Weekly Workflow: RegreSSHion

Qualys Threat Research Unit (TRU) uncovered a critical Remote Unauthenticated Code Execution (RCE) vulnerability, identified as CVE-2024-6387, affecting OpenSSH servers on glibc-based Linux systems.

Blink Team
Author
Oct 4, 2024

Is your OpenSSH server a part of the 700,000 at risk?

Qualys Threat Research Unit (TRU) has uncovered a critical Remote Unauthenticated Code Execution (RCE) vulnerability, identified as CVE-2024-6387, affecting OpenSSH servers on glibc-based Linux systems. 

This vulnerability, stemming from a signal handler race condition, allows an unauthenticated attacker to execute arbitrary code with root privileges.

How Qualys identified internet-facing vulnerable servers:

  1. Internet-wide scanning: Censys and Shodan were used to identify a large pool of potentially vulnerable OpenSSH servers exposed to the internet.
  2. Vulnerability assessment: Qualys CSAM 3.0 was employed to scan a specific customer base, identifying approximately 700,000 vulnerable instances.
  3. Vulnerability signature matching: Qualys' vulnerability detection engine compared the OpenSSH versions running on scanned systems against a known vulnerable version database.
  4. Data analysis: The percentage of vulnerable instances and the presence of end-of-life OpenSSH versions were calculated to provide insights into the vulnerability's prevalence and risk.
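Steps 3 and 4 above (version signature matching, then computing the share of hosts in the vulnerable range) can be reproduced on a defender's own inventory from nothing more than the SSH identification strings the servers advertise. The script below is an added example for this post, not Qualys' detection engine or Blink's code. It assumes banners of the RFC 4253 form `SSH-2.0-OpenSSH_<major>.<minor>[p<n>] [comments]`; the sample banners are constructed, and the version range it matches against is an illustrative placeholder because the post does not list the affected versions, so take the real range from the OpenSSH or Qualys advisory for CVE-2024-6387.

```python
"""Banner-based OpenSSH version triage (added example, not Qualys' or Blink's code)."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]  # (major, minor, portable-release "pN")

# SSH identification string (RFC 4253 section 4.2): "SSH-<proto>-<software> [comments]".
# OpenSSH advertises itself as OpenSSH_<major>.<minor>[p<n>]; the comment field
# (e.g. "Ubuntu-3ubuntu13") is free text and is not part of the version.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<portable>\d+))?"
)


def parse_openssh_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, portable) from a banner; None if the server is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    return (int(m.group("major")), int(m.group("minor")), int(m.group("portable") or 0))


# ILLUSTRATIVE PLACEHOLDER (assumption): the vulnerable ranges for CVE-2024-6387 are
# not given in the post. Replace with the (low, high) inclusive ranges from the advisory.
EXAMPLE_VULNERABLE_RANGES: List[Tuple[Version, Version]] = [
    ((8, 0, 0), (8, 9, 99)),
]


def in_vulnerable_range(v: Version, ranges=EXAMPLE_VULNERABLE_RANGES) -> bool:
    """Inclusive lexicographic comparison of the version tuple against each range."""
    return any(low <= v <= high for low, high in ranges)


def classify(banner: str, ranges=EXAMPLE_VULNERABLE_RANGES) -> str:
    """Step 3: signature match of the advertised version against the range table.

    Note: distributions often backport the fix without bumping the upstream version,
    so a hit here is a triage signal to confirm against the package version, not proof.
    """
    v = parse_openssh_version(banner)
    if v is None:
        return "not-openssh"
    return "vulnerable-version" if in_vulnerable_range(v, ranges) else "not-in-range"


def summarize(banners: Iterable[str], ranges=EXAMPLE_VULNERABLE_RANGES) -> Dict[str, float]:
    """Step 4: counts per class and the percentage of OpenSSH hosts whose version is in range."""
    counts = {"not-openssh": 0, "vulnerable-version": 0, "not-in-range": 0}
    for b in banners:
        counts[classify(b, ranges)] += 1
    openssh_total = counts["vulnerable-version"] + counts["not-in-range"]
    pct = round(100.0 * counts["vulnerable-version"] / openssh_total, 1) if openssh_total else 0.0
    return {**counts, "percent_vulnerable_of_openssh": pct}


# Constructed sample banners (not real scan data).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.7p1 Debian-7",
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "SSH-2.0-OpenSSH_8.2",
    "SSH-2.0-dropbear_2022.83",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r:45} -> {classify(b)}")
    print(summarize(SAMPLE_BANNERS))
```

Feed it the banners collected from your own hosts (for example the first line returned by `ssh-keyscan` or a TCP connect to port 22) and treat every "vulnerable-version" result as a ticket to check the installed package, since the banner cannot show whether a distribution has backported the fix.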

Qualys has successfully developed a proof-of-concept exploit and has coordinated responsible disclosure with the OpenSSH project. It's important to note that this vulnerability represents a regression of a previously patched issue (CVE-2006-5051), underscoring the criticality of robust regression testing in software development.

Blink is a pioneering security automation platform that functions as a copilot for security experts. By utilizing intuitive prompts, Blink empowers teams to streamline complex processes across disparate tools, significantly enhancing efficiency and productivity.
