Skip to content

Search the site

Fake OpenSSH "exploit" is a real exploit. Just not the one you thought.

Cisco says 42 products confirmed exposed to CVE-2024-6387 -- but OpenSSH exploit is malicious: Beware bogus POCs says Kaspersky

Updated July 8, 17:30 BST with news of a fresh OpenSSH race condition allocated CVE-2024-6409

A proof-of-concept (POC) exploit for the OpenSSH bug dubbed RegreSSHion that is circulating on various forums is not a working exploit – and contains malicious code designed to target security researchers.

That's according to Kaspersky in a warning that comes after Qualys said another purported POC for the critical OpenSSH vulnerability, allocated CVE-2024-6387 and disclosed on July 1, was also completely bogus.

In a post-modern twist, an archive circulating on various forums purporting to be an exploit for  CVE-2024-6387 launches a malicious file called exploit that is… in fact an exploit; just not one for RegreSSHion. 

A RegreSSHion recap

On July 1, Qualys reported that a critical vulnerability in certain versions of the OpenSSH server can be exploited remotely by an unauthenticated attacker to gain root – with potentially millions of users at risk. 

The race condition vulnerability is highly complex to exploit, but Akamai suggested 35% of machines in a given network are vulnerable. (Akamai also wrongly suggested on July 3 that a POC circulating was real and meant that this was now a “known exploited” bug; this was not correct.) 

(A technical writeup from Qualys, which identified the bug, is here. The vulnerability was dubbed regreSSHion as it is a regression of the previously patched CVE-2006-5051, which was first disclosed in 2006.)

Later on July 8 security researchers disclosed ANOTHER separate race condition RCE vulnerability in OpenSSH, allocated CVE-2024-6409.

Another OpenSSH bug. Should I be worried?

They noted: "The main difference from CVE-2024-6387 is that the race ondition and RCE potential are triggered in the privsep child process, which uns with reduced privileges compared to the parent server process. So immediate impact is lower. However, there may be differences in exploitability of these vulnerabilities in a particular scenario, which could make either one of these a more attractive choice for an attacker,
and if only one of these is fixed or mitigated then the other becomes
more relevant. In particular, the "LoginGraceTime 0" mitigation works
against both issues, whereas the "-e" mitigation only works against
CVE-2024-6387 and not (fully) against CVE-2024-6409. It may also be
possible to construct an exploit that would work against either
vulnerability probabilistically, which could decrease attack duration or
increase success rate. That said, actual exploitation of CVE-2024-6409
has not yet been attempted and thus has not been proven."

Fake OpenSSH POCs proliferate

On July 3, Qualys an alleged proof of concept "7etsuo-regreSSHion.c", "looks great but it does nothing" and is "essentially empty code."

"A working proof of concept for this vulnerability will be much longer and complex, and will take much more time to write than this..." it wrote.

Now Kaspersky has issued a warning about another pseudo-exploit

This one may be a "trap" for infosec professionals, it said. 

A malicious archive purportedly containing the POC contains malware that exploits the desire of security researchers to assess how a working exploit would communicate with a remote server, Kaspersky explained. 

The archive claims to point to a server from which a working exploit can be pulled, along with some other source code and malicious binaries. 

One of these launches a malicious file called "exploit"; it is a malware payload that looks to achieve persistence and also pull a secondary payload from the server supposedly hosting the RegreSSHion POC. 

"The malicious code is saved in a file located at the /etc/cron.hourly directory. In order to achieve persistence, it modifies the ls file and writes a copy of itself into it, repeating the execution of malicious code every time it is launched," Kaspersky said. “Apparently, the authors of the attack are counting on the fact that, when working with obviously malicious code, researchers tend to disable security solutions and focus on analyzing the exchange of data between the malware and a server vulnerable to CVE-2024-6387. Meanwhile, completely different malicious code will be used to compromise the researchers’ computers…” Naughty.

A multitude of vendors downstream continue to push fixes for  CVE-2024-6387 – with OpenSSH used in multiple products. Ubuntu, RedHat, Debian, and Amazon Linux have responded to the CVE. 

Cisco said 42 of its widely used products have already been confirmed to be exposed to the vulnerability and it is investigating scores of others. 

How worried should Blue Teams be?

Experts suggest no panic is needed. As Check Point notes: “The exploit is complex and requires a pre-emptive knowledge of the attacked Linux target as well as several hours of look-alike password brute-force attempts” – although security researchers at Wiz also noted last week that “ the exploitation process need not be continuous – since the probability of success is the same for every attempt, in theory an attacker could target a machine or set of machines over a period of several weeks, switching between multiple IP addresses between exploitation attempts, using a strategy similar to password spraying. This technique would make detection more difficult and therefore might be adopted by patient and sophisticated actors with specific target organizations in mind.”