A nasty regreSSHion bug affects about 700,000 Linux systems


Glibc-based Linux systems are vulnerable to a new bug (CVE-2024-6387) in OpenSSH's server (sshd) and should upgrade to the latest version.


Infosec researchers at Qualys published their findings today, revealing that sshd is vulnerable to a race condition that could allow an unauthenticated attacker to achieve remote code execution (RCE) on potentially hundreds of thousands of targets. Successful exploitation can give attackers root-level access to a system, allowing them to get away with virtually anything.

Of the 14 million potentially vulnerable sshd instances that show up on Censys and Shodan scans, Qualys believes that roughly 700,000 of those Internet-facing instances are possibly affected by regreSSHion – the name researchers gave the bug based on its roots.

"In our security analysis, we identified that this vulnerability is a regression of the previously patched vulnerability CVE-2006-5051, which was reported in 2006," Qualys said. "A regression in this context means that a bug, once fixed, has reappeared in a subsequent software release, usually due to changes or updates that inadvertently reintroduce the problem."
