A high-severity vulnerability called regreSSHion impacts OpenSSH, and may affect Macs. Here’s everything Mac users should know.
On Monday, July 1, the maintainers of OpenSSH, an open-source software package, released a major security update. OpenSSH is built into many operating systems, including macOS—the operating system that powers Apple’s Mac computers.
The July 1 update, OpenSSH 9.8p1, patches a single vulnerability: “regreSSHion,” aka CVE-2024-6387. How might this vulnerability affect Macs? Should Mac users be concerned? What can be done about it? Let’s explore those answers.
In this article:
OpenSSH is mainly used to establish a secure connection between a computer and a remote server. It is commonly associated with the command-line tool “ssh” (short for “secure shell”) which can be used in the Mac’s Terminal app.
Macs have a feature (which can be enabled in System Settings, under General > Sharing) called Remote Login; it is off by default. If a user enables the feature, “Remote Login lets users of other computers access this computer using SSH and SFTP,” according to Apple. Anyone on the same network can then attempt to connect to your Mac silently via SSH. Behind the scenes, Remote Login uses the open-source software OpenSSH.
If you set up port forwarding on your home router or company firewall, then SSH can even be made accessible to any computer on the Internet. One company observed more than 7 million vulnerable OpenSSH servers connected to the Internet on July 1, the day of the disclosure and patch.
Qualys, the company that discovered the vulnerability, describes it as follows:
regreSSHion, CVE-2024-6387, is an unauthenticated remote code execution [(RCE) vulnerability] in OpenSSH’s server (sshd) that grants full root access. It affects the default configuration and does not require user interaction. It poses a significant exploit risk.
The summary from NIST’s National Vulnerability Database adds some additional detail:
A security regression (CVE-2006-5051) was discovered in OpenSSH’s server (sshd). There is a race condition which can lead […] sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
NIST gives this vulnerability an 8.1 (out of 10) CVSS score, which is considered “high” severity.
The name “regreSSHion” is a pun based on SSH and the programming term “regression” (in this case, referring to the reintroduction of a past security bug).
As of macOS Sonoma 14.5, Macs include OpenSSH version 9.6p1, which is an affected version; the only fully patched version is 9.8p1 (or 9.8). You can check your own Mac’s OpenSSH version via the Terminal:
% /usr/bin/ssh -V OpenSSH_9.6p1, LibreSSL 3.3.6
(Note that macOS Sonoma currently also includes an outdated and highly vulnerable version of LibreSSL that is more than two years old. We have been covering this on The Mac Security Blog since last year, soon after macOS Sonoma’s public release. Apple has continued to ignore our inquiries about it.)
While the particular version of OpenSSH built into Macs is known to be vulnerable, attackers can only exploit the regreSSHion vulnerability under specific conditions. Qualys only notes that the vulnerability “likely” exists in macOS. However, Qualys stated that it did not investigate macOS specifically, and that the exploitability of the bug on macOS “remains uncertain.”
Publicly, Apple has remained quiet about whether macOS is affected.
Apple did not respond to Intego’s inquiry about the vulnerability. It is unclear whether Apple has done any internal testing related to regreSSHion, or whether (and when) the company plans to release a security patch.
Reportedly, customers who contacted AppleCare Enterprise Support Engineering got a generic response: “To protect our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”
Apple’s “Remote Login” feature, which enables remote SSH access to a Mac, is disabled by default. You can easily check whether it’s enabled on your Mac.
If you don’t use Remote Login but you find that it’s enabled on your Mac, it’s probably a good idea to disable it. This will help reduce your attack surface, i.e. the potential ways in which you could potentially be attacked.
If you use macOS Ventura, macOS Sonoma, or macOS Sequoia beta:
If you use macOS Monterey or earlier, please note that your Mac’s operating system contains numerous vulnerabilities that will never be patched. Apple provides only minimal security patches for the two previous versions of macOS, and zero patches for versions older than that. However, if your Mac doesn’t officially support macOS Sonoma (and if you’re unwilling to upgrade macOS using an unsupported method), you can disable Remote Login as follows:
To learn more about the regreSSHion vulnerability, you can read Qualys’s overview, blog post and FAQ, and technical advisory.
We briefly discussed regreSSHion on episode 351 of the Intego Mac Podcast.
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security, and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: