• OsrsNeedsF2P@lemmy.ml (+68, 1 year ago)

    They have named this vulnerability “regreSSHion”, since it represents the re-emergence of a bug that was previously patched in 2006

    That’s a great name

  • treadful@lemmy.zip (+45, 1 year ago)

    The new vulnerability, assigned CVE-2024-6387, allows for unauthenticated remote code execution (RCE) with root privileges, posing a severe threat to affected systems.

    Oh, fuck. Guess this is my day now.

  • mumblerfish@lemmy.world (+32, 1 year ago)

    If I’m not mistaken, it seems like this is a timing attack and you need a lot of attack attempts to make it work. If you have like a fail2ban rule for ssh it should mitigate this attack to quite some degree, right? (Of course updating would still be the best).

  • lurklurk@lemmy.world (+27/-1, 1 year ago)

    the in-depth technical details

    TL;DR: the SIGALRM handler calls syslog(), which isn't safe to call from a signal handler context.

    Their example exploit needed about 10k attempts to get a remote shell, so it's not fast or quiet, but a neat find regardless.

    • bitfucker@programming.dev (+4, 1 year ago)

      I can already imagine the generated log will be a hint. We usually automate those anyway, as it is closer to (D)DoS too.
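The fail2ban and log-volume points in the two comments above, as an added example that is not part of the thread and not fail2ban's or OpenSSH's code: sshd logs "Timeout before authentication for <ip> port <port>" when the login grace period expires, so the thousands of attempts the exploit needs leave that line behind for every attempt that misses the race. The code below scans syslog-style lines for that message, tallies them per source address and marks addresses over a threshold. The log lines are constructed for the demo; the function names, the table size and the threshold of 3 are my choices.

```c
/* Added example (not fail2ban or OpenSSH code): count sshd grace-period
 * timeouts per source address from syslog-style lines. */
#include <stdio.h>
#include <string.h>

#define MAX_IPS 64
#define IP_LEN  46   /* INET6_ADDRSTRLEN: room for a full IPv6 literal */

struct ip_count {
    char ip[IP_LEN];
    int  timeouts;
};

/* Extracts the address that follows "Timeout before authentication for ".
 * Returns 1 and fills `ip` on a match, 0 for any other line. */
int parse_timeout_line(const char *line, char *ip, size_t ip_len)
{
    static const char needle[] = "Timeout before authentication for ";
    const char *p = strstr(line, needle);
    if (p == NULL)
        return 0;
    p += sizeof needle - 1;
    size_t n = strcspn(p, " \n");      /* the address ends before " port N" */
    if (n == 0 || n >= ip_len)
        return 0;
    memcpy(ip, p, n);
    ip[n] = '\0';
    return 1;
}

/* Tallies timeouts per address over `lines`; returns the number of distinct
 * addresses stored in `out` (at most `max_out`). */
int count_timeouts(const char *const *lines, int nlines,
                   struct ip_count *out, int max_out)
{
    int nips = 0;
    char ip[IP_LEN];
    for (int i = 0; i < nlines; i++) {
        if (!parse_timeout_line(lines[i], ip, sizeof ip))
            continue;
        int j;
        for (j = 0; j < nips; j++)
            if (strcmp(out[j].ip, ip) == 0)
                break;
        if (j == nips) {
            if (nips == max_out)
                continue;              /* table full: keep counting known addresses */
            strcpy(out[j].ip, ip);     /* bounded: parse_timeout_line checked n < IP_LEN */
            out[j].timeouts = 0;
            nips++;
        }
        out[j].timeouts++;
    }
    return nips;
}

/* Returns the tally for `ip`, or 0 if it never timed out. */
int timeouts_for(const struct ip_count *t, int nips, const char *ip)
{
    for (int i = 0; i < nips; i++)
        if (strcmp(t[i].ip, ip) == 0)
            return t[i].timeouts;
    return 0;
}

/* Constructed sample (not a real capture): three timeouts from one client,
 * one from an IPv6 client, and an unrelated successful login to ignore. */
const char *const SAMPLE_LOG[] = {
    "Jul  1 10:00:01 host sshd[4242]: Timeout before authentication for 203.0.113.5 port 51234",
    "Jul  1 10:00:02 host sshd[4243]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2",
    "Jul  1 10:00:03 host sshd[4244]: Timeout before authentication for 203.0.113.5 port 51235",
    "Jul  1 10:00:04 host sshd[4245]: Timeout before authentication for 2001:db8::1 port 51236",
    "Jul  1 10:00:05 host sshd[4246]: Timeout before authentication for 203.0.113.5 port 51237",
};
const int SAMPLE_LOG_LEN = 5;

/* Convenience wrappers over the sample so results can be checked by name. */
int count_sample_timeouts(const char *ip)
{
    struct ip_count table[MAX_IPS];
    int nips = count_timeouts(SAMPLE_LOG, SAMPLE_LOG_LEN, table, MAX_IPS);
    return timeouts_for(table, nips, ip);
}

int distinct_sample_ips(void)
{
    struct ip_count table[MAX_IPS];
    return count_timeouts(SAMPLE_LOG, SAMPLE_LOG_LEN, table, MAX_IPS);
}

int main(void)
{
    struct ip_count table[MAX_IPS];
    int nips = count_timeouts(SAMPLE_LOG, SAMPLE_LOG_LEN, table, MAX_IPS);
    for (int i = 0; i < nips; i++)
        printf("%-20s %d timeout(s)%s\n", table[i].ip, table[i].timeouts,
               table[i].timeouts >= 3 ? "  <-- ban candidate" : "");
    return 0;
}
```

Two caveats when turning this into a rule: the message is written by the same handler that is being raced, so the lines you see are the attempts that failed, not evidence of the one that succeeded; and a per-address threshold only helps against a single source, which is why the comment above likens the traffic to a (D)DoS. Updating sshd is still the fix.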

  • namingthingsiseasy@programming.dev (+19, 1 year ago)

    The full write-up can be found here and should be fairly readable for users of this forum.

    Some quotes that I thought were interesting:

    With a heap corruption as a primitive, two FILE structures malloc()ated in the heap, and 21 fixed bits in the glibc’s addresses, we believe that this signal handler race condition is exploitable on amd64 (probably not in ~6-8 hours, but hopefully in less than a week). Only time will tell.

    So 64-bit systems seem to be a bit more resistant to this? But I can't be completely sure given how much I've read about this so far.

    This vulnerability is exploitable remotely on glibc-based Linux systems, where syslog() itself calls async-signal-unsafe functions (for example, malloc() and free()): an unauthenticated remote code execution as root, because it affects sshd’s privileged code, which is not sandboxed and runs with full privileges. We have not investigated any other libc or operating system; but OpenBSD is notably not vulnerable, because its SIGALRM handler calls syslog_r(), an async-signal-safer version of syslog() that was invented by OpenBSD in 2001.

    It seems that non-glibc-based systems could also be vulnerable, but they have not tried to demonstrate it yet (or have tried and not been successful).

    And OpenBSD wins again it seems.
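The TL;DR a few comments up (the SIGALRM handler calls syslog()) and the quoted paragraph about syslog() calling async-signal-unsafe malloc()/free(), as an added example that is neither OpenSSH's code nor the Qualys write-up: a toy login-grace timer with the unsafe handler shape next to a safe one. The unsafe handler is only shown for contrast and is never installed; the safe handler touches nothing but a `sig_atomic_t` flag and `write(2)`, and the syslog() call moves to ordinary context once the flag is seen, which is also the shape of the upstream fix. The function names, the 50 ms timeout and the stderr message are my choices.

```c
/* Added example (not OpenSSH code): grace-period alarm handler, unsafe
 * pattern vs. async-signal-safe pattern. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <syslog.h>
#include <time.h>
#include <unistd.h>

/* UNSAFE: syslog() may call malloc()/free(). If SIGALRM lands while the
 * interrupted code is itself inside malloc(), the allocator is re-entered
 * with half-updated state, which is the heap-corruption primitive the
 * thread discusses. Defined for comparison only; the demo never installs it. */
void unsafe_grace_handler(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication");   /* not async-signal-safe */
    _exit(1);
}

/* SAFE: only a sig_atomic_t store and write(2), both async-signal-safe. */
static volatile sig_atomic_t grace_expired = 0;

void safe_grace_handler(int sig)
{
    (void)sig;
    grace_expired = 1;
    /* A constant, pre-formatted message via write(2) is allowed here;
     * formatting it with snprintf() or handing it to syslog() is not. */
    static const char msg[] = "grace timer fired\n";
    if (write(STDERR_FILENO, msg, sizeof msg - 1) < 0) {
        /* nothing safe to do about it inside a handler */
    }
}

int grace_timer_fired(void)
{
    return grace_expired ? 1 : 0;
}

/* Arms a one-shot real-time timer of `grace_ms` milliseconds and waits in
 * nanosleep(), which returns early with EINTR when the handler runs. Returns
 * the number of wakeups needed to observe the flag (normally 1, 0 if the
 * signal arrived before the first sleep) or -1 on error. The syslog() call
 * happens here, in normal context, where malloc() may be used freely. */
int wait_for_grace_timeout(int grace_ms)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_grace_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;                   /* no SA_RESTART: let nanosleep() return EINTR */
    if (sigaction(SIGALRM, &sa, NULL) != 0)
        return -1;

    grace_expired = 0;
    struct itimerval it;
    memset(&it, 0, sizeof it);
    it.it_value.tv_sec = grace_ms / 1000;
    it.it_value.tv_usec = (grace_ms % 1000) * 1000;
    if (setitimer(ITIMER_REAL, &it, NULL) != 0)
        return -1;

    int wakeups = 0;
    while (!grace_expired) {
        struct timespec ts = { 1, 0 };  /* sleep up to 1 s per iteration */
        nanosleep(&ts, NULL);           /* interrupted by SIGALRM */
        wakeups++;
    }
    syslog(LOG_INFO, "Timeout before authentication (observed after %d wakeup(s))", wakeups);
    return wakeups;
}

int main(void)
{
    openlog("grace-demo", LOG_PID | LOG_PERROR, LOG_AUTH);
    int n = wait_for_grace_timeout(50);
    printf("timer observed after %d wakeup(s), flag=%d\n", n, grace_timer_fired());
    closelog();
    return n >= 0 ? 0 : 1;
}
```

The rule the safe version follows is the one POSIX gives for handlers: only async-signal-safe functions (write, _exit, sigaction and a short list of others), no allocation, no stdio, no syslog(). OpenBSD's syslog_r() mentioned in the quote above exists precisely so that a handler can still log without going through malloc().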

  • Lung@lemmy.world (+19/-2, 1 year ago)

    It’s shit like this that makes me convinced that governments can easily hack into pretty much every system

    • NotMyOldRedditName@lemmy.world (+9, 1 year ago)

      I mean, on TV every character seems to be able to hack any system in a few seconds.

      They clearly must have done some research by watching some NSA hackers who can hack every system.

    • Mike1576218@lemmy.ml (+7, 1 year ago)

      They probably can. But every hack done has the possibility of spoiling the exploit. A good exploit can cost a million dollars. So if hacking you is worth more than, say, 100k to them, you're in trouble. Otherwise they will only target you with everyday surveillance.

      • Lung@lemmy.world (+6, 1 year ago)

        That's a spooky one. At first glance, 500 employees and zero-click takeovers of phones? Yikes. Makes me want to not have a phone… Of course Google/Apple/USA have had this capacity for ages.

          • scrion@lemmy.world (+5, edited, 1 year ago)

            Yes, targeted attacks like that definitely exist, maybe most famously the recent social pressure to merge a vulnerability into the xz library by the actor "Jia Tan":

            https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

            This started a whole discussion about relying on (often unpaid) volunteer work for critical systems and the pressure and negativity these people face, which is a discussion that was absolutely needed, and which we are still light years away from fixing.

            Currently, open source is still treated like this: https://trac.ffmpeg.org/ticket/10341

            (I can only recommend reading the whole story around this issue, which boils down to Microsoft admitting they rely on an open source project for something they consider critical to their customers, but not willing to pay the maintainer a bounty for fixing the issue)

      • teawrecks@sopuli.xyz (+5, 1 year ago)

        The NSA is doubtless sitting on a trove of these types of vulnerabilities to use when they really need access to something.

  • IntentionallyAnon@lemm.ee (+13/-1, 1 year ago)

    Good thing I’m on vacation for the next week and have my PC turned off. Remind me to update on Saturday

  • Venia Silente@lemm.ee (+12/-1, 1 year ago)

    The fun thing about regressions: these things affect you if your system is new enough that it has the behaviour reintroduced. Which means you are less likely to be hit if you are using Debian Stable (or even Oldstable) than, say, Sid (unpatched at the time of writing this comment) or Arch btw.

  • Possibly linux@lemmy.zip (+1/-2, edited, 1 year ago)

    Maybe it is time to move to something new.

    Also, why does sshd run as root? I feel like ssh could use some least privilege.