OpenSSH is a suite of software tools that enable secure remote login using the SSH protocol. It ships with virtually every Linux distribution, and Qualys has demonstrated exploitation on glibc-based Linux systems, which covers all the major distributions. The notable exception is Alpine Linux, which uses musl libc rather than glibc. OpenBSD is not affected, because its signal handler calls syslog_r(), an async-signal-safe variant of syslog(), so the race that makes the bug exploitable does not arise there. Qualys has not investigated other C libraries or operating systems, and says it does not yet know whether, or to what extent, macOS or Windows are impacted.
Using the Censys and Shodan search engines, researchers from the Qualys Threat Research Unit (TRU) identified over 14 million potentially vulnerable OpenSSH server instances exposed to the internet. Among Qualys customers, roughly 700,000 internet-facing instances are vulnerable, around 31% of all the internet-facing OpenSSH instances in its customer base.
OpenSSH versions earlier than 4.4p1 (released 2006) are vulnerable unless they have been patched for CVE-2006-5051 and CVE-2008-4109. Versions 4.4p1 up to and including 8.4p1 are not affected. Versions 8.5p1 (released March 2021) up to, but not including, 9.8p1 (released 1st July, 2024) are affected again: a 2020 commit accidentally removed the "#ifdef DO_LOG_SAFE_IN_SIGHAND" guard from the sigdie() function, reintroducing the signal-handler race the 2006 fix had closed, which is why the bug (CVE-2024-6387) has been dubbed regreSSHion. The vulnerability has been fixed in version 9.8p1.
Vendors are expected to release their own patches shortly. In the meantime there are mitigating measures that organisations can take.
"If sshd can't be updated or recompiled, set LoginGraceTime to 0 in the config file," the researchers recommend. "This exposes sshd to a denial of service by using up all MaxStartups connections, but it prevents the remote code execution risk."
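As an added example (not code from the article, Qualys or the OpenSSH project), the following POSIX sh helper turns the version ranges and the stop-gap above into a quick triage check. The function names regresshion_classify, version_key and mitigation_applied are assumptions of this example, and the banners and sshd_config fed to it are constructed for the demo; no real host is contacted.

```shell
#!/bin/sh
# Added example: regreSSHion (CVE-2024-6387) triage helpers in POSIX sh.
#
#   regresshion_classify BANNER   classify an OpenSSH version string
#   mitigation_applied  FILE      does this sshd_config set LoginGraceTime 0?
#
# Ranges as stated in the article: anything before 4.4p1 (unless the
# CVE-2006-5051 / CVE-2008-4109 fixes were applied) and 8.5p1 <= v < 9.8p1.

# Encode "major.minor[pN]" as one integer so ranges compare numerically:
# 4.4p1 -> 40401, 8.5p1 -> 80501, 9.8p1 -> 90801. Accepts a raw 'ssh -V'
# line, a server banner "SSH-2.0-OpenSSH_..." or a package name; input
# without an "OpenSSH_<major>.<minor>" token yields an empty string.
version_key() {
    fields=$(printf '%s\n' "$1" | sed -n \
        's/^.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\{0,1\}\([0-9]*\).*$/\1 \2 \3/p')
    [ -n "$fields" ] || return 0
    set -- $fields                     # positional params are local to the function
    echo $(( $1 * 10000 + $2 * 100 + ${3:-0} ))
}

regresshion_classify() {
    key=$(version_key "$1")
    if [ -z "$key" ]; then
        echo unknown                   # not an OpenSSH banner (e.g. dropbear)
    elif [ "$key" -lt 40401 ]; then
        echo legacy-check-patches      # < 4.4p1: vulnerable unless the 2006/2008 fixes were backported
    elif [ "$key" -ge 80501 ] && [ "$key" -lt 90801 ]; then
        echo vulnerable                # 8.5p1 .. 9.7p1: the regression window
    else
        echo not-vulnerable            # 4.4p1 .. 8.4p1, or 9.8p1 and later
    fi
}

# sshd honours the first occurrence of a keyword, so only the first
# LoginGraceTime line counts; when absent the default (120 s) applies.
mitigation_applied() {
    awk 'tolower($1) == "logingracetime" {
             if ($2 == "0") print "yes"; else print "no"
             found = 1; exit
         }
         END { if (!found) print "no" }' "$1"
}

# Demo on constructed inputs.
for banner in \
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6" \
    "OpenSSH_9.8p1, OpenSSL 3.0.13 30 Jan 2024" \
    "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips" \
    "OpenSSH_4.3p2" \
    "SSH-2.0-dropbear_2022.83"
do
    printf '%-45s %s\n' "$banner" "$(regresshion_classify "$banner")"
done

cfg=$(mktemp)                          # constructed sshd_config with the stop-gap applied
printf 'Port 22\nLoginGraceTime 0\nMaxStartups 10:30:100\n' > "$cfg"
printf 'LoginGraceTime 0 applied: %s\n' "$(mitigation_applied "$cfg")"
rm -f "$cfg"
```

On a live host, regresshion_classify "$(ssh -V 2>&1)" classifies the installed OpenSSH package, and mitigation_applied /etc/ssh/sshd_config checks the file (sshd -T, run as root, prints the effective value if Include directives or drop-in files are in play). Two caveats: distributions such as Debian, Ubuntu and Red Hat backport security fixes without changing the upstream version string, so a "vulnerable" verdict must be confirmed against the vendor's package changelog or advisory before acting on it; and "legacy-check-patches" is deliberately not a verdict, since whether a pre-4.4p1 build is exposed depends on whether the 2006 and 2008 fixes were applied to it.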
Computing has contacted Qualys to ask whether any exploitations of regreSSHion have been observed in the wild.