As Hackernews has in its posts:
New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems
RCE = Remote Code Execution , i.e. the hacker does not need an account on the system to get on the system.
This happens to be an old vulnerability (as per AI response):
The OpenSSH remote code execution vulnerability, also known as CVE-2016-0777, is a security flaw discovered in January 2016. This vulnerability affects OpenSSH versions 5.4 to 7.1 and allows an attacker to execute arbitrary code on a target system by manipulating the SSH client to leak sensitive information from the system’s memory. This can lead to unauthorized access, data theft, or system compromise. To mitigate this vulnerability, users should update their OpenSSH installations to version 7.1p2 or later.
But today’s vulnerability has to do with a “reintroduction” of this same vulnerability in new codebases:
(as per hackernews article) The vulnerability, codenamed regreSSHion, has been assigned the CVE identifier CVE-2024-6387. It resides in the OpenSSH server component, also known as sshd, which is designed to listen for connections from any of the client applications.
also
The cybersecurity firm said it identified no less than 14 million potentially vulnerable OpenSSH server instances exposed to the internet, adding it’s a regression of an already patched 18-year-old flaw tracked as CVE-2006-5051, with the problem reinstated in October 2020 as part of OpenSSH version 8.5p1. )
So regression of the old OpenSSH flaw means someone did not check the past issues, and unknowingly created this problem? Anyway it is here, so update your sshd software on all internet facing systems.
As per https://www.openssh.com/releasenotes.html#9.8p1
new version released by OpenSSH (and from their release notes:
OpenSSH 9.8 was released on 2024-07-01. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html
Security ======== This release contains fixes for two security problems, one critical and one minor. 1) Race condition in sshd(8) A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon. Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation (yes - this is a thing, no - we don't understand why) may potentially have an easier path to exploitation. OpenBSD is not vulnerable. We thank the Qualys Security Advisory Team for discovering, reporting and demonstrating exploitability of this problem, and for providing detailed feedback on additional mitigation measures. --------------------------------------------------------------------------- If you need more information as to why one should patch/upgrade systems - contact me Also have my book "Too Late You're Hacked" that explains it in detail.