Authors: Vivek Doshi, Principal Product Manager, & Chase Snyder, Sr. PMM, Xage Security
Researchers at Qualys have warned of a critical vulnerability affecting the OpenSSH package that can be exploited to give attackers complete control of Linux systems with no authentication required. The CVE assigned is CVE-2024-6387 and has a risk level of 8.1 (high).
Potential Impact: Remote Code Execution
This vulnerability allows unauthenticated remote code execution with root privileges on glibc-based Linux systems.
According to Qualys Threat Research Unit, “this vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization.
Moreover, gaining root access would enable attackers to bypass critical security mechanisms such as firewalls, intrusion detection systems, and logging mechanisms, further obscuring their activities. This could also result in significant data breaches and leakage, giving attackers access to all data stored on the system, including sensitive or proprietary information that could be stolen or publicly disclosed.”
Qualys has developed a working exploit for this vulnerability.
Any vulnerability that could grant an attacker arbitrary remote code execution (RCE) should be a high priority for mitigation. The widespread nature of OpenSSH means that millions of devices are likely vulnerable. Even though the CVE is relatively complex to exploit, the potential value is high enough that the risk should not be underestimated.
- OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
- Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.
- The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.
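One defender-side use of the version ranges above is triage of an SSH fleet inventory: classify each host's reported OpenSSH version against those boundaries and flag the ones that need a patch or a compensating control. The following Python is an added example, not Xage's or Qualys's code; the inventory lines are constructed, and it applies only the upstream ranges stated above (a distribution may backport the 9.8p1 fix without changing its version string, so a "vulnerable" result is a prioritisation hint to verify, not proof).

```python
import re
# Range boundaries (major, minor, portable) from the version list above.
FIRST_SAFE = (4, 4, 1)  # 4.4p1: CVE-2006-5051 fix made the handler safe
REGRESSED = (8, 5, 1)   # 8.5p1: the safe code was accidentally removed
FIXED = (9, 8, 1)       # 9.8p1: first release outside the stated ranges
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

def parse_openssh_version(text: str):
    """Extract (major, minor, portable) from a banner such as
    'SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2' or an 'ssh -V' string.
    A version with no 'pN' suffix is normalised to p1, its first portable
    release, so that '8.5' sorts together with '8.5p1'. None if absent."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, portable = m.groups()
    return int(major), int(minor), int(portable or 1)

def classify(text: str) -> str:
    """Map a banner onto the ranges above. Upstream version only: a distro
    may backport the fix without changing the string, so 'vulnerable-*'
    means 'verify and prioritise', not 'confirmed exploitable'."""
    v = parse_openssh_version(text)
    if v is None:
        return "unknown"            # not OpenSSH, or unparseable banner
    if v < FIRST_SAFE:
        return "vulnerable-legacy"  # unless patched for CVE-2006-5051/CVE-2008-4109
    if v < REGRESSED:
        return "not-vulnerable"
    if v < FIXED:
        return "vulnerable-regression"
    return "fixed"

# Constructed sample inventory of (hostname, banner); not real hosts.
SAMPLE_INVENTORY = [
    ("plc-gateway-01", "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2"),
    ("hmi-02", "SSH-2.0-OpenSSH_7.4"),
    ("jumpbox", "SSH-2.0-OpenSSH_9.8p1"),
    ("legacy-rtu", "SSH-2.0-OpenSSH_4.3p2"),
]

def hosts_needing_action(inventory):
    """Return (host, classification) for every host in a vulnerable range."""
    flagged = []
    for host, banner in inventory:
        c = classify(banner)
        if c.startswith("vulnerable"):
            flagged.append((host, c))
    return flagged
```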
Xage Protects Critical Infrastructure Against CVE-2024-6387
No Xage products are known to contain the vulnerable software. Furthermore, Xage can protect vulnerable systems between now and whenever the vulnerability can be patched. Here’s how it works:
Xage’s proxy architecture, which proxies SSH over HTTPS, can protect against RegreSSHion and other SSH vulnerabilities when a system running OpenSSH is made accessible only via Xage. With Xage, a user can securely access Linux systems through a modern browser over HTTPS. Because the SSH protocol itself is not exposed when the HTTPS proxy is used, Xage protects against SSH-based attacks that exploit existing and even unpublished vulnerabilities.
Organizations with systems that are vulnerable to RegreSSHion should patch those systems. But patching isn’t always simple or fast. According to the 2024 Verizon Data Breach Investigations Report, half of Known Exploited Vulnerabilities still haven’t been remediated after 55 days. Patching takes time.
The ability to protect your systems without having to shut down critical assets between vulnerability disclosure and remediation is valuable. Xage protects systems against exploitation even if they are vulnerable, acting as a mitigating control until customers are able to roll out patches to systems that often cannot be subject to the same update schedules as IT systems.
For more information about how Xage enables secure remote access while protecting vulnerable assets, read about our Zero Trust Remote Access solution.
Xage’s solution provides important benefits to ensure that access to critical assets is secure and based on the principle of least privilege:
- Identity-based granular access control ensures that only authorized users can access assets in the network, thereby minimizing attack risk. Xage provides access management for every asset, including legacy assets, PLCs, and other critical infrastructure components, so that even the oldest equipment remains protected against modern threats.
- Per-asset MFA for remote and local access: With Xage, admins can configure per-asset MFA as an additional security measure to protect against credential stuffing or password spraying, and to create an additional layer of defense against MFA fatigue attacks.
- Linux command restrictions: Allows admins to control and restrict which commands each user can execute once they have access to an asset via SSH or other methods. For example, Xage can restrict root access to some users or disable commands such as scp or wget for others. This ensures that even if a malicious user with stolen credentials gains access to an asset, they will not be able to execute commands that could compromise it. These controls can be applied to employees of the organization, but can just as easily be used to grant controlled access to third-party contractors or vendors.
- Just-in-time and just-enough access ensures that access to critical infrastructure is time-bound and limited to specific applications. These capabilities help organizations grant access to privileged accounts or resources only when it is needed to perform a task. Instead of granting perpetual access to a privileged account, just-in-time access limits access to a specific resource or application for a specific time frame.
- Credential rotation: Allows a password to be reset or rotated after a user logs out of a Linux system. Credential rotation reduces the chances of unauthorized access to sensitive systems and data by limiting the time frame in which the credentials can be used.
- Screen recording: Xage provides the ability to record SSH sessions for monitoring and compliance reasons. Admins can refer to recordings to understand what changes were made to a system or to investigate unusual activity on sensitive systems, and can permit collaborative read-only viewing by an auditor or another admin, often referred to as escorted access.
Xage achieves all of this from a single dynamic web portal, without installing agents or making changes to the devices.
Vulnerability Exploitation is Increasing. Cyber Defenders Must Adapt.
RegreSSHion is the latest high-risk vulnerability in OpenSSH to make industry headlines, but it won’t be the last. At any given time, there are likely to be unknown, actively exploited vulnerabilities. Enterprises that want to protect themselves and their customers from the rising tide of exploits must proactively defend their systems against exploitation even before vulnerabilities are disclosed.
Although this vulnerability is complex to exploit, a patient and persistent attacker can gain access to systems that have it. Xage’s SSH proxy feature protects not only against SSH-based attacks using known exploits but also against unpublished vulnerabilities. This is the heart of the zero trust approach enabled by Xage Security products. By applying least-privilege, zero trust access policies both to ingress/egress pathways and to machine-to-machine lateral communication, security teams can prevent even zero-day exploits from being weaponized by cyber adversaries.
Verizon DBIR 2024 indicated that exploitation of vulnerabilities for initial access in cyberattacks is up 180%. This escalation in exploits, compared to the past leading tactic of using stolen usernames and passwords, indicates that cyber adversaries are actively seeking out and using vulnerabilities. This warrants a change in strategy among cyber defenders.