RegreSSHion, Critical RCE Vulnerabilities, and When Should You Be Scared?
On July 1st, 2024, the cybersecurity community was rocked by the discovery of a critical Remote Code Execution (RCE) vulnerability in OpenSSH, aptly named regreSSHion. This revelation triggered a frenzy among security teams who scrambled to locate and secure their SSH servers, while security vendors rushed to develop and deploy fixes and detections. The chaos was palpable, underscoring the need for a deeper understanding of such vulnerabilities. In this article, we will explore the nature of RCE vulnerabilities, their potential impact, and how to assess their severity and urgency.
Remote Code Execution (RCE) vulnerabilities enable attackers to execute arbitrary code on a target machine remotely due to a software bug. These vulnerabilities can vary widely in their criticality, influenced by several key factors that you should check, before you panic.
One of the most critical aspects of RCE vulnerabilities is whether they are pre-authentication (pre-auth). Pre-auth vulnerabilities do not require any form of authentication, allowing attackers to execute code without needing to know any passwords, keys, or secrets. This dramatically lowers the barrier to exploitation. Notable examples include EternalBlue and regreSSHion, which have caused widespread concern due to their pre-auth nature.
Vulnerabilities that require no user interaction, known as “zero-click” (0-click) vulnerabilities, are particularly dangerous. These vulnerabilities can be exploited without the victim doing anything, such as clicking a link or opening a file. Zero-click vulnerabilities are often contrasted with “one-click” or “multi-click” vulnerabilities, which require some degree of user interaction. The FORCEDENTRY exploit for Apple iOS devices is a prime example of a 0-click vulnerability.
The ease with which a vulnerability can be exploited is another crucial factor. While having a public exploit available significantly increases the danger, other factors also play a role. Modern exploits often consist of multiple smaller vulnerabilities chained together, referred to as “primitives.” This complexity can make exploitation a challenging “cat and mouse” game between attackers and defenders. Some vulnerabilities rely on rare conditions to trigger, known as statistical exploits. This can lead to Denial of Service (DoS) attacks if the exploit fails, or make exploitation inherently difficult and unreliable.
The impact of an RCE vulnerability is also influenced by the popularity of the affected software. A vulnerability in widely used software like Windows or OpenSSH is inherently more critical than one in a little-known application. For instance, the EternalBlue vulnerability in Windows had a massive impact because of Windows’ ubiquity.
How easy it is to patch vulnerability also affects its criticality. Some vulnerabilities can be patched with a simple update, while others might require significant changes to infrastructure or even new hardware. The RowHammer vulnerability, for example, highlighted the difficulties in patching certain hardware-level vulnerabilities. Additionally, vulnerabilities that are exploitable in the default configuration of an application are particularly dangerous, as they affect a broader base of installations. Many users and organizations do not change default configurations, making these vulnerabilities more likely to be exploited.
EternalBlue is one of the most infamous RCE vulnerabilities, affecting Windows SMB functionality in its default configuration. The availability of a public exploit made millions of Windows machines vulnerable, leading to widespread exploitation and significant impact on organizations worldwide. Several factors contributed to its severity: it required only network communication with a Windows machine, making it a 0-click, pre-auth vulnerability. The Shadow Brokers leak included a functioning exploit, lowering the bar for attackers. Windows’ widespread use amplified the vulnerability’s impact, and patching legacy Windows systems proved challenging, exacerbating the vulnerability’s effects.
The regreSSHion vulnerability, discovered in OpenSSH, is another significant pre-auth RCE. Despite its alarming nature, a deeper analysis reveals mitigating factors. OpenSSH is widely used, making any vulnerability in it potentially impactful. regreSSHion is a 0-click, pre-auth vulnerability that affects the default configuration. However, the underlying issue is a race condition, a statistical vulnerability that is hard to exploit reliably. The best-known exploit requires continuous attempts over several hours and is prone to detection by security tools. While a proof-of-concept was quickly available, no fully functioning exploit has been released, and existing ones are highly complex and environment-dependent.
Despite its potential for widespread impact, the complexity of exploiting regreSSHion and the availability of mitigations reduce the immediate risk. Organizations are advised to patch critical assets, prioritizing internet-facing SSH servers.
Analyzing a risk, by understanding its criticality factors (preauth, default config, exploitability, popularity, etc) is the way to tackle the problem of a “new critical vulnerability” incident, in a very efficient way, similarly to how we broke down the EternalBlue and regreSSHion cases to their criticality factors.
Beyond analyzing the criticality and regular patching, a structured response to critical vulnerabilities is essential too. First, identify all affected assets to prioritize efforts, focusing on internet-facing and business-critical assets first. Then, automate patching where possible to ensure swift and effective remediation. Remember, the goal is to avoid panic, assess criticality accurately, and act decisively to protect your organization!
We have broken down RCE vulnerabilities into their criticality factors to provide a framework for assessing their severity. By examining case studies like EternalBlue and regreSSHion,, we have highlighted what makes certain vulnerabilities more dangerous than others. The key takeaway is to stay informed, analyze risks carefully, and prioritize actions to maintain a robust security posture.
About the Author
Jonathan Jacobi is part of the CTO office at cybersecurity startup Dazz. He focuses on product development and innovation within the company. Coming from a wide background in the cybersecurity field, Jonathan started his college degree in computer science as a 13-year-old, worked as a Vulnerability Researcher at Check Point Research, and was the youngest Microsoft employee as part of Microsoft’s MSRC.
In his military service, Jonathan served in the Elite Israeli Cyber & Intelligence Unit, 8200, in various security research and leadership positions.
Jonathan’s hands-on experience ranges from real-world security research and finding 0-day vulnerabilities to speaking at world-renowned events like TEDx and CCC (Chaos Communication Congress). He is also a Co-Founder of Perfect Blue, ranked as the #1 hacking (CTF) team in the world (2020-2021, 2023). Jonathan can be reached online at [email protected] | https://twitter.com/j0nathanj and at Dazz’ website https://www.dazz.io/who-we-are