Critical OpenSSH Zero-Day Vulnerability Disclosed

A highly critical zero-day vulnerability, CVE-2026-2588, has been discovered in OpenSSH, impacting a majority of Linux distributions. The flaw allows for potential remote code execution on servers with default configurations and is believed to be under active exploitation. Security advisories are urging administrators to apply patches immediately and review logs for signs of compromise.

- This vulnerability has been nicknamed "regreSSHion" because it is a regression of a similar flaw, CVE-2006-5051, that was patched nearly two decades ago. The issue was inadvertently reintroduced in October 2020 in OpenSSH version 8.5p1.
- The technical root of the flaw is a race condition in the signal handler for the OpenSSH server process (sshd) on glibc-based Linux systems. An attacker can trigger this by repeatedly attempting to connect without authenticating, which can lead to heap corruption and ultimately code execution.
- The vulnerability was discovered by the Qualys Threat Research Unit (TRU). Following responsible disclosure, a patch was made available in OpenSSH version 9.8p1.
- Exploitation of this race condition is difficult, requiring an attacker to make numerous attempts over hours or even days to succeed. However, a public proof-of-concept (PoC) exploit has been released, making attacks more accessible.
- Security scans have identified a vast attack surface, with one report estimating over 14 million potentially vulnerable OpenSSH instances exposed to the internet. Another analysis noted approximately 700,000 vulnerable internet-facing servers among its global customer base.
- As a temporary mitigation, administrators can set the `LoginGraceTime` parameter to `0` in their `sshd_config` file, which prevents the specific race condition from being triggered. However, this can make the server more susceptible to denial-of-service (DoS) attacks.
- The flaw affects OpenSSH versions from 8.5p1 through 9.7p1. Versions prior to 4.4p1 are also considered vulnerable unless they have been patched for the original 2006 and 2008 vulnerabilities.
- A successful exploit could allow an unauthenticated attacker to gain full root privileges, enabling them to take complete control of the server, install malware, manipulate data, or create persistent backdoors.
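As an added example (not part of the briefing and not OpenSSH project code), the following script turns the affected-version ranges and the `LoginGraceTime 0` workaround above into two administrator checks: a banner-based version triage and an `sshd_config` parser that reports the effective grace time. Function names and the sample config are my own; the version ranges come from the text, and the config rules (first value for a keyword wins, default 120 seconds) follow sshd's documented behaviour.

```python
import re

# Affected ranges as stated in the advisory: 8.5p1 through 9.7p1 inclusive,
# plus anything older than 4.4p1 (the original 2006-era flaw).
VULN_LOW, VULN_HIGH = (8, 5, 1), (9, 7, 1)
OLD_CUTOFF = (4, 4, 1)

def parse_openssh_version(banner):
    """Extract (major, minor, portable) from a banner such as
    'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13'. Returns None if absent."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))

def is_vulnerable_version(banner):
    """First-pass triage only: distributions backport the fix without raising
    the version string, so True means 'confirm via the package changelog'."""
    v = parse_openssh_version(banner)
    if v is None:
        return False
    return v < OLD_CUTOFF or VULN_LOW <= v <= VULN_HIGH

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def login_grace_time(sshd_config):
    """Effective LoginGraceTime in seconds. sshd uses the first value it reads
    for a keyword, ignores '#' comments, and defaults to 120 if unset."""
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            m = re.fullmatch(r"(\d+)([smhdw]?)", parts[1].strip().lower())
            if m:
                return int(m.group(1)) * _UNITS[m.group(2)]
    return 120

def mitigation_applied(sshd_config):
    """The interim workaround from the advisory: LoginGraceTime set to 0."""
    return login_grace_time(sshd_config) == 0

# Constructed sample config, not taken from any real host.
SAMPLE_CONFIG = """# constructed sshd_config excerpt
Port 22
LoginGraceTime 0   # interim regreSSHion workaround
PermitRootLogin no
"""

if __name__ == "__main__":
    print("vulnerable banner:", is_vulnerable_version("SSH-2.0-OpenSSH_9.6p1"))
    print("grace time (s):", login_grace_time(SAMPLE_CONFIG))
```

Remember that the workaround trades the race for easier denial of service, as the briefing notes, so treat a `True` from `mitigation_applied` as a stopgap, not a substitute for 9.8p1 or a vendor backport.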

Shared from Scout - Be the smartest in the room.