They have named this vulnerability “regreSSHion”, since it represents the re-emergence of a bug that was previously patched in 2006
That’s a great name
The new vulnerability, assigned CVE-2024-6387, allows for unauthenticated remote code execution (RCE) with root privileges, posing a severe threat to affected systems.
Oh, fuck. Guess this is my day now.
If I’m not mistaken, it seems like this is a timing attack and you need a lot of attack attempts to make it work. If you have like a fail2ban rule for ssh it should mitigate this attack to quite some degree, right? (Of course updating would still be the best).
While statistically unlikely, it would be possible to exploit the vulnerability on the first attempt
Looks like Debian and Ubuntu have shipped patches, but I’m not seeing them show up in the RHEL-derivatives just yet, but I’m sure that’ll be soon™.
the in depth technical details
TL;DR; sigalarm handler calls syslog which isn’t safe to call from a signal handler context.
Their example exploit needed about 10k attempts to get a remote shell so it’s not fast or quiet, but a neat find regardless
