New regreSSHion OpenSSH RCE bug gives root on Linux servers
What Linux versions are impacted by the regreSSHion flaw?

The regreSSHion flaw impacts OpenSSH servers on Linux from version 8.5p1 up to, but not including, 9.8p1. Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable to CVE-2024-6387 thanks to a patch for CVE-2006-5051. Versions older than 4.4p1 are vulnerable to regreSSHion unless they are patched for CVE-2006-5051 and CVE-2008-4109. OpenBSD systems are not impacted by this flaw.
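As an added example (not from the original article, OpenSSH or Qualys), the version ranges above can be turned into a triage check over SSH banners or `ssh -V` output during an inventory sweep. The function names, result labels and sample strings are constructed for illustration, and the version string alone cannot show whether a distribution has backported a fix.

```python
import re

# Boundaries (major, minor) taken from the version ranges stated above.
FIRST_PATCHED_2006 = (4, 4)   # 4.4p1 carries the CVE-2006-5051 patch
FIRST_AFFECTED = (8, 5)       # 8.5p1 is the first release hit by CVE-2024-6387
FIRST_UNAFFECTED = (9, 8)     # 9.8p1 is outside the affected range

# Matches "OpenSSH_8.9p1", "OpenSSH_9.7", "OpenSSH_3.7.1p2", ...
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_openssh_version(text):
    """Return (major, minor) from an SSH banner or `ssh -V` line, else None."""
    match = _VERSION_RE.search(text)
    return (int(match.group(1)), int(match.group(2))) if match else None


def classify(text, platform="linux-glibc"):
    """Map a version string to the page's ranges. `platform` is supplied by
    the caller (assumption: the banner itself does not reveal the OS)."""
    if platform == "openbsd":
        return "not-affected"
    version = parse_openssh_version(text)
    if version is None:
        return "unknown"
    if version < FIRST_PATCHED_2006:
        # Vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109.
        return "vulnerable-unless-patched"
    if version < FIRST_AFFECTED:
        return "not-vulnerable"
    if version < FIRST_UNAFFECTED:
        # Distributions may backport the fix without changing this string,
        # so confirm against the vendor's package advisory.
        return "affected"
    return "outside-affected-range"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from real hosts.
    samples = [
        "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
        "SSH-2.0-OpenSSH_7.4",
        "OpenSSH_9.8p1, OpenSSL 3.0.13 30 Jan 2024",
        "SSH-2.0-OpenSSH_4.3p2",
    ]
    for sample in samples:
        print(f"{classify(sample):26} {sample}")
```

Hosts reported as `affected` still need a check of the installed package against the distribution's advisory before they are treated as confirmed.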
Are OpenBSD systems affected by the regreSSHion flaw?

OpenBSD systems are not affected by the regreSSHion flaw (CVE-2024-6387) due to a secure mechanism introduced in 2001. This mechanism prevents the vulnerability from impacting OpenBSD systems, making them safe from the unauthenticated remote code execution risk present in glibc-based Linux systems.
What is the regreSSHion vulnerability in OpenSSH?

The regreSSHion vulnerability (CVE-2024-6387) is a critical unauthenticated remote code execution (RCE) flaw in OpenSSH's server component (sshd) on glibc-based Linux systems. Discovered by Qualys, the vulnerability allows attackers to execute arbitrary code as root without needing to authenticate, potentially leading to complete system compromise and data theft.