accidentally removed in the code that became OpenSSH 8.5p1, so versions 8.5p1 through 9.7p1 are affected, and 9.8p1 restores the fix. Versions before 4.4p1 are also vulnerable unless the vendor backported the fixes for CVE-2006-5051 and CVE-2008-4109. Technically it is a signal handler race: when a client fails to authenticate within LoginGraceTime (120 seconds by default), sshd's SIGALRM handler runs functions such as syslog() that are not async-signal-safe, and an attacker who times the interruption correctly can corrupt the heap and gain code execution as root. OpenBSD itself is not affected, because its handler uses the async-signal-safe syslog_r().
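A first-pass check for affected builds, as an added example that is not part of the original article or of Qualys's own tooling: it pulls the version out of an sshd banner (the string a server sends in its protocol identification line, or that `ssh -V` prints) and classifies it against the ranges in the Qualys advisory (below 4.4p1 unless the CVE-2006-5051/CVE-2008-4109 fixes were backported; 8.5p1 through 9.7p1 affected; 9.8p1 fixed). The banners are constructed sample input, and treating a banner with no `pN` suffix as the OpenBSD-native build is this example's assumption.

```python
import re

# Constructed sample banners, in the form a server sends them in its protocol
# identification line or `ssh -V` prints them (not real scan data).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_4.3p2",
    "SSH-2.0-OpenSSH_9.7",          # no 'p' suffix: assumed OpenBSD-native build
    "SSH-2.0-dropbear_2022.83",
]

# Upstream version; the optional 'pN' is the portable-release number.
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Range boundaries taken from the Qualys advisory for CVE-2024-6387.
_FIXED_2006 = (4, 4, 1)   # CVE-2006-5051 fixed here
_REGRESSED = (8, 5, 1)    # that fix accidentally removed here (October 2020)
_FIXED_2024 = (9, 8, 1)   # CVE-2024-6387 fixed here


def parse_openssh_version(banner):
    """Return (major, minor, portable) or None if this is not OpenSSH.

    portable is None when the banner carries no 'pN' suffix.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), None if portable is None else int(portable))


def regresshion_status(banner):
    """Classify a banner by upstream version range only.

    Returns one of:
      "unknown"            not an OpenSSH banner
      "openbsd"            no 'pN' suffix; assumed OpenBSD-native, not affected
                           (its SIGALRM handler uses async-signal-safe syslog_r())
      "vulnerable-legacy"  older than 4.4p1; affected unless the vendor
                           backported the CVE-2006-5051/CVE-2008-4109 fixes
      "not-affected"       4.4p1 up to and including 8.4p1
      "vulnerable"         8.5p1 up to and including 9.7p1 (the regression)
      "fixed"              9.8p1 or later
    Distributions backport the fix without changing the upstream version
    string, so "vulnerable" means "check the vendor changelog", not "exploitable".
    """
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown"
    major, minor, portable = v
    if portable is None:
        return "openbsd"
    key = (major, minor, portable)
    if key < _FIXED_2006:
        return "vulnerable-legacy"
    if key < _REGRESSED:
        return "not-affected"
    if key < _FIXED_2024:
        return "vulnerable"
    return "fixed"


def triage(banners):
    """Map every banner in a scan's banner list to its status."""
    return {b: regresshion_status(b) for b in banners}


if __name__ == "__main__":
    for banner, status in triage(SAMPLE_BANNERS).items():
        print(f"{status:18} {banner}")
```

The version check is only a first pass: distribution packages such as Debian's or Ubuntu's kept their upstream version string and shipped the fix as a backport, so a "vulnerable" result on a managed host has to be confirmed against the vendor's advisory or package changelog. If upgrading is not immediately possible, Qualys's suggested mitigation is setting `LoginGraceTime 0` in sshd_config, which removes the SIGALRM path the exploit depends on but lets an attacker hold authentication slots open indefinitely and so exposes sshd to a denial of service through MaxStartups exhaustion.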
Regression
“If exploited, this vulnerability allows an attacker to execute arbitrary code with highest privileges, leading to full system takeover, malware installation, backdoor creation, and more,” the researchers said.
In a blog post detailing the findings, Qualys says anonymized data from its CyberSecurity Asset Management (CSAM) 3.0 product, combined with its external attack surface management data, showed that approximately 700,000 internet-facing instances across its customer base were potentially vulnerable.
“This represents 31% of all internet-facing instances using OpenSSH in our global customer base,” the researchers added. “Interestingly, over 0.14% of vulnerable internet-facing instances using the OpenSSH service have a version of OpenSSH running that has reached end of life or end of support.”
The researchers' warning puts the potential impact of the vulnerability in the same class as the Apache Log4j issue discovered in 2021. That issue, tracked as CVE-2021-44228 and dubbed Log4Shell, was found in the Log4j 2 logging library (versions 2.0-beta9 through 2.14.1), widely used in Java applications. It allowed threat actors to remotely execute malicious code and essentially take control of the entire endpoint. Unlike Log4Shell, however, regreSSHion is a race condition rather than a one-shot injection: Qualys's proof of concept needed roughly six to eight hours of continuous connection attempts to win the race against ASLR on a 32-bit glibc system, exploitation of 64-bit systems was considered likely but not demonstrated, and the flaw carries a CVSS score of 8.1 rather than Log4Shell's 10.0.
It was said to have affected a large number of organizations across different industries, including large companies such as Apple, Amazon, Tesla, and others. While it is impossible to determine the exact number of affected companies, the general consensus is that Log4Shell affected hundreds of millions of applications and devices worldwide.